APT28 Targeted European Entities Using Webhook-Based Macro Malware - The Hacker News

Source: The Hacker News. Archived Mar 23, 2026.

Ravie Lakshmanan, Feb 23, 2026. Malware / Threat Intelligence

The Russia-linked state-sponsored threat actor tracked as APT28 has been attributed to a new campaign targeting specific entities in Western and Central Europe. The activity, per S2 Grupo's LAB52 threat intelligence team, was active between September 2025 and January 2026. It has been codenamed Operation MacroMaze.

"The campaign relies on basic tooling and the exploitation of legitimate services for infrastructure and data exfiltration," the cybersecurity company said.

The attack chains employ spear-phishing emails as a starting point to distribute lure documents that contain a common structural element within their XML, a field named "INCLUDEPICTURE" that points to a webhook[.]site URL that hosts a JPG image. This, in turn, causes the image file to be fetched from the remote server when the document is opened.

Put differently, this mechanism acts as a beacon akin to a tracking pixel that triggers an outbound HTTP request to the webhook[.]site URL upon opening the document. The server operator can log metadata associated with the request, confirming that the document was indeed opened by the recipient.

LAB52 said it identified multiple documents with slightly tweaked macros between late September 2025 and January 2026, all of which function as a dropper to establish a foothold on the compromised host and deliver additional payloads.

"While the core logic of all the macros detected remains consistent, the scripts show an evolution in evasion techniques, ranging from 'headless' browser execution in the older version to the use of keyboard simulation (SendKeys) in the newer versions to potentially bypass security prompts," the Spanish cybersecurity company explained.

The macro is designed to execute a Visual Basic Script (VBScript) to move the infection to the next stage.
The script, for its part, runs a CMD file to establish persistence via scheduled tasks and launch a batch script for rendering a small Base64-encoded HTML payload in Microsoft Edge in headless mode to evade detection, retrieve a command from the webhook[.]site endpoint, execute it, capture its output, and exfiltrate it to another webhook[.]site instance in the form of an HTML file.

A second variant of the batch script has been found to eschew headless execution in favor of moving the browser window off-screen, followed by aggressively terminating all other Edge browser processes to ensure a controlled environment.

"When the resulting HTML file is rendered by Microsoft Edge, the form is submitted, causing the collected command output to be exfiltrated to the remote webhook endpoint without user interaction," LAB52 said. "This browser-based exfiltration technique leverages standard HTML functionality to transmit data while minimizing detectable artifacts on disk."

"This campaign proves that simplicity can be powerful. The attacker uses very basic tools (batch files, tiny VBS launchers and simple HTML) but arranges them with care to maximise stealth: moving operations into hidden or off-screen browser sessions, cleaning up artifacts, and outsourcing both payload delivery and data exfiltration to widely used webhook services."
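The INCLUDEPICTURE field structure described above is something a defender can check for before a document ever reaches a user. The following scanner is an added example and not part of the article or of LAB52's tooling; it unzips a .docx, rejoins field codes that Word splits across several `w:instrText` runs, and flags any INCLUDEPICTURE field whose URL points at an external host, with webhook.site treated as a beacon indicator. The `build_sample_docx` fixture is constructed for this example only (it is not a Word-openable file) and the token in its URL is a placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
# Field code with a quoted or bare http(s) URL; the \d switch keeps the image remote.
FIELD_RE = re.compile(r'INCLUDEPICTURE\s+"?(https?://[^"\s]+)"?', re.IGNORECASE)


def find_remote_includepicture(docx_bytes: bytes) -> list[str]:
    """Return external URLs referenced by INCLUDEPICTURE fields in word/document.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    urls = []
    for para in root.iter(W + "p"):
        # Word often splits one field code across several w:instrText runs; rejoin them.
        instr = "".join(t.text or "" for t in para.iter(W + "instrText"))
        # Simple fields carry the code in a w:instr attribute instead of runs.
        for fs in para.iter(W + "fldSimple"):
            instr += " " + fs.get(W + "instr", "")
        urls += FIELD_RE.findall(instr)
    return urls


def is_beacon_url(url: str) -> bool:
    """True when the URL points at the hosted webhook service named in the article."""
    host = urlparse(url).hostname or ""
    return host == "webhook.site" or host.endswith(".webhook.site")


def build_sample_docx(field_code: str) -> bytes:
    """Constructed scan fixture (not Word-openable): one complex field in document.xml."""
    doc = (
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f'<w:r><w:instrText xml:space="preserve"> {field_code[:20]}</w:instrText></w:r>'
        f'<w:r><w:instrText xml:space="preserve">{field_code[20:]} </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        "</w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()
```

On a real attachment, pass the file's bytes to `find_remote_includepicture` and alert on any result, escalating when `is_beacon_url` is also true.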