Feb 24, 2026 · 5 min read
Russia's Military Hackers Spied on European Officials Using Free Webhook Services
APT28 ran a five-month espionage campaign against Western and Central European entities using Word macros, batch scripts, and legitimate webhook infrastructure. Security firm LAB52 documented four evolving variants.
Operation MacroMaze
Between September 2025 and January 2026, Russia's APT28, the military intelligence hacking group also known as Fancy Bear, conducted a targeted espionage campaign against specific entities in Western and Central Europe. Spanish threat intelligence firm S2 Grupo's LAB52 team documented the operation and named it MacroMaze.
The campaign's most notable feature was not its sophistication. It was its simplicity. APT28 used weaponized Word documents with VBScript macros, batch files, and free webhook services to deliver payloads and exfiltrate data. No custom malware. No zero-day exploits. Just basic tools arranged strategically for stealth.
How the Attack Worked
The attack began with spear phishing emails containing lure documents designed to look like legitimate government correspondence. One documented lure impersonated Spain's Ministry of the Presidency, Justice and Relations with the Courts, using a deliberately modified official resolution as bait.
Each document contained a hidden tracking mechanism: a field code called INCLUDEPICTURE, stored in the document's XML, that pointed to a webhook.site URL hosting a JPG image. When the target opened the document, Word automatically fetched the image, sending an HTTP request to the webhook endpoint. This told APT28 exactly who opened the document, when they opened it, and from what IP address.
This is essentially the same technique as an email tracking pixel, but embedded in a Word document instead of an email. The target had no idea they were being tracked simply by opening a file.
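The tracking mechanism described above can be checked for before a document is ever opened: a .docx is a zip archive, and an INCLUDEPICTURE field (or the external image relationship Word writes for it) is visible in word/document.xml and word/_rels/document.xml.rels. The scanner below is an added example, not code from the original report or from LAB52; the beacon host list and the sample document it builds are constructed for illustration, and the sample's URL is a placeholder rather than any real campaign indicator.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
BEACON_HOSTS = ("webhook.site",)  # hosts treated as tracking/exfil endpoints

def external_targets(docx_bytes):
    """(source, url) for each external reference: INCLUDEPICTURE field codes in
    word/document.xml (fldSimple attribute, or instrText runs joined per paragraph
    so a code split across runs is still caught) and External relationships."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "word/document.xml" in names:
            root = ET.fromstring(z.read("word/document.xml"))
            codes = [e.get(f"{{{W_NS}}}instr", "") for e in root.iter(f"{{{W_NS}}}fldSimple")]
            for p in root.iter(f"{{{W_NS}}}p"):
                codes.append("".join(t.text or "" for t in p.iter(f"{{{W_NS}}}instrText")))
            for code in codes:
                for m in re.finditer(r'INCLUDEPICTURE\s+"?([^"\s]+)', code):
                    hits.append(("INCLUDEPICTURE", m.group(1)))
        if "word/_rels/document.xml.rels" in names:
            rels = ET.fromstring(z.read("word/_rels/document.xml.rels"))
            for rel in rels.iter(f"{{{R_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    hits.append(("relationship", rel.get("Target", "")))
    return hits

def flag_beacons(docx_bytes):
    """Only the external references that point at a known beacon host."""
    return [(src, url) for src, url in external_targets(docx_bytes)
            if any(h in url.lower() for h in BEACON_HOSTS)]

def build_sample_docx(image_url):
    """Constructed minimal .docx (not a real MacroMaze sample): one INCLUDEPICTURE
    field fetching image_url plus the external relationship Word writes for it."""
    doc = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
           f'<w:fldSimple w:instr=\'INCLUDEPICTURE "{image_url}" \\d\'>'
           '<w:r><w:t> </w:t></w:r></w:fldSimple></w:p></w:body></w:document>')
    rels = (f'<Relationships xmlns="{R_NS}"><Relationship Id="rId1" TargetMode="External" '
            f'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
            f'Target="{image_url}"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", doc)
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()
```

Any external INCLUDEPICTURE target is worth a look even when the host is not on the beacon list, since the same fetch-on-open behaviour works against any server the attacker controls.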
Four Evolving Variants
LAB52 identified four distinct variants of the malicious macros, each showing advancing evasion techniques developed over the campaign's five-month duration:
- Variant 1 (September 2025): Document cleanup routines and text color manipulation to hide macro activity
- Variant 2 (October 2025): Added fake Microsoft Word error messages to distract users
- Variant 3 (December 2025): Removed cleanup routines but retained the fake error messages
- Variant 4 (January 2026): Keyboard simulation via SendKeys commands to automatically dismiss security warnings
The final variant was the most dangerous. By simulating keyboard input, it could bypass the "Enable Content" security prompt that Microsoft Office displays when opening documents with macros. The user never had to click anything.
Hiding in Plain Sight
Once the macro executed, it dropped six files with randomly generated filenames to the user's profile directory and established persistence through Windows Scheduled Tasks that ran at intervals between 20 and 61 minutes. The payload used Microsoft Edge to render base64-encoded HTML pages that collected system information and exfiltrated it to webhook.site endpoints via automated form submissions.
One variant moved the Edge browser window completely off-screen so the victim would never see it running. Another killed any competing Edge processes to ensure clean execution. The exfiltrated data included IP addresses, directory listings, and environment details, exactly the kind of reconnaissance information a state-sponsored group needs before deciding whether a target is worth deeper exploitation.
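The persistence pattern above (a scheduled task repeating every 20 to 61 minutes whose action runs something dropped into the user's profile) is something a responder can hunt for in exported task definitions, for example the XML that `schtasks /query /xml` produces. The hunt below is an added example, not code from the original report or from LAB52; it assumes the standard Task Scheduler XML schema, and the sample task definitions it checks are constructed, with a made-up file name and path rather than any real campaign artifact.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
MIN_MINUTES, MAX_MINUTES = 20, 61  # interval window reported for MacroMaze tasks

def iso_duration_minutes(value):
    """Convert a Task Scheduler ISO 8601 duration (PT30M, PT1H1M, P1DT2H) to whole
    minutes; returns None for anything that does not parse."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 1440 + h * 60 + mi + s // 60

def task_traits(task_xml):
    """Traits of one exported task definition: a repetition interval inside the
    20..61 minute window and an action whose command or arguments live under a
    user profile directory."""
    root = ET.fromstring(task_xml)
    ns = {"t": TASK_NS}
    traits = set()
    for interval in root.iterfind(".//t:Repetition/t:Interval", ns):
        mins = iso_duration_minutes(interval.text)
        if mins is not None and MIN_MINUTES <= mins <= MAX_MINUTES:
            traits.add("short-interval")
    for exe in root.iterfind(".//t:Actions/t:Exec", ns):
        line = exe.findtext("t:Command", "", ns) + " " + exe.findtext("t:Arguments", "", ns)
        if re.search(r"(?i)(?:c:\\users|%userprofile%|%appdata%)\\", line):
            traits.add("user-profile-path")
    return traits

def is_suspicious(task_xml):
    """Flag only when both traits coincide, to keep legitimate short-interval tasks quiet."""
    return {"short-interval", "user-profile-path"} <= task_traits(task_xml)

# Constructed sample task XML (not a real MacroMaze artifact); path and file name are made up.
SAMPLE_TASK = f"""<Task version="1.4" xmlns="{TASK_NS}">
  <Triggers><TimeTrigger><StartBoundary>2025-10-01T09:00:00</StartBoundary>
    <Repetition><Interval>PT37M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>cmd.exe</Command>
    <Arguments>/c "C:\\Users\\victim\\AppData\\Roaming\\qkzp7x1.bat"</Arguments></Exec></Actions>
</Task>"""
BENIGN_TASK = f"""<Task version="1.4" xmlns="{TASK_NS}">
  <Triggers><TimeTrigger><Repetition><Interval>PT5M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command></Exec></Actions>
</Task>"""
```

Run it over every task on a host and review the hits alongside their creation time and the process that registered them; a task created seconds after a Word document was opened is the pairing that matters here.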
Why Webhook Services Matter
The choice of webhook.site as infrastructure was deliberate. Webhook services are legitimate tools used by developers to test API integrations. Network security tools rarely flag traffic to these domains because they are not traditionally associated with malware. By routing both payload delivery and data exfiltration through a trusted service, APT28 made the traffic nearly invisible to standard network monitoring.
This approach also eliminates the need for APT28 to maintain their own command and control servers, which security researchers routinely discover and shut down. A free webhook service provides disposable, anonymous infrastructure that leaves minimal forensic evidence.
The Bigger Picture
Operation MacroMaze ran concurrently with a separate APT28 campaign that exploited a Microsoft Office vulnerability, CVE-2026-21509, to target European military and government entities across Poland, Slovenia, Turkey, Greece, the UAE, and Ukraine. Together, these campaigns demonstrate that Russia's military intelligence hackers are actively and aggressively targeting European institutions on multiple fronts.
For organizations in government, defense, and critical sectors, the lesson from MacroMaze is clear: the threat does not always come wrapped in sophisticated malware. Sometimes it arrives as a Word document that looks like an official government memo, tracks you when you open it, and quietly reports everything it finds back to Moscow using a free webhook service anyone can sign up for in thirty seconds.