Operation MacroMaze: new APT28 campaign using basic tooling and legit infrastructure
ID: 4840c671-3da2-57a4-801a-c32e4f389c34
STIX ID: report--4840c671-3da2-57a4-801a-c32e4f389c34
Feed Name: Lab52 Blog
LAB52 describes "Operation MacroMaze," an APT28-attributed spear-phishing campaign (Sep 2025–Jan 2026) that uses malicious Word documents with INCLUDEPICTURE tracking and macro droppers to write VBS/BAT/CMD/HTM artifacts, create scheduled tasks for persistence, and exfiltrate collected system information via auto-submitting HTML to webhook.site endpoints; multiple macro and batch variants and associated IOCs (file hashes and webhook URLs) are provided.
