{
  "name": "Operation MacroMaze: New APT28 Campaign Using Basic Tooling and Legitimate Infrastructure",
  "slug": "operation-macromaze-new-apt28-campaign-using-basic-tooling-and-legitimate-infrastructure",
  "description": "Operation MacroMaze, attributed to APT28 (Fancy Bear), targets entities in Western and Central Europe from September 2025 to January 2026. The campaign relies on basic tooling and legitimate services for its infrastructure and data exfiltration. Multiple documents carrying different macro variants act as droppers, establishing a foothold by creating files in the %USERPROFILE% folder. The attack chain involves VBScript execution, scheduled-task creation for persistence, and a multi-stage process using batch files. Exfiltration is achieved through HTML-based techniques, using webhook.site to transmit the data. Despite its simplicity, the campaign makes effective operational tradeoffs that complicate detection and attribution.",
  "published": "2026-02-16T13:28:58+00:00",
  "created_at": "2026-02-16T13:28:58+00:00",
  "modified_at": "2026-02-17T15:08:24+00:00",
  "created_at_opencti": "2026-02-16T13:28:58+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-02-16",
    "batch files",
    "droppers",
    "exfiltration",
    "fancy bear",
    "html",
    "macros",
    "operation macromaze",
    "persistence",
    "vbscript",
    "webhook"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "df60fa6008b1a0b79c394b42d3ada6bab18b798f3c2ca1530a3e0cb4fbbbe9f6"
      },
      {
        "id": "",
        "name": "9097d9cf5e6659e869bf2edf766741b687e3d8570036d853c0ca59ae72f9e9fc"
      },
      {
        "id": "",
        "name": "58cfb8b9fee1caa94813c259901dc1baa96bae7d30d79b79a7d441d0ee4e577e"
      },
      {
        "id": "",
        "name": "5486107244ecaa3a0824895fa432827cc12df69620ca94aaa4ad75f39ac79588"
      },
      {
        "id": "",
        "name": "c3b617e0c6b8f01cf628a2b3db40e8d06ef20a3c71365ccc1799787119246010"
      },
      {
        "id": "",
        "name": "ed8f20bbab18b39a67e4db9a03090e5af8dc8ec24fe1ddf3521b3f340a8318c1"
      },
      {
        "id": "",
        "name": "b0f9f0a34ccab1337fbcca24b4f894de8d6d3a6f5db2e0463e2320215e4262e4"
      }
    ],
    "intrusion_sets": [
      {
        "id": "2e5c75e1-c481-46c4-8d26-f0774a3457fa",
        "name": "APT28",
        "slug": "apt28"
      }
    ],
    "attack_patterns": [
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "16e4fc82-7c0b-4d1a-b784-b804b4df26dc",
        "name": "T1204.001"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "dc17cbbd-40d8-43cf-b3cf-50d1276db2c7",
        "name": "T1016"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "e8422fc8-8365-4a6a-a556-d6ec16cb4e5d",
        "name": "T1574.002"
      },
      {
        "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd",
        "name": "T1059.005"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Spain"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://lab52.io/blog/operation-macromaze-new-apt28-campaign-using-basic-tooling-and-legit-infrastructure",
    "https://otx.alienvault.com/pulse/699329aa6d09f10e6d85a92b"
  ]
}