
APT28 Operation MacroMaze campaign targeting Western and Central Europe

Campaign
First reported
Last updated
Happening score
H score 34
1 unique source, 1 article

Summary


Operation MacroMaze, a spear-phishing campaign against entities in Western and Central Europe, has been attributed to APT28. It used basic tooling and webhook[.]site infrastructure to deliver payloads and exfiltrate data. The activity matters because it shows a sustained, multi-step intrusion operation that combined lure documents, macro execution, and browser-based collection of command output from September 2025 to January 2026.

Related Happenings

APT28 wellnesscaremed[.]com multistage LNK campaign

Campaign
First: 02.03.2026 12:36 Last: 02.03.2026 12:36 Sources 1

About this happening: An **APT28**-linked **LNK/HTML delivery chain** is being used for **multistage payloads**, indicating an ongoing phishing-style operation that can broaden exploitation paths. The...

Webhook-based macro malware chain

Malware Activity
First: 23.02.2026 21:41 Last: 23.02.2026 21:41 Sources 1

How related: LAB52 said it identified multiple documents with slightly tweaked macros between late September 2025 and January 2026, all of which function as a dropper to establish a foothold on the compromised host and deliver additional payloads.

About this happening: A **macro malware chain** used **spear-phishing lure documents** to establish footholds on compromised hosts and **exfiltrate output via webhook[.]site**, increasing stealthy post...

Lazarus Group graphalgo recruitment-themed package campaign

Campaign
First: 12.02.2026 18:55 Last: 12.02.2026 18:55 Sources 1

About this happening: The **North Korea-linked Lazarus Group** is running **graphalgo**, an active fake recruitment-themed package campaign that is targeting **developers** through **npm** and **PyPI**...

ClawHavoc malicious skills campaign targeting OpenClaw users via ClawHub

Campaign
First: 02.02.2026 19:49 Last: 02.02.2026 19:49 Sources 1

About this happening: The **ClawHavoc** campaign continues to abuse **ClawHub** and the **OpenClaw** ecosystem to distribute **infostealer malware** through malicious skills. New reporting says the ope...

Timeline

  1. 23.02.2026 21:41 2 articles · 3mo ago

    APT28 Operation MacroMaze campaign disclosed

    Initial Disclosure

    Operation MacroMaze, a spear-phishing campaign targeting specific entities in Western and Central Europe, has been attributed to APT28. It used lure documents with an INCLUDEPICTURE field, VBScript/CMD/batch launchers, Microsoft Edge, and webhook[.]site infrastructure for command retrieval and data exfiltration. LAB52 said the activity was active between September 2025 and January 2026, and that the macros evolved from headless browser execution to keyboard simulation and off-screen browser use.
