- APT28 (Fancy Bear) has reportedly been running “Operation MacroMaze” since September 2025
- Spear-phishing emails with macro-laden Word documents are used to drop infostealers
- The attack chain relies on simple scripts and HTML, maximizing stealth and persistence
APT28, the notorious Russian state-sponsored hacking group also known as Fancy Bear or Sofacy, has been observed targeting “specific entities” in Western and Central Europe with info stealers.
In a recently published report, security researchers at Lab52, the threat intelligence team of S2 Grupo, described “Operation MacroMaze”, a campaign that has been running from at least late September 2025 into January 2026.
The campaign starts with a highly personalized spear-phishing email. The topics and content vary, but they are mostly related to diplomatic themes. In one instance, the researchers said they saw a slightly altered copy of official diplomatic agendas being distributed.
Word documents and macros
Emails would come with a macro-laden Microsoft Office Word document. Macros are small programs or scripts that can be created in Microsoft Word to automate repetitive tasks. However, they were so heavily abused over the years that Microsoft disabled them by default, especially for files downloaded from the Internet.
The attackers, however, designed the Word files around this fact, tricking the victims into enabling macros and running the malicious code. Lab52 also said the malware was designed to notify the attackers when the victim actually executes the file.
When the victim does, this triggers a chain reaction that, instead of dropping a single infostealer variant, drops several small scripts and HTML templates.
These established persistence, reconstructed a command payload from downloaded fragments, collected basic system information, and exfiltrated the results via an auto-submit HTML form.
“This campaign proves that simplicity can be powerful,” explained the researchers. “The attacker uses very basic tools (batch files, tiny VBS launchers, and simple HTML), but arranges them carefully to maximize stealth: moving operations to hidden or off-screen browser sessions, cleaning up artifacts, and outsourcing both payload delivery and data exfiltration to widespread webhook services.”
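The chain described above (a Word macro launching batch and VBS scripts, which then open a local HTML form in a browser) leaves a distinctive process tree. The following is an added detection example written for this article, not code from Lab52 or from the campaign: it scores constructed process-creation events for an Office application spawning a script host, and for a script host descended from Office opening a local .html file in a browser. All paths and file names are invented sample data.

```python
# Added example (not from the Lab52 report or the article): heuristic detection
# over constructed process-creation events for the chain the article describes:
# Word macro -> batch/VBS launcher -> browser rendering a local HTML form.
from dataclasses import dataclass

OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"msedge.exe", "chrome.exe", "iexplore.exe"}

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path, as an EDR or Sysmon event would record it
    cmdline: str

def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def suspicious_chains(events):
    """Return (stage, pid) findings. Stage 1: Office spawning a script host.
    Stage 2: a script host with an Office ancestor spawning a browser on a local .html file."""
    by_pid = {e.pid: e for e in events}
    findings = []

    def office_ancestor(e, depth=4):
        while depth and e.ppid in by_pid:
            e = by_pid[e.ppid]
            if _name(e.image) in OFFICE_HOSTS:
                return True
            depth -= 1
        return False

    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        if _name(parent.image) in OFFICE_HOSTS and _name(e.image) in SCRIPT_HOSTS:
            findings.append(("office_spawns_script_host", e.pid))
        if (_name(parent.image) in SCRIPT_HOSTS and _name(e.image) in BROWSERS
                and ".html" in e.cmdline.lower() and office_ancestor(e)):
            findings.append(("script_host_opens_local_html", e.pid))
    return findings

SAMPLE = [  # constructed events, not real telemetry
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE agenda.docm"),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "%TEMP%\\run.bat"'),
    ProcEvent(400, 300, r"C:\Windows\System32\wscript.exe", 'wscript.exe "%TEMP%\\launch.vbs"'),
    ProcEvent(500, 400, r"C:\Program Files\Microsoft\Edge\Application\msedge.exe", 'msedge.exe "file:///C:/Temp/form.html"'),
    ProcEvent(600, 100, r"C:\Program Files\Microsoft\Edge\Application\msedge.exe", "msedge.exe https://example.com"),
]
```

Run `suspicious_chains(SAMPLE)` to see both stages flagged while the user-launched browser session (pid 600) is ignored.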
The group behind Operation MacroMaze, APT28, has been actively involved in Russia’s “Special Military Operation” attacking Ukrainian infrastructure and its allies as it takes the war against Ukraine into cyberspace.
Via Hacker News