A Russian state-sponsored hacking group has conducted a new cyber espionage campaign targeting specific organizations in Western and Central Europe. The operation, active between September 2025 and January 2026, utilized malware hidden within common office documents to steal information.
The threat actor, tracked by cybersecurity researchers as APT28, was linked to the campaign by the LAB52 threat intelligence team of Spanish firm S2 Grupo. The activity has been codenamed Operation MacroMaze.
Campaign Mechanics and Tools
The campaign relied on basic tooling and the abuse of legitimate services, according to the researchers. Attackers used malicious Microsoft Office documents, typically delivered via phishing emails, to deploy malware. These documents contained embedded VBA macros, small programs that run inside the Office application once a user allows them.
When a user enabled macros, the malware was executed. Its primary function was to establish a connection to a command and control server operated by the attackers. This connection used webhooks, which are HTTP requests sent to a URL hosted by a third-party service when a specific event occurs. By pointing the macro at legitimate webhook services, the attackers could blend their command and control traffic with normal HTTPS activity to reputable domains, making detection more difficult than if they had used their own infrastructure.
Attribution and Historical Context
APT28, also known as Fancy Bear, Sofacy, and Sednit, is a cyber espionage unit widely attributed to Russia’s military intelligence agency, the GRU. The group has a long history of targeting governments, militaries, and political organizations worldwide, often with the goal of intelligence gathering.
Their tactics frequently involve spear-phishing campaigns and the use of malware designed to remain stealthy on infected systems. Operation MacroMaze represents a continuation of this pattern, focusing on entities within Europe for intelligence collection purposes.
Implications for Cybersecurity
This campaign highlights the ongoing threat posed by well-resourced, nation-state actors to European security and economic interests. The use of simple macros and abused legitimate services demonstrates that sophisticated attackers do not always require complex, custom malware to achieve their objectives.
Security experts note that such techniques can bypass traditional security filters that only block known malicious file hashes or domains: a freshly built macro document has no known-bad signature, and the webhook endpoint sits on a domain that reputation lists rate as trustworthy. The operation underscores the importance of user awareness regarding the dangers of enabling macros in unsolicited documents and the need for behavioural detection that flags an Office application making outbound connections or spawning scripting processes, even when the destination is a trusted platform.
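The behavioural detection described above, covering both the macro-to-webhook flow in the Campaign Mechanics section and the detection need stated here, as an added example that is not part of the LAB52 report or the original article. It runs over constructed endpoint telemetry (the hostnames, paths and process names are made up for the example and are not indicators from Operation MacroMaze); the vendor allowlist and the webhook path hints are assumptions to tune per environment.

```python
"""Flag Office applications behaving like macro droppers talking to webhook C2.

Two behaviours are checked on JSON-lines endpoint telemetry:
  1. an Office process opening an outbound HTTP(S) connection to a host that is
     not one of the vendor's own service endpoints (webhook-style paths get a
     more specific rule name), and
  2. an Office process spawning a scripting or shell child process.
"""
import json
from dataclasses import dataclass

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumed allowlist of vendor domains Office legitimately talks to; tune locally.
ALLOWED_SUFFIXES = (".office.com", ".officeapps.live.com", ".microsoft.com", ".office.net")
# Children an Office document has no business launching.
SCRIPT_CHILDREN = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                   "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Assumed URL path fragments typical of webhook receivers.
WEBHOOK_PATH_HINTS = ("/webhook", "/hooks/", "/api/webhooks/")


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    process: str
    detail: str


def host_is_vendor(dest_host):
    """True if the destination is (a subdomain of) an allowlisted vendor domain."""
    h = dest_host.lower()
    return any(h == s.lstrip(".") or h.endswith(s) for s in ALLOWED_SUFFIXES)


def analyze_event(ev):
    """Return an Alert for one telemetry event, or None if it looks benign."""
    proc = ev.get("process", "").lower()
    if proc not in OFFICE_PROCESSES:
        return None  # only Office processes are in scope for these rules
    kind = ev.get("event")
    if kind == "net_connect":
        dest = ev.get("dest_host", "")
        if host_is_vendor(dest):
            return None  # expected Office cloud traffic
        path = ev.get("url_path", "")
        if any(hint in path.lower() for hint in WEBHOOK_PATH_HINTS):
            rule = "office_webhook_c2"
        else:
            rule = "office_outbound_http"
        return Alert(rule, ev["host"], proc, f"{ev.get('method', '?')} {dest}{path}")
    if kind == "proc_create":
        child = ev.get("child", "").lower()
        if child in SCRIPT_CHILDREN:
            return Alert("office_spawns_script", ev["host"], proc, child)
    return None


def analyze_log(lines):
    """Parse JSON-lines telemetry and return alerts in log order."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the run
        alert = analyze_event(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry for the example; not real campaign data.
SAMPLE_LOG = """
{"ts":"2025-10-02T08:14:03Z","host":"ws-17","event":"net_connect","process":"WINWORD.EXE","dest_host":"odc.officeapps.live.com","url_path":"/odc/v2.1/config","method":"GET"}
{"ts":"2025-10-02T08:14:09Z","host":"ws-17","event":"net_connect","process":"WINWORD.EXE","dest_host":"hooks.example-saas.test","url_path":"/hooks/7c1d","method":"POST"}
{"ts":"2025-10-02T08:14:10Z","host":"ws-17","event":"proc_create","process":"WINWORD.EXE","child":"powershell.exe"}
{"ts":"2025-10-02T08:15:00Z","host":"ws-22","event":"net_connect","process":"chrome.exe","dest_host":"hooks.example-saas.test","url_path":"/hooks/7c1d","method":"POST"}
{"ts":"2025-10-02T08:16:00Z","host":"ws-22","event":"net_connect","process":"EXCEL.EXE","dest_host":"cdn.example-files.test","url_path":"/update.bin","method":"GET"}
"""

if __name__ == "__main__":
    for a in analyze_log(SAMPLE_LOG.splitlines()):
        print(a)
```

The browser's POST to the same webhook host is deliberately not flagged: the signal is not the destination, which is a legitimate service, but the fact that a document-rendering process initiated the connection. That is what lets the rule survive an attacker rotating to a different webhook provider.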
Based on the established patterns of APT28, cybersecurity firms and government agencies in the affected regions are likely to continue their investigations. Further technical indicators of compromise, or IOCs, from Operation MacroMaze are expected to be shared with the wider security community to help other organizations defend against similar attacks. National cybersecurity authorities may issue updated advisories to critical infrastructure and government bodies, reinforcing guidance on macro security settings and email vigilance.
Source: S2 Grupo LAB52