
Operation MacroMaze: New APT28 Campaign Using Basic Tooling and Legitimate Infrastructure

Severity: Medium
Published: Mon Feb 16 2026 (02/16/2026, 14:28:58 UTC)
Source: AlienVault OTX General

Description

Operation MacroMaze, attributed to APT28 (Fancy Bear), targets entities in Western and Central Europe from September 2025 to January 2026. The campaign utilizes basic tools and legitimate services for infrastructure and data exfiltration. Multiple documents with varying macro variants act as droppers, establishing a foothold by creating files in the %USERPROFILE% folder. The attack chain involves VBScript execution, scheduled task creation for persistence, and a multi-stage process using batch files. Exfiltration is achieved through HTML-based techniques, leveraging webhook.site for data transmission. Despite its simplicity, the campaign demonstrates effective operational tradeoffs, making detection and attribution challenging.

AI-Powered Analysis

AI analysis last updated: 02/17/2026, 16:30:03 UTC

Technical Analysis

Operation MacroMaze is a targeted cyber espionage campaign attributed to the Russian state-sponsored threat actor APT28, also known as Fancy Bear. Active from September 2025 through January 2026, it focuses on entities in Western and Central Europe, with confirmed targeting of Spain. The campaign employs relatively simple but effective attack methods, leveraging Microsoft Office documents embedded with various macro variants as droppers. These macros create files within the %USERPROFILE% folder to establish an initial foothold. The infection chain proceeds with VBScript execution and the creation of scheduled tasks (MITRE ATT&CK technique T1053.005) to maintain persistence on compromised systems. A multi-stage process involving batch files is used to execute additional payloads and maintain control. For data exfiltration, the attackers use HTML-based techniques that send stolen information to webhook.site, a legitimate web service, thereby blending malicious traffic with normal network activity and complicating detection.

The campaign uses basic tooling and legitimate infrastructure, which reduces the attack footprint and hinders attribution efforts. The use of common scripting languages (VBScript, batch files) and standard Windows features (scheduled tasks, user profile directories) demonstrates an operational tradeoff favoring stealth and simplicity over complexity.

Indicators of compromise include multiple file hashes associated with the droppers and scripts. The campaign’s tactics, techniques, and procedures (TTPs) align with known APT28 behaviors, including persistence, credential access, and command execution techniques. No known exploits or CVEs are associated with this campaign, and it does not rely on zero-day vulnerabilities, instead exploiting user interaction via malicious macros. The campaign’s medium severity reflects its moderate impact potential and reliance on social engineering and basic scripting rather than advanced exploits.

Potential Impact

For European organizations, especially those in Spain and neighboring Western and Central European countries, Operation MacroMaze poses a significant espionage risk. The campaign’s ability to establish persistence and exfiltrate data using legitimate infrastructure makes it difficult to detect and mitigate. Confidentiality is primarily at risk, as sensitive information can be stolen via covert exfiltration channels. Integrity and availability impacts are less pronounced but could occur if attackers escalate privileges or deploy additional payloads. The use of basic tooling means that even organizations with mature security postures could be vulnerable if macro execution policies and endpoint monitoring are insufficient. The campaign could affect government agencies, defense contractors, critical infrastructure, and private sector companies holding strategic or sensitive data. The stealthy nature of the campaign increases the likelihood of prolonged undetected presence, enabling extensive data collection and potential follow-on attacks. The use of legitimate services for exfiltration also complicates network-based detection and response efforts, increasing operational risk for targeted organizations.

Mitigation Recommendations

1. Enforce strict macro security policies by disabling macros by default and only allowing macros from trusted, signed sources.
2. Implement application whitelisting to prevent unauthorized execution of VBScript and batch files, especially those launched from user profile directories.
3. Monitor and audit scheduled task creation and modifications (T1053.005), alerting on unusual or unauthorized tasks.
4. Deploy endpoint detection and response (EDR) solutions capable of detecting script-based attacks and anomalous file creation in user directories.
5. Inspect outbound network traffic for connections to uncommon or suspicious web services such as webhook.site, and apply network segmentation to limit data exfiltration paths.
6. Conduct user awareness training focused on the risks of enabling macros in unsolicited documents.
7. Regularly update and patch systems to reduce the attack surface, even though this campaign does not exploit known vulnerabilities.
8. Use threat intelligence feeds to block known malicious file hashes and indicators associated with Operation MacroMaze.
9. Employ behavioral analytics to detect multi-stage attack chains involving scripting and persistence mechanisms.
10. Establish incident response plans that include rapid containment and forensic analysis of script-based intrusions.


Technical Details

Author
AlienVault
TLP
white
References
https://lab52.io/blog/operation-macromaze-new-apt28-campaign-using-basic-tooling-and-legit-infrastructure
Adversary
APT28
Pulse Id
699329aa6d09f10e6d85a92b
Threat Score
null

Indicators of Compromise

Hash

Type    Value
hash    c83ce20c9e000654dc66234772380a95
hash    bcf2e5228263049910ca3d14dc55727a96c2ad51
hash    5486107244ecaa3a0824895fa432827cc12df69620ca94aaa4ad75f39ac79588
hash    58cfb8b9fee1caa94813c259901dc1baa96bae7d30d79b79a7d441d0ee4e577e
hash    9097d9cf5e6659e869bf2edf766741b687e3d8570036d853c0ca59ae72f9e9fc
hash    b0f9f0a34ccab1337fbcca24b4f894de8d6d3a6f5db2e0463e2320215e4262e4
hash    c3b617e0c6b8f01cf628a2b3db40e8d06ef20a3c71365ccc1799787119246010
hash    df60fa6008b1a0b79c394b42d3ada6bab18b798f3c2ca1530a3e0cb4fbbbe9f6
hash    ed8f20bbab18b39a67e4db9a03090e5af8dc8ec24fe1ddf3521b3f340a8318c1
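As an added detection example (not code from the lab52 report or from this page's source), the Python below applies three of the mitigation recommendations above to constructed telemetry: it matches file-creation events against the hash IoCs listed on this page, flags scheduled-task creation whose action runs from a user profile directory (the %USERPROFILE% foothold and T1053.005 persistence the analysis describes), and flags outbound connections to webhook.site. The JSON-lines event schema, host names, paths and sample events are assumptions made for the example, and the md5/sha1/sha256 labels are inferred from digest length because the page does not state the algorithms.

```python
"""Detection rules for the MacroMaze TTPs described on this page (added example)."""
import json
import re
from typing import Iterable, Iterator

# Hash indicators copied verbatim from the IoC list above.
MACROMAZE_HASHES = frozenset({
    "c83ce20c9e000654dc66234772380a95",
    "bcf2e5228263049910ca3d14dc55727a96c2ad51",
    "5486107244ecaa3a0824895fa432827cc12df69620ca94aaa4ad75f39ac79588",
    "58cfb8b9fee1caa94813c259901dc1baa96bae7d30d79b79a7d441d0ee4e577e",
    "9097d9cf5e6659e869bf2edf766741b687e3d8570036d853c0ca59ae72f9e9fc",
    "b0f9f0a34ccab1337fbcca24b4f894de8d6d3a6f5db2e0463e2320215e4262e4",
    "c3b617e0c6b8f01cf628a2b3db40e8d06ef20a3c71365ccc1799787119246010",
    "df60fa6008b1a0b79c394b42d3ada6bab18b798f3c2ca1530a3e0cb4fbbbe9f6",
    "ed8f20bbab18b39a67e4db9a03090e5af8dc8ec24fe1ddf3521b3f340a8318c1",
})

# Exfiltration service named in the report.
WATCHED_DOMAINS = ("webhook.site",)

# The page does not label the hash algorithms; infer them from hex length (assumption).
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

# A path inside a user profile: the foothold location the report describes.
_USER_PROFILE_RE = re.compile(r"(?i)(?:[a-z]:\\users\\[^\\]+\\|%userprofile%)")


def classify_hash(value: str) -> str:
    """Return md5/sha1/sha256 for a hex digest of known length, else 'unknown'."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return "unknown"
    return _ALGO_BY_LEN.get(len(v), "unknown")


def _domain_watched(host: str) -> bool:
    """True if host is a watched domain or one of its subdomains."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in WATCHED_DOMAINS)


def detect(events: Iterable[dict]) -> list[dict]:
    """Run the three rules over normalised events; one alert dict per match."""
    alerts = []
    for ev in events:
        kind, host = ev.get("type"), ev.get("host", "?")
        if kind == "file_create":  # rule 1: hash IoC match (recommendation 8)
            for algo in ("md5", "sha1", "sha256"):
                digest = str(ev.get(algo, "")).lower()
                if digest in MACROMAZE_HASHES:
                    alerts.append({"rule": "ioc_hash", "host": host,
                                   "detail": f"{ev.get('path')} {algo}={digest}"})
                    break
        elif kind == "task_create":  # rule 2: task action from %USERPROFILE% (rec. 3)
            action = ev.get("action", "")
            if _USER_PROFILE_RE.search(action):
                alerts.append({"rule": "task_from_user_profile", "host": host,
                               "detail": f"{ev.get('task')} -> {action}"})
        elif kind == "net_conn":  # rule 3: connection to watched domain (rec. 5)
            dest = ev.get("dest_host", "")
            if _domain_watched(dest):
                alerts.append({"rule": "watched_domain", "host": host,
                               "detail": f"{dest}:{ev.get('dest_port')}"})
    return alerts


def detect_jsonl(lines: Iterable[str]) -> list[dict]:
    """Parse JSON-lines telemetry, skip lines that are not valid JSON, then detect()."""
    def parsed() -> Iterator[dict]:
        for line in lines:
            line = line.strip()
            if not line:
                continue
            try:
                yield json.loads(line)
            except json.JSONDecodeError:
                continue
    return detect(parsed())


# Constructed sample telemetry (hypothetical hosts and paths; not from the report).
SAMPLE_TELEMETRY = [
    r'{"type":"file_create","host":"ws01","path":"C:\\Users\\alice\\update.vbs",'
    r'"sha256":"5486107244ecaa3a0824895fa432827cc12df69620ca94aaa4ad75f39ac79588"}',
    r'{"type":"task_create","host":"ws01","task":"\\Updater",'
    r'"action":"wscript.exe C:\\Users\\alice\\update.vbs"}',
    r'{"type":"task_create","host":"ws02","task":"\\Backup",'
    r'"action":"C:\\Program Files\\Backup\\backup.exe"}',
    r'{"type":"net_conn","host":"ws01","dest_host":"webhook.site","dest_port":443}',
    r'{"type":"net_conn","host":"ws02","dest_host":"updates.example.com","dest_port":443}',
    r'{"type":"file_create","host":"ws03","path":"C:\\Users\\bob\\report.docx",'
    r'"md5":"00000000000000000000000000000000"}',
    "this line is not JSON and is skipped",
]

if __name__ == "__main__":
    for a in detect_jsonl(SAMPLE_TELEMETRY):
        print(f"[{a['rule']}] {a['host']}: {a['detail']}")
```

Run stand-alone it prints three alerts, one per rule; in practice the event dicts would be fed from an EDR or SIEM export normalised to the same field names, and the hash set would be refreshed from a threat intelligence feed rather than hard-coded.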

Threat ID: 6994942680d747be20c10099

Added to database: 2/17/2026, 4:15:34 PM

Last enriched: 2/17/2026, 4:30:03 PM

Last updated: 2/21/2026, 12:13:54 AM

Views: 58
