Operation MacroMaze: New APT28 Campaign Using Basic Tooling and Legitimate Infrastructure
Essential information
- Published
- 16/02/2026 14:28
- Modified
- 17/02/2026 16:08
- Tags
- 2026-02-16, batch files, droppers, exfiltration, fancy bear, html, macros, operation macromaze, persistence, vbscript, webhook
- Related entities
- 7 observables, 1 intrusion set (apt), 16 techniques (mitre), 2 others
Description
Operation MacroMaze, attributed to APT28 (Fancy Bear), targeted entities in Western and Central Europe from September 2025 to January 2026. The campaign relies on basic tooling and legitimate services for both its infrastructure and its data exfiltration. Multiple documents carrying different macro variants act as droppers and establish a foothold by writing files into the %USERPROFILE% folder. The attack chain consists of VBScript execution, scheduled task creation for persistence, and a multi-stage process driven by batch files. Exfiltration uses HTML-based techniques and sends the collected data to webhook.site. Despite its simplicity, the campaign shows effective operational tradeoffs that make detection and attribution harder.
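As an added illustration (not part of the report above), the following Python snippet correlates the chain just described on constructed Sysmon-style process and network events: a script host launching a file from the user profile, schtasks.exe creating a task pointing into the profile folder, cmd.exe running a .bat from the same location, and an outbound connection to webhook.site. The event field names and sample values are assumptions made for this example.

```python
# Added detection example; event layout and values are constructed for illustration.
import re
from collections import defaultdict

# Constructed sample events (Sysmon EID 1-like "process" and EID 3-like "network").
EVENTS = [
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\stage1.vbs"'},
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "C:\Users\alice\run.bat"'},
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\run.bat"'},
    {"host": "ws01", "type": "network", "image": r"C:\Windows\System32\cmd.exe",
     "dest_host": "webhook.site"},
    {"host": "ws02", "type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir"},
]

# Matches a path under a user's profile directory (the %USERPROFILE% folder).
PROFILE = re.compile(r"c:\\users\\[^\\]+\\", re.I)


def stage_of(ev):
    """Map one event to a stage of the described chain, or None if it matches nothing."""
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    cmd = ev.get("cmdline", "")
    if ev["type"] == "network":
        return "exfil" if ev.get("dest_host", "").endswith("webhook.site") else None
    if image in ("wscript.exe", "cscript.exe") and PROFILE.search(cmd):
        return "vbscript"
    if image == "schtasks.exe" and "/create" in cmd.lower() and PROFILE.search(cmd):
        return "persistence"
    if image == "cmd.exe" and ".bat" in cmd.lower() and PROFILE.search(cmd):
        return "batch"
    return None


def correlate(events, required=("vbscript", "persistence", "batch", "exfil")):
    """Return the hosts on which every required stage of the chain was observed."""
    seen = defaultdict(set)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            seen[ev["host"]].add(stage)
    return sorted(h for h, stages in seen.items() if set(required) <= stages)


if __name__ == "__main__":
    print(correlate(EVENTS))  # ['ws01']
```

Individual stages are noisy on their own (schtasks.exe and cmd.exe are everywhere); requiring all four on one host is what keeps the alert useful.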