APT28 resurfaces with macro-based spear-phishing campaign

Russian state-linked hackers are using carefully structured phishing techniques to target diplomatic and enterprise entities across Europe.

What happened

The Russian-linked group APT28, also known as Fancy Bear or Sofacy, has launched a new spear-phishing campaign called “Operation MacroMaze” targeting selected organizations in Western and Central Europe. According to TechRadar, the activity has been ongoing since at least September 2025. The attacks begin with highly personalized emails referencing diplomatic themes, sometimes including altered versions of real diplomatic agendas, and carry macro-enabled Microsoft Word documents. Macros are small built-in scripts that automate tasks, but they can run malicious code if enabled. Although Microsoft blocks macros in internet-downloaded files by default, the documents are crafted to convince recipients to enable them manually. Once activated, the infection chain launches lightweight scripts and hidden HTML components that gather system information and send the stolen data back to the attackers through web-based submission channels.

Going deeper

Operation MacroMaze does not rely on highly intricate malware frameworks. Instead, the attack uses simple tools such as batch files, small Visual Basic Script launchers, and HTML templates. A malicious macro starts a staged process that rebuilds a command payload from smaller downloaded pieces rather than delivering one large executable, which lowers detection risk because each part looks less suspicious on its own. Persistence is maintained through basic system changes, and stolen data is sent out through auto-submitting HTML forms that blend into normal web traffic. The approach shows that effective intrusion campaigns do not always require zero-day exploits or sophisticated encryption routines. Careful orchestration of simple tools can achieve stealth and long-term access.

What was said

In its February 2026 coverage of Operation MacroMaze, TechRadar reported on findings from Lab52, quoting researchers who stated, “This campaign proves that simplicity can be powerful. The attacker uses very basic tools (batch files, tiny VBS launchers and simple HTML) but arranges them with care to maximise stealth: Moving operations into hidden or off-screen browser sessions, cleaning up artifacts, and outsourcing both payload delivery and data exfiltration to widely used webhook services.” The analysis explains that the attackers relied on simple scripting tools and common web services, and structured the attack carefully to avoid detection and reduce visible traces on infected systems.

In the know

An HHS advisory warns that Russian state-sponsored threat actors, including APT28, have been “targeting the HPH sector,” referring to the Healthcare and Public Health sector. The alert details activity involving credential harvesting, spearphishing, and exploitation of publicly exposed services to gain initial access to healthcare networks. Federal officials caution that these campaigns form part of broader intelligence-gathering and disruptive efforts, urging healthcare organizations to strengthen phishing defenses, patch internet-facing systems, and closely monitor authentication activity.

The big picture

APT28 has been publicly attributed by Western governments to Russia’s military intelligence service, the GRU, and has been linked to long-running cyber operations across Europe and North America. In 2018, the U.S. Department of Justice unsealed an indictment charging GRU officers with computer intrusions and election interference tied to APT28, stating the officers “engaged in a persistent hacking campaign that included the theft and dissemination of documents.” Ongoing activity, including Operation MacroMaze, shows how state-linked groups continue targeting diplomatic and business organizations using phishing emails with document-based scripts. For European organizations, the continued use of macro-enabled attachments reinforces that email-borne documents remain an active security risk, not an outdated threat.

FAQs

What is APT28?

APT28, also known as Fancy Bear, is a threat group widely attributed by Western governments to Russia’s military intelligence service and linked to espionage and influence operations.

Why are macros still effective despite being disabled by default?

Attackers rely on social engineering to persuade users to manually enable macros, often by embedding instructions inside the document itself that claim the file will not display correctly otherwise.

What makes this campaign different from typical malware attacks?

Instead of deploying a single large malware file, the campaign distributes small script components that assemble functionality in stages, reducing detection likelihood.

Why are diplomatic themes used in spear-phishing?

Spear-phishing relies on contextual credibility. Diplomatic agendas and official-looking documents increase the chance that recipients perceive the attachment as legitimate and urgent.

How can organizations reduce the risk from macro-based attacks?

Organizations can enforce group policies that block macros from internet-origin files, implement advanced email filtering with attachment detonation, monitor script execution behavior, and train users to verify unexpected document requests.
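One way to act on the "monitor script execution behavior" recommendation, as an added example that is not from the article or the Lab52 report: the Python below walks constructed process-creation records and flags script hosts or browsers whose lineage runs back to an Office application through a batch or VBS launcher, the chain described under Going deeper. The CSV field names, image paths and pids are assumptions made for this example.

```python
import csv
import ntpath
from io import StringIO

# Constructed sample process-creation telemetry; pids and paths are made up.
SAMPLE_EVENTS = """\
pid,ppid,image
4100,3000,C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE
4212,4100,C:\\Windows\\System32\\cmd.exe
4300,4212,C:\\Windows\\System32\\wscript.exe
4420,4300,C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe
5001,3000,C:\\Windows\\System32\\cmd.exe
5010,5001,C:\\Windows\\System32\\wscript.exe
"""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


def load_processes(events_text):
    """Parse CSV telemetry into {pid: (ppid, lower-cased image basename)}."""
    return {int(r["pid"]): (int(r["ppid"]), ntpath.basename(r["image"]).lower())
            for r in csv.DictReader(StringIO(events_text))}


def ancestry(procs, pid):
    """Image names from the given process up through its known ancestors."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid][1])
        pid = procs[pid][0]
    return chain


def find_macro_chains(events_text):
    """Return (pid, lineage) for script hosts or browsers that descend from an
    Office app via a script host: the macro -> launcher -> browser pattern."""
    procs = load_processes(events_text)
    hits = []
    for pid in procs:
        chain = ancestry(procs, pid)  # child first, oldest known ancestor last
        if chain[0] not in SCRIPT_HOSTS | BROWSERS:
            continue
        office = next((i for i, img in enumerate(chain) if img in OFFICE_APPS), None)
        if office is None:
            continue
        # A script host spawned by Office is suspicious by itself; a browser
        # only counts when a script host sits between it and the Office parent.
        if chain[0] in SCRIPT_HOSTS or any(img in SCRIPT_HOSTS for img in chain[1:office]):
            hits.append((pid, list(reversed(chain[:office + 1]))))
    return hits
```

On the sample data the cmd.exe launched by Word, the wscript.exe beneath it and the browser it opens are all flagged, while the cmd.exe and wscript.exe started from explorer.exe are not.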
