Webhook-based macro malware chain
Malware Activity
Summary
A macro malware chain used spear-phishing lure documents to establish footholds on compromised hosts and exfiltrate output via webhook[.]site, raising the risk of stealthy post-compromise activity. The activity ran from late September 2025 to January 2026 and used INCLUDEPICTURE beacons to confirm document opens before launching VBScript, CMD, and batch scripts. The chain also used Microsoft Edge in hidden or off-screen mode to retrieve commands, capture output, and send it out as HTML.
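As an added example (not tooling from the report or the sources it cites), the following Python script shows the kind of triage check a defender can run for the INCLUDEPICTURE open-beacon described above: it unzips a .docx, collects every field instruction from the WordprocessingML parts (complex fldChar/instrText fields, which Word may split across several runs, as well as fldSimple fields), and flags any INCLUDEPICTURE that pulls from a network URL, calling out webhook.site, the host named on this page. The sample document, its field layout and the placeholder webhook path are constructed for the example; the campaign's real identifiers are not on this page.

```python
"""Triage check for INCLUDEPICTURE open-beacons in .docx files (added example)."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urlparse

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
URL_RE = re.compile(r'https?://[^\s"\\<>]+', re.I)
# Host observed in the reported campaign; extend with your own blocklist.
BEACON_HOSTS = {"webhook.site"}


def field_instructions(document_xml) -> list:
    """Return the instruction text of every field in a WordprocessingML part.

    A complex field runs from a fldChar 'begin' to its 'end'; its instruction
    may be split over several w:instrText runs and fields may nest, so a stack
    collects the pieces per field. Simple fields keep the text in w:instr.
    """
    root = ET.fromstring(document_xml)
    fields, stack = [], []
    for el in root.iter():  # depth-first, i.e. document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                fields.append("".join(stack.pop()))
        elif el.tag == W + "instrText" and stack:
            stack[-1].append(el.text or "")
        elif el.tag == W + "fldSimple":
            fields.append(el.get(W + "instr", ""))
    return fields


def scan_docx(data: bytes) -> list:
    """Flag INCLUDEPICTURE fields that load their image from a network URL."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            # Fields can live in the body, headers, footers and footnotes.
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            for instr in field_instructions(z.read(name)):
                if "INCLUDEPICTURE" not in instr.upper():
                    continue
                for url in URL_RE.findall(instr):
                    host = (urlparse(url).hostname or "").lower()
                    findings.append({
                        "part": name,
                        "url": url,
                        "host": host,
                        "known_beacon_host": any(
                            host == h or host.endswith("." + h) for h in BEACON_HOSTS),
                    })
    return findings


def build_sample_docx(picture_url: str) -> bytes:
    """Build a minimal .docx holding one INCLUDEPICTURE field (constructed sample)."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        # Instruction deliberately split over two runs, as Word may write it.
        '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "__URL__" </w:instrText></w:r>'
        '<w:r><w:instrText xml:space="preserve">\\d </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>'
    ).replace("__URL__", picture_url)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


if __name__ == "__main__":
    # PLACEHOLDER-ID stands in for a webhook path; none is given on this page.
    sample = build_sample_docx("https://webhook.site/PLACEHOLDER-ID/open.png")
    for finding in scan_docx(sample):
        print(finding)
```

A network-loaded INCLUDEPICTURE fires when the document is rendered, before any macro is enabled, which is why it serves as an open confirmation; it is also used legitimately in some templates, so treat a hit as an indicator to review rather than a verdict, and pair it with the host check.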
Related Happenings
LofyGang Minecraft LofyStealer campaign
Campaign
First: 28.04.2026 20:39
Last: 28.04.2026 20:39
Sources 1
About this happening:
The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...
APT28 Operation MacroMaze campaign targeting Western and Central Europe
Campaign
First: 23.02.2026 21:41
Last: 23.02.2026 21:41
Sources 1
How related:
The Russia-linked state-sponsored threat actor tracked as APT28 has been attributed to a new campaign targeting specific entities in Western and Central Europe.
About this happening:
**APT28** was attributed to **Operation MacroMaze**, a **spear-phishing** campaign against entities in **Western and Central Europe** that used **basic tooling** and **webhook[.]s...
KongTuke / CrashFix campaign uses a malicious Chrome extension and ClickFix-style lures
Campaign
First: 19.01.2026 11:09
Last: 19.01.2026 11:09
Sources 1
About this happening:
An **ongoing KongTuke / CrashFix campaign** is using a **malicious Google Chrome extension** and **ClickFix-like lures** to push victims into running commands that deploy **Modelo...
Timeline
- 23.02.2026 21:41 · 2 articles · 3mo ago
APT28 attributed to Operation MacroMaze
Technical Analysis Update: APT28 was attributed to Operation MacroMaze, a spear-phishing campaign against entities in Western and Central Europe that used lure documents with an INCLUDEPICTURE field pointing to webhook[.]site, VBScript/CMD/batch launchers, and Microsoft Edge in headless or off-screen mode to establish footholds, run scheduled tasks, retrieve commands, and exfiltrate command output as HTML.
Sources
- APT28 Targeted European Entities Using Webhook-Based Macro Malware — thehackernews.com — 23.02.2026 21:41