Researchers at LAB52 have uncovered a new campaign, dubbed ‘Operation MacroMaze,’ attributed to APT28 aka Fancy Bear, Forest Blizzard and FROZENLAKE. Active from at least late September 2025 through January 2026, the operation has targeted selected entities in Western and Central Europe using basic tooling and legitimate web services to blend malicious activity with normal traffic.
The campaign uses spear-phishing documents carrying slightly different macro variants. All analyzed documents embed an INCLUDEPICTURE field in their XML (as w:instrText field code) that references a remote image hosted on webhook[.]site. When the document is opened and its fields update, Microsoft Word fetches the external resource (docopened.jpg); the resulting outbound HTTP request shows up in webhook[.]site's server-side log and tells the operators that the document was opened.
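A triage script for this beacon, written for this article rather than taken from the LAB52 report: it opens a .docx as the zip it is, joins the w:instrText runs of each field (Word often splits one field's code across several runs) and also checks w:fldSimple, then reports any INCLUDEPICTURE whose target is a URL or UNC path. The embedded document and the webhook.site token in it are constructed placeholders, not samples from the campaign.

```python
# Added example, not code from the LAB52 report: find INCLUDEPICTURE fields
# in a .docx that point at a remote resource (the open-tracking beacon).
# A .docx is a zip; field code lives in <w:instrText> runs between fldChar
# begin/end markers, or in the w:instr attribute of <w:fldSimple>.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

INCLUDEPICTURE_RE = re.compile(r'INCLUDEPICTURE\s+"?([^"\s]+)"?', re.IGNORECASE)
# http(s)/ftp URLs and UNC paths all trigger an outbound request on field update.
REMOTE_RE = re.compile(r"^(https?://|ftp://|\\\\)", re.IGNORECASE)


def extract_field_codes(root):
    """Return the instruction text of every field in one XML part."""
    codes, stack = [], []          # stack: one buffer per open (possibly nested) field
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                codes.append("".join(stack.pop()))
        elif el.tag == W + "instrText" and stack:
            stack[-1].append(el.text or "")
    codes += [fs.get(W + "instr", "") for fs in root.iter(W + "fldSimple")]
    return codes


def find_remote_includepicture(docx_bytes):
    """Return (part_name, target) for each INCLUDEPICTURE with a remote target."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            # document.xml plus headers, footers and footnotes can all carry fields
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            data = z.read(name)
            if b"INCLUDEPICTURE" not in data.upper():   # cheap pre-filter
                continue
            for code in extract_field_codes(ET.fromstring(data)):
                m = INCLUDEPICTURE_RE.search(code)
                if m and REMOTE_RE.match(m.group(1)):
                    hits.append((name, m.group(1)))
    return hits


def build_sample_docx():
    """Constructed test document (not a real sample); the webhook.site token is a
    placeholder. One field targets a remote image, the other a local file."""
    document_xml = r'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:body><w:p>
  <w:r><w:fldChar w:fldCharType="begin"/></w:r>
  <w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE </w:instrText></w:r>
  <w:r><w:instrText xml:space="preserve">"https://webhook.site/example-token/docopened.jpg" \d</w:instrText></w:r>
  <w:r><w:fldChar w:fldCharType="separate"/></w:r>
  <w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p><w:p>
  <w:fldSimple w:instr=' INCLUDEPICTURE "C:\Users\user\logo.png" \d '><w:r><w:t/></w:r></w:fldSimple>
</w:p></w:body></w:document>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")   # minimal stub, not a valid package
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for part, target in find_remote_includepicture(build_sample_docx()):
        print("remote INCLUDEPICTURE in %s -> %s" % (part, target))
```

Run against a real document by passing the file's bytes to `find_remote_includepicture`. The pre-filter on the raw bytes keeps the scan fast over large mail archives; the XML walk is what makes it reliable, since a naive regex over the raw part misses fields split across runs.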
The researchers found four macro variants, all of them functioning as droppers. They write six files (VBS, BAT, CMD, HTM and XHTML components) into the %USERPROFILE% directory under GUID-like filenames. The initial VBScript launches a CMD file that runs the remaining scripts in sequence and establishes persistence by writing a Scheduled Task XML definition at runtime and importing it with schtasks.
“While the core logic of all the macros detected remains consistent, the scripts show an evolution in evasion techniques, ranging from ‘headless’ browser execution in the older version to the use of keyboard simulation (SendKeys) in the newer versions to potentially bypass security prompts,” the report notes.
The task executes a VBScript in the user profile directory with a batch file argument and is configured with recurring triggers set to 20, 30 or 61 minutes depending on the variant. After registration, the XML definition, the initial VBScript and the task-creation script are deleted.
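For hunting this persistence, a triage routine for Task Scheduler XML definitions (the format `schtasks /Create /XML` imports), written for this article and not part of the LAB52 report. It pulls the Exec command and arguments and the Repetition intervals out of a task definition and flags the combination described above: a script host run on a script under the user profile, repeating every few minutes. The two task definitions and the GUID-like filenames in them are constructed for the example; the 120-minute threshold is an assumption to tune to your environment.

```python
# Added example, not code from the LAB52 report: triage a Task Scheduler XML
# definition and flag the "script host + user-profile script + short
# repetition" persistence pattern. Repetition intervals are ISO 8601
# durations such as PT20M, PT30M or PT1H1M.
import re
import ntpath
import xml.etree.ElementTree as ET

T = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe"}
USER_WRITABLE_RE = re.compile(
    r"%(USERPROFILE|APPDATA|LOCALAPPDATA|TEMP|TMP)%|[A-Za-z]:\\Users\\", re.IGNORECASE)
GUID_SCRIPT_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.(vbs|bat|cmd|js)\b",
    re.IGNORECASE)
SHORT_INTERVAL_MINUTES = 120   # assumed threshold; the observed variants use 20, 30 and 61


def iso_duration_minutes(text):
    """Parse the PnDTnHnMnS subset of ISO 8601 durations that Task Scheduler emits."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", (text or "").strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def triage_task_xml(xml_text):
    """Return actions, repetition intervals (minutes), findings and a verdict."""
    root = ET.fromstring(xml_text)
    actions = []
    for ex in root.iter(T + "Exec"):
        cmd = (ex.findtext(T + "Command") or "").strip().strip('"')
        args = (ex.findtext(T + "Arguments") or "").strip()
        actions.append((cmd, args))
    # Only Triggers/*/Repetition/Interval matters; RestartOnFailure also has an Interval.
    intervals = [iso_duration_minutes(rep.findtext(T + "Interval")) for rep in root.iter(T + "Repetition")]
    intervals = [i for i in intervals if i is not None]

    findings = []
    script_host = user_path = False
    for cmd, args in actions:
        host = ntpath.basename(cmd).lower()
        if host in SCRIPT_HOSTS:
            script_host = True
            findings.append("script host launched: " + host)
        if USER_WRITABLE_RE.search(cmd + " " + args):
            user_path = True
            findings.append("command or argument under a user-writable path")
        if GUID_SCRIPT_RE.search(args):
            findings.append("GUID-named script passed as argument")
    short = [i for i in intervals if i <= SHORT_INTERVAL_MINUTES]
    if short:
        findings.append("repeats every %g min" % min(short))
    return {"actions": actions, "intervals": intervals, "findings": findings,
            "suspicious": script_host and user_path and bool(short)}


# Constructed task definitions for the example; the GUID-like names are placeholders.
SUSPICIOUS_TASK_XML = r'''<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT20M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
    <StartBoundary>2025-10-01T09:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>wscript.exe</Command>
    <Arguments>"%USERPROFILE%\11111111-2222-3333-4444-555555555555.vbs" "%USERPROFILE%\66666666-7777-8888-9999-000000000000.bat"</Arguments>
  </Exec></Actions>
</Task>'''

BENIGN_TASK_XML = r'''<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-10-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\ExampleVendor\updater.exe</Command><Arguments>/silent</Arguments>
  </Exec></Actions>
</Task>'''

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, triage_task_xml(xml))
```

Feed it the XML that `schtasks /Query /XML` or an EDR's task-creation event gives you; exported task XML is UTF-16 on disk, so decode before calling `triage_task_xml`. Because the dropper deletes its XML after import, the durable evidence is the registered task itself plus the VBS and BAT files still present in the profile.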
The VBScript wrapper executes commands silently via WScript.Shell.Run with error suppression. Two batch variants were observed, each following a multi-stage workflow that renders a Base64-encoded HTML payload in Microsoft Edge, redirects to webhook[.]site to download file fragments, reconstructs a randomly named CMD file in the Downloads directory, executes it while capturing output, and merges the results with HTM and XHTML templates to generate a final HTML file for exfiltration to another webhook[.]site instance.
Built-in 20-second delays ensure browser rendering completes before execution continues, and all artifacts are removed at the end of the process.
The researchers said they were not able to retrieve the command file that collects system information, but noted that, based on a previous APT28-linked campaign with a similar kill chain and TTPs, this stage most likely deploys an information-gathering payload.