- APT28 (Fancy Bear) is reported to have been running "Operation MacroMaze" since late September 2025
- Phishing emails carrying macro-laden Word documents are used to deliver information stealers
- The attack chain relies on simple scripts and HTML, organized to maximize stealth and persistence
APT28, the infamous Russian state-sponsored hacking group also known as Fancy Bear or Sofacy, has been observed targeting entities in Western and Central Europe with information stealers.
In a recently published report, Lab52 security researchers from S2 Group detailed “Operation MacroMaze,” which has been ongoing since at least late September 2025 through January 2026.
The campaign begins with a highly personalized phishing email. The topics and content vary, but are mostly related to diplomatic issues. In one case, investigators said they saw a slightly altered copy of official diplomatic agendas being distributed.
Word documents and macros
The emails came with a Microsoft Word document packed with macros. Macros are small programs or scripts that can be created within Microsoft Office to automate repetitive tasks. However, they have been abused so heavily over the years that Microsoft now blocks them by default, in particular for files downloaded from the Internet (those carrying the Mark of the Web).
The attackers built their Word files with that restriction in mind, using lure content to trick victims into enabling macros and thereby executing the malicious code. Lab52 also said the malware was designed to notify the attackers when a victim actually executes the file.
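Because the lure depends on the victim enabling macros, the first triage question for a suspicious attachment is simply whether it carries a VBA project at all, regardless of its extension. The following Python is an added example, not code from the Lab52 report or from the campaign: it opens an Office Open XML package (docx/docm/xlsx/xlsm/pptx/pptm) as the zip file it is, looks for the vbaProject.bin part, and checks whether [Content_Types].xml declares a macro-enabled document. The two sample packages are constructed inline so the code runs offline; legacy binary .doc files (OLE2) are not zips and are reported as such rather than parsed.

```python
import io
import zipfile

# Where an OOXML package stores its VBA project, per application.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

# Content types that Office assigns to macro-enabled main documents.
MACRO_MAIN_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)


def inspect_office_package(data: bytes) -> dict:
    """Report whether an Office file carries VBA, judged by its contents, not its extension."""
    report = {"is_ooxml": False, "has_vba": False, "vba_parts": [], "macro_enabled_type": False}
    if not zipfile.is_zipfile(io.BytesIO(data)):
        # Legacy OLE2 .doc/.xls or not an Office file: a different parser is needed.
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())
        report["is_ooxml"] = "[Content_Types].xml" in names
        report["vba_parts"] = [part for part in VBA_PARTS if part in names]
        report["has_vba"] = bool(report["vba_parts"])
        if report["is_ooxml"]:
            ctypes = pkg.read("[Content_Types].xml").decode("utf-8", "replace")
            report["macro_enabled_type"] = any(t in ctypes for t in MACRO_MAIN_TYPES)
    return report


def _build_package(with_vba: bool) -> bytes:
    """Constructed minimal OOXML package used as sample input (not a real document)."""
    main_type = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_vba
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", content_types)
        pkg.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Real vbaProject.bin is an OLE2 stream; a placeholder is enough for the presence check.
            pkg.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


MACRO_SAMPLE = _build_package(with_vba=True)
CLEAN_SAMPLE = _build_package(with_vba=False)

if __name__ == "__main__":
    for label, sample in (("macro", MACRO_SAMPLE), ("clean", CLEAN_SAMPLE), ("not-office", b"hello")):
        print(label, inspect_office_package(sample))
```

A document that reports has_vba but not macro_enabled_type, or the reverse, is itself worth a closer look: the two signals normally agree, and a mismatch means the package was assembled by something other than Office.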
When they do, they trigger a chain that, instead of dropping a single information-stealing malware binary, drops multiple small scripts and HTML templates.
These establish persistence, reconstruct a command payload from downloaded fragments, collect basic system information, and exfiltrate the results through an auto-submitting HTML form.
“This campaign shows that simplicity can be powerful,” the researchers explained. “The attacker uses very basic tools (batch files, small VBS launchers, and simple HTML), but organizes them carefully to maximize stealth: moving operations to hidden or off-screen browser sessions, cleaning artifacts, and outsourcing both payload delivery and data exfiltration to widely used webhook services.”
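The chain the researchers describe (Word, then batch and VBS launchers, then a browser driven off-screen to submit a form) is visible almost entirely in process-creation telemetry. The Python below is an added example, not code from Lab52 or from the campaign, and the event records it analyzes are constructed here rather than taken from the report. It walks each process's ancestry and flags script hosts and browsers that descend from an Office application, plus browsers launched with headless or off-screen window arguments; the exact command-line flags used to hide a browser window are an assumption about how "hidden or off-screen browser sessions" would look, since the article does not list them.

```python
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Assumed indicators of a hidden browser session (Chromium/Firefox switches);
# tune to whatever the tooling in your environment actually observes.
HIDDEN_BROWSER_FLAGS = ("--headless", "--window-position=-", "-headless")


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 or EDR equivalent)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def image_name(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestors(pid: int, by_pid: dict) -> list:
    """Image names of all known ancestors of pid, nearest parent first."""
    chain, seen = [], set()
    ev = by_pid.get(pid)
    while ev is not None and ev.ppid in by_pid and ev.ppid not in seen:
        seen.add(ev.ppid)          # guard against PID reuse loops in stale data
        ev = by_pid[ev.ppid]
        chain.append(image_name(ev.image))
    return chain


def analyze(events) -> dict:
    """Map pid -> list of reasons for every process that matches the chain."""
    by_pid = {e.pid: e for e in events}
    findings = {}
    for e in events:
        img = image_name(e.image)
        lineage = ancestors(e.pid, by_pid)
        under_office = any(a in OFFICE_APPS for a in lineage)
        reasons = []
        if img in SCRIPT_HOSTS and under_office:
            reasons.append("script_host_under_office")
        if img in BROWSERS and under_office:
            reasons.append("browser_under_office")
        if img in BROWSERS and any(f in e.cmdline.lower() for f in HIDDEN_BROWSER_FLAGS):
            reasons.append("hidden_browser")
        if reasons:
            findings[e.pid] = reasons
    return findings


# Constructed sample telemetry: one malicious chain plus two benign launches from Explorer.
SAMPLE_EVENTS = [
    ProcEvent(100, 0, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\v\Downloads\agenda.docm"'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\v\AppData\Local\Temp\run.bat"'),
    ProcEvent(400, 300, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe //B "C:\Users\v\AppData\Local\Temp\launch.vbs"'),
    ProcEvent(500, 400, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              r'msedge.exe --headless --window-position=-32000,-32000 "file:///C:/Users/v/AppData/Local/Temp/form.html"'),
    ProcEvent(600, 100, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              "chrome.exe https://example.com/"),
    ProcEvent(700, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]

if __name__ == "__main__":
    by_pid = {e.pid: e for e in SAMPLE_EVENTS}
    for pid, reasons in analyze(SAMPLE_EVENTS).items():
        chain = " > ".join(reversed(ancestors(pid, by_pid)) + [image_name(by_pid[pid].image)])
        print(pid, reasons, chain)
```

The ancestry walk matters more than the direct parent check: the browser in this chain is three hops away from WINWORD.EXE, so a rule keyed only on "Office spawns browser" would miss it, while "Office anywhere in the lineage" catches every stage the article lists.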
The group behind Operation MacroMaze, APT28, has been an active participant in Russia's war against Ukraine, attacking Ukrainian infrastructure and Ukraine's allies and carrying the conflict into cyberspace.
Via The Hacker News