Russia-linked APT28 conducted Operation MacroMaze, a targeted campaign against select government and organizational entities across Western and Central Europe from September 2025 through January 2026. The operation delivered webhook-based macro malware through malicious documents and used legitimate webhook services for command-and-control and data exfiltration, with strategic intelligence collection as its objective.
The attack chain began with malicious macro-enabled documents, which deployed webhook-based malware built for covert data collection. The malware relied on simple tooling and legitimate webhook services to reach attacker-controlled infrastructure, giving the operators persistent access and an exfiltration channel that looked like ordinary traffic to a trusted service. APT28, a Russian state-sponsored threat group also known as Fancy Bear and STRONTIUM, executed the campaign using its established tradecraft for intelligence gathering against European targets.
Security researchers publicly disclosed the campaign in February 2026, providing technical analysis of the malware's webhook-based communication mechanisms and infrastructure patterns. The disclosure included indicators of compromise and detection guidance for organizations operating in the affected regions to identify potential infections from this specific campaign.
Webhook-based macro malware campaign targeting select entities in Western and Central Europe
Operation MacroMaze shows how state-sponsored actors keep evolving macro malware by routing command-and-control through legitimate webhook services. Because that traffic terminates at trusted platforms, typically over TLS, perimeter controls that permit those platforms see nothing unusual. Defenders need to restrict macro execution at the endpoint and correlate outbound connections to common webhook platforms with the process that made them: a document-handling application posting to a webhook endpoint is the anomaly, not the destination itself. APT28 bypassed traditional network defenses in this campaign precisely by blending its traffic with legitimate service communications.
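The hunt the paragraph above describes, as an added example that is not part of the original report or the researchers' published detection guidance: given proxy or EDR telemetry that records the source process for each outbound request, flag HTTP POSTs to webhook-style hosts and rank them higher when the source is an Office binary. The log format, the workstation names and every sample line are constructed for illustration, and the webhook host list is a generic set of well-known webhook platforms chosen as an assumption, not indicators from the MacroMaze disclosure.

```python
"""
Added detection example (not from the original report): flag outbound HTTP
POSTs from Office processes to webhook-style endpoints, the pattern an
analyst would hunt for after a webhook-based macro campaign. The log format,
host names and sample lines are constructed; the webhook host list is a
generic assumption, not a set of indicators from the MacroMaze disclosure.
"""
import re
from urllib.parse import urlsplit

# Office binaries that should rarely, if ever, POST to third-party webhooks.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Illustrative webhook platform hosts (assumption, not report IOCs).
WEBHOOK_HOST_RES = [
    re.compile(r"^(www\.)?discord(app)?\.com$"),
    re.compile(r"^hooks\.slack\.com$"),
    re.compile(r"^webhook\.site$"),
    re.compile(r"^api\.telegram\.org$"),
]

# Uploads at or above this size from any flagged process are called out.
LARGE_UPLOAD_BYTES = 100_000

# Hypothetical proxy/EDR line layout: ts host proc method url bytes_out
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"method=(?P<method>[A-Z]+) url=(?P<url>\S+) bytes_out=(?P<bytes_out>\d+)$"
)


def is_webhook_host(hostname):
    """True if the destination host matches a known webhook platform."""
    hostname = hostname.lower()
    return any(r.match(hostname) for r in WEBHOOK_HOST_RES)


def parse_line(line):
    """Return the parsed fields for one log line, or None if it does not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["bytes_out"] = int(fields["bytes_out"])
    fields["dest_host"] = (urlsplit(fields["url"]).hostname or "").lower()
    return fields


def detect(log_text):
    """Return one alert dict per POST to a webhook host.

    Severity is 'high' when the source is an Office process (the macro
    exfiltration shape) and 'medium' otherwise, so a browser legitimately
    posting to a chat platform is still surfaced but ranked lower.
    """
    alerts = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f["method"] != "POST" or not is_webhook_host(f["dest_host"]):
            continue
        office = f["proc"].lower() in OFFICE_PROCESSES
        alerts.append({
            "ts": f["ts"],
            "host": f["host"],
            "proc": f["proc"],
            "dest": f["dest_host"],
            "bytes_out": f["bytes_out"],
            "severity": "high" if office else "medium",
            "large_upload": f["bytes_out"] >= LARGE_UPLOAD_BYTES,
        })
    return alerts


# Constructed sample telemetry (not real logs); one line is deliberately malformed.
SAMPLE_LOGS = """\
2025-10-02T09:14:03Z host=WS-0412 proc=winword.exe method=POST url=https://discord.com/api/webhooks/1234/abcd bytes_out=48213
2025-10-02T09:14:05Z host=WS-0412 proc=winword.exe method=GET url=https://templates.example.com/q3.dotx bytes_out=312
2025-10-02T09:15:10Z host=WS-0077 proc=chrome.exe method=POST url=https://hooks.slack.com/services/T000/B000/XXXX bytes_out=1024
2025-10-02T09:16:44Z host=WS-0412 proc=EXCEL.EXE method=POST url=https://webhook.site/7c1a0b bytes_out=220000
2025-10-02T09:17:00Z host=WS-0099 proc=outlook.exe method=GET url=https://outlook.office365.com/owa bytes_out=500
this line is not in the expected format
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(a["severity"].upper(), a["ts"], a["host"], a["proc"], "->", a["dest"],
              "(large upload)" if a["large_upload"] else "")
```

The rule keys on the source process rather than the destination alone because the destination is, by design, a legitimate service that many hosts will contact; it also lowercases the process name, since the same binary can appear as `EXCEL.EXE` or `excel.exe` depending on the sensor. In production the host patterns would come from a maintained list and the Office set would be extended with the script hosts a macro commonly spawns.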