The Invisible Edge: APT28’s “Operation MacroMaze” Hijacks Browsers via Webhook Lures
The APT28 syndicate has orchestrated a series of surgical strikes against organizations across Western and Central Europe, employing a deceptive yet meticulously crafted scheme involving macros and webhooks. This offensive, designated “Operation MacroMaze”, was documented by the LAB52 team at S2 Grupo. Their findings indicate that the campaign persisted from September 2025 through January 2026, relying on a sophisticated synergy of rudimentary instruments and legitimate online services.
The incursions commenced with bespoke emails directed at specific personnel. These carried document attachments whose XML contained an INCLUDEPICTURE field referencing an image hosted on webhook[.]site. Opening the file triggered an automatic HTTP request to that remote server. The mechanism functioned as a tracking pixel, notifying the adversaries that the lure had been opened and allowing them to harvest technical telemetry without any further interaction from the victim.
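The tracking-pixel trick relies on a Word field instruction, which a mail gateway or triage script can find by reading the document's XML rather than rendering it. The following scanner is an added example written for this article, not tooling from LAB52 or S2 Grupo: it unpacks a .docx, reassembles INCLUDEPICTURE field codes (complex fields are split across several runs; simple fields keep the instruction in an attribute) and grades each target. The ALERT_HOSTS set holds only webhook.site, the one service the report names, and the sample document, including its webhook.site path, is constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
TAG_FLD_CHAR = f"{{{W_NS}}}fldChar"
TAG_INSTR_TEXT = f"{{{W_NS}}}instrText"
TAG_FLD_SIMPLE = f"{{{W_NS}}}fldSimple"
ATTR_FLD_CHAR_TYPE = f"{{{W_NS}}}fldCharType"
ATTR_INSTR = f"{{{W_NS}}}instr"

# Hosts a document field should never point at. webhook.site is the only
# service named in the report; the rest of the policy is an assumption.
ALERT_HOSTS = {"webhook.site"}

INCLUDEPICTURE_RE = re.compile(r'INCLUDEPICTURE\s+"?([^"\s]+)"?', re.IGNORECASE)


def iter_field_codes(root):
    """Yield every field instruction in document order.

    Complex fields span several runs (fldChar begin, instrText pieces,
    fldChar end), so instrText is buffered until the matching end marker.
    Simple fields carry the whole instruction in a w:instr attribute.
    """
    buf = None
    for el in root.iter():
        if el.tag == TAG_FLD_SIMPLE:
            yield el.get(ATTR_INSTR, "")
        elif el.tag == TAG_FLD_CHAR:
            kind = el.get(ATTR_FLD_CHAR_TYPE)
            if kind == "begin":
                buf = []
            elif kind == "end" and buf is not None:
                yield "".join(buf)
                buf = None
        elif el.tag == TAG_INSTR_TEXT and buf is not None:
            buf.append(el.text or "")


def classify(target):
    """'alert' for a known beacon host, 'external' for any other http(s)
    target, 'local' for file paths and relative references."""
    parsed = urlparse(target)
    if parsed.scheme not in ("http", "https"):
        return "local"
    host = (parsed.hostname or "").lower()
    if host in ALERT_HOSTS or any(host.endswith("." + h) for h in ALERT_HOSTS):
        return "alert"
    return "external"


def scan_docx(docx_bytes):
    """Return [(target, verdict), ...] for every INCLUDEPICTURE field."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # Fields may sit in the body, headers, footers or footnotes.
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(name))
            for code in iter_field_codes(root):
                for m in INCLUDEPICTURE_RE.finditer(code):
                    findings.append((m.group(1), classify(m.group(1))))
    return findings


# Constructed sample: a minimal archive holding only word/document.xml, with
# one complex field split across runs (the lure pattern) and one simple local
# field. The webhook.site path is a placeholder, not an indicator from the report.
SAMPLE_DOCUMENT_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W_NS}"><w:body>
<w:p>
 <w:r><w:fldChar w:fldCharType="begin"/></w:r>
 <w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE </w:instrText></w:r>
 <w:r><w:instrText xml:space="preserve">"https://webhook.site/PLACEHOLDER-TOKEN/pixel.png" \\d</w:instrText></w:r>
 <w:r><w:fldChar w:fldCharType="separate"/></w:r>
 <w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p>
<w:p><w:fldSimple w:instr=" INCLUDEPICTURE &quot;C:\\images\\logo.png&quot; \\d "><w:r><w:t>[logo]</w:t></w:r></w:fldSimple></w:p>
</w:body></w:document>
"""


def build_sample_docx():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", SAMPLE_DOCUMENT_XML)
    return buf.getvalue()


SAMPLE_DOCX = build_sample_docx()

if __name__ == "__main__":
    for target, verdict in scan_docx(SAMPLE_DOCX):
        print(f"{verdict:8} {target}")
```

Any `external` verdict deserves a look as well: a legitimate document rarely needs to fetch a picture from the internet at open time, and the same field can point at any server the sender controls, not only webhook.site.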
Since late September, researchers have identified several iterations of documents featuring modified macros. Each functioned as a primary loader, establishing persistence within the host system to facilitate the deployment of supplementary components. While the underlying logic remained consistent, the obfuscation techniques evolved; early versions launched Microsoft Edge in a headless, invisible state, whereas subsequent variants utilized the SendKeys function to simulate keystrokes, thereby circumventing system security prompts.
The macro initiated a VBScript which, in turn, triggered a command file. This file orchestrated a task within the system scheduler to ensure long-term persistence and executed a batch script. The final stage involved opening a compact HTML file containing Base64-encoded content within Microsoft Edge; the browser then retrieved commands from one webhook address, executed them, and exfiltrated the results to a secondary server as an HTML document. In an alternative configuration, rather than employing a fully headless mode, the browser window was positioned beyond the physical coordinates of the display, while all unrelated Edge processes were terminated to maintain a pristine execution environment.
Upon the rendering of the HTML file, a form was automatically submitted, transmitting the command results to the remote server without user intervention. This strategy leveraged standard browser protocols to transmit data while minimizing the forensic footprint left upon the physical disk.
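The chain described above (Office document, script host, command file, scheduled task, hidden Edge session) leaves a recognisable parent-child trail in process telemetry even when little is written to disk. The detector below is an added example for this article, not code from LAB52 or S2 Grupo. It reconstructs process lineage from constructed, simplified process-creation records (pipe-separated timestamp, pid, ppid, image, command line; Sysmon event 1 or any EDR process tree carries the same fields) and flags script hosts, task creation and hidden browser windows that descend from an Office application. The Chromium switches `--headless` and `--window-position`, the SCREEN_BOUND threshold and all paths and task names in the sample are assumptions; the report names neither the flags nor any file names.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "ts pid ppid image cmdline")

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
SCREEN_BOUND = 8192  # assumption: coordinates beyond this are off any real display
WINDOW_POS_RE = re.compile(r"--window-position=(-?\d+),(-?\d+)")

# Constructed sample telemetry (timestamp|pid|ppid|image|command line).
# Every path, pid and task name is made up for the demonstration.
SAMPLE_EVENTS = r"""
2025-10-01T09:14:02|4100|3020|winword.exe|"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\user\Downloads\invite.docm"
2025-10-01T09:14:20|4212|4100|wscript.exe|wscript.exe //B "C:\Users\user\AppData\Local\Temp\stage1.vbs"
2025-10-01T09:14:21|4230|4212|cmd.exe|cmd.exe /c "C:\Users\user\AppData\Local\Temp\stage2.cmd"
2025-10-01T09:14:22|4244|4230|schtasks.exe|schtasks.exe /create /tn Updater /tr "C:\Users\user\AppData\Local\Temp\stage3.bat" /sc minute
2025-10-01T09:14:25|4260|4230|msedge.exe|msedge.exe --headless file:///C:/Users/user/AppData/Local/Temp/page.html
2025-10-01T09:14:26|4270|4230|msedge.exe|msedge.exe --window-position=-32000,-32000 file:///C:/Users/user/AppData/Local/Temp/page.html
2025-10-01T09:15:00|4300|3020|msedge.exe|msedge.exe https://intranet.example.com/
"""


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, pid, ppid, image, cmdline = line.split("|", 4)
        events.append(Event(ts, int(pid), int(ppid), image.lower(), cmdline))
    return events


def has_office_ancestor(event, by_pid, max_depth=16):
    """Walk the parent chain until an Office process or an unknown pid is hit.
    max_depth guards against cycles; real data also needs pid-reuse handling."""
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            return False
        if parent.image in OFFICE_APPS:
            return True
        cur = parent
    return False


def hidden_browser(cmdline):
    """True for a headless launch or a window placed outside the display."""
    lower = cmdline.lower()
    if "--headless" in lower:
        return True
    m = WINDOW_POS_RE.search(lower)
    if m:
        x, y = int(m.group(1)), int(m.group(2))
        return x < 0 or y < 0 or x > SCREEN_BOUND or y > SCREEN_BOUND
    return False


def detect(events):
    """Return [(pid, rule), ...] for suspicious descendants of Office apps."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if not has_office_ancestor(e, by_pid):
            continue
        if e.image in SCRIPT_HOSTS:
            alerts.append((e.pid, "office-spawned-script-host"))
        elif e.image == "schtasks.exe" and "/create" in e.cmdline.lower():
            alerts.append((e.pid, "scheduled-task-from-document"))
        elif e.image == "msedge.exe" and hidden_browser(e.cmdline):
            alerts.append((e.pid, "hidden-browser-from-document"))
    return alerts


if __name__ == "__main__":
    for pid, rule in detect(parse_events(SAMPLE_EVENTS)):
        print(f"pid {pid}: {rule}")
```

The lineage check is what keeps the rules quiet on normal endpoints: an interactive Edge launch from explorer.exe (pid 4300 in the sample) is ignored, while the same binary started headless three processes below a Word document is flagged. Pairing these alerts with outbound connections to webhook.site from a browser process closes the loop with the exfiltration stage.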
LAB52 emphasizes that this campaign underscores a sobering reality: ostensibly simple tools, when organized with strategic precision, can achieve profound efficacy. By utilizing rudimentary batch files, VBScripts, and basic HTML—all while camouflaging operations within invisible browser sessions and leveraging ubiquitous webhook services—the adversaries successfully navigated the boundary between stealth and simplicity to facilitate data exfiltration.