Multiple documents associated with this activity have been detected, featuring macros that differ slightly. One of these documents specifically<\/strong> used for spear-phishing was detected employing as a lure an alleged agenda issued on September 18, 2025, by the Ministry of the Presidency, Justice and Relations with the Courts<\/strong> of Spain<\/strong>. It’s a deliberately crafted and modified document that reproduces content from the agenda resolutions published<\/a> on the official La Moncloa website on September 23, 2025.<\/p>\n\n\n All analyzed documents share a common structural element within their XML: an INCLUDEPICTURE field referencing a remote URL hosted on webhook[.]site.<\/p>\n\n\n This field is embedded in the document\u2019s XML (w:instrText) and instructs Microsoft Word to retrieve an external image resource when the field is evaluated. The referenced file (docopened.jpg) is fetched from the remote server when the document is opened and fields are updated. This behavior functions as a tracking mechanism: when the document is opened and Word processes the INCLUDEPICTURE field, an outbound HTTP request is generated to the remote server. The server operator can then log metadata associated with the request, effectively confirming that the document has been opened.<\/p>\n\n\n\n Multiple documents with four sightly different macro variants have been identified. All macros are designed to work as “droppers”. Their objective is to establish a foothold on the victim’s machine by dropping six files, including the scripting (VBS, BAT and CMD) and HTML wrapped ones used for exfiltration (HTM and XHTML) into the %USERPROFILE% folder with filenames containing GUID-like names.<\/p>\n\n\n The GUID used for the names will match the extension of the webhook[.]site path used as Command and Control (C2) server. All the variants use heavy string concatenation (e.g., breaking “WScript.Shell” into multiple substrings like “WScri” and “pt.shell”) to assemble the files.<\/p>\n\n\n Once the files are created, the macro runs one of the VBScript files to initiate the next stage.<\/p>\n\n\n While the core logic of all the macros detected remains consistent, the scripts show an evolution in evasion techniques, ranging from “headless” browser execution in the older version to the use of keyboard simulation (SendKeys) in the newer versions to potentially bypass security prompts.<\/p>\n\n\n\n The earliest variant of the macro used, identified in late September 2025, is associated with the government-themed decoy document<\/strong> and is characterized by its final behavior: it iterates through the document to remove all ContentControls and changes the text color to black.<\/p>\n\n\n This newer variant, detected in October, 2025, adds a fake Microsoft Word error message<\/strong> designed to lure the victim into believing that the document is corrupted or has opening issues.<\/p>\n\n\n This variant, detected in December 2025, removes the specific document cleanup routines <\/strong>present in the earlier versions, but keeps displaying the fake Microsoft Word error message.<\/p>\n\n\n The newest variant, detected in January, 2026, appears to be a slightly more evolved, as it incorporates user interface manipulation<\/strong>. Before triggering a fake error message and file dropping routine, it executes SendKeys “{DOWN}”, and later SendKeys “{Enter}” and SendKeys “{UP}” at the end of the script. These commands simulate physical keyboard presses, a technique often used to dismiss “Enable Content” security warnings automatically.<\/strong> The structural similarities suggest that it is a direct iteration of the previous version, simply adding the keystroke obfuscation to increase the success rate of infection.<\/p>\n\n\n When the VBScript is launched, it activates the CMD file that ultimately trigger the execution of the remaining scripts in sequence.<\/p>\n\n\n The script establishes persistence by dynamically generating a Windows Scheduled Task using a task definition written to disk at runtime. The CMD component constructs the task\u2019s XML definition via output redirection, configuring the task to execute a VBScript located in the user\u2019s profile directory while passing a batch file as its execution argument. The scheduled task is configured with a repeating time-based trigger, causing the payload to execute periodically. In the first observed variant, the task is set to run every 30 minutes, while the second variant reduces the execution interval to 20 minutes. In the third and fourth variants, the repetition interval is increased to 61 minutes.<\/p>\n\n\n\n Once the XML file is complete, it is imported using “schtasks” to register the task with non-interactive execution settings. Immediately after task creation, the script deletes the XML file, the first VBScript used and itself from disk.<\/p>\n\n\n The VBScript used during the XML creation process consists of a wrapper that executes the file passed as an argument in a hidden window. It leverages “WScript.Shell.Run” with error suppression enabled to silently launch the supplied command without displaying any user interface.<\/p>\n\n\n As observed in the first stage, where multiple macro variants were identified, this artifact also presents more than one implementation. Specifically, two distinct batch file variants have been detected. The first batch script is associated with the first and second variants, while the second batch script is linked to the third and fourth ones. Despite sharing a common multi-stage execution pattern, both batches exhibit operational differences.<\/p>\n\n\n\n Both batch files follow the same high-level, multi-stage execution pattern. They begin by cleaning temporary download artifacts and then render a small Base64-encoded HTML payload in Microsoft Edge, which redirects the browser to a webhook[.]site endpoint used to download the fragments that will later be reconstructed into an intermediate CMD file. The scripts then assemble a randomly named CMD from the downloaded fragments in the user\u2019s Downloads directory, execute the reconstructed CMD while capturing its output, and merge that output with a the HTM and XHTML templates to generate a final HTML file containing the information intended for exfiltration to an another webhook[.]site instance. Finally, all generated artifacts are explicitly removed. In both cases, 20 seconds timeout delays are used to ensure browser-based rendering completes before execution continues.<\/p>\n\n\n\n This variant of the batch archive is primarily focused on stealth and low user impact<\/strong>. By relying on Microsoft Edge\u2019s headless mode and avoiding aggressive process termination, it minimizes visible artifacts and reduces the likelihood of user suspicion or disruption of legitimate browser activity.<\/p>\n\n\n\n This second variant is primarily focused on execution reliability and environmental control. <\/strong>Instead of true headless execution, it hides browser activity by moving the window off-screen and aggressively terminates all Edge processes before and after execution to ensure predictable behavior. The inclusion of certificate error suppression further indicates a focus on robustness and tolerance to network or configuration issues, even at the cost of being more intrusive and potentially noticeable to the user.<\/p>\n\n\n\n The final HTML file is constructed by concatenating a static HTM file, the captured output of the reconstructed CMD payload, and a closing XHTML template.<\/p>\n\n\n The initial HTM file defines an auto-submitting form that sends a POST request to a webhook[.]site endpoint, while the payload output is embedded directly within a element. The closing XHTML fragment completes the document structure. When the resulting HTML file is rendered by Microsoft Edge, the form is submitted, causing the collected command output to be exfiltrated to the remote webhook endpoint without user interaction. This browser-based exfiltration technique leverages standard HTML functionality to transmit data while minimizing detectable artifacts on disk.<\/p>\n\n\n\n The command file generated to collect system information during the analysis couldn’t be recovered. However, based on a previous campaign analyzed by CERT Polska<\/a> and the Computer Emergency Response Team of Ukraine<\/a> attributed APT28 and exhibiting a highly similar kill chain and overlapping TTPs<\/strong>, it is likely that this stage deploys a relatively simple information-gathering payload. In those related campaigns, the actor has been observed using lightweight scripts to collect basic host information, such as the system\u2019s IP address, selected directory listings, and other environment details, prior to exfiltration.<\/p>\n\n\n\n This campaign proves that simplicity can be powerful. The attacker uses very basic tools (batch files, tiny VBS launchers and simple HTML) but arranges them with care to maximise stealth: Moving operations into hidden or off-screen browser sessions, cleaning up artifacts, and outsourcing both payload delivery and data exfiltration to widely used webhook services. Because those webhook instances are typically ephemeral (they\u2019re created for short-lived tasks and are often discarded quickly), the operator appears to favour in this campaign brief and low-visibility intrusions over maintaining long-term implants. <\/p>\n\n\n\n The tooling may be unsophisticated, but the operational tradeoffs are effective. It\u2019s low-tech executed with high craft, which makes detection and attribution harder than the artifacts alone would suggest.<\/p>\n\n\n\n![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image.png\")
<\/figure><\/div>\n\n\n![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-1-1024x113.png\")
<\/figure><\/div>\n\n\nInitial Foothold<\/h1>\n\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-3.png\")
<\/figure><\/div>\n\n\n![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-2-1024x221.png\")
<\/figure><\/div>\n\n\n![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-4-1024x47.png\")
<\/figure><\/div>\n\n\nFirst variant<\/strong><\/h2>\n\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-5.png\")
<\/figure><\/div>\n\n\nSecond variant<\/strong><\/h2>\n\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-12-1024x285.png\")
<\/figure><\/div>\n\n\nThird variant<\/strong><\/h2>\n\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-6-1024x67.png\")
<\/figure><\/div>\n\n\nFourth variant<\/strong><\/h2>\n\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-7-1024x124.png\")
<\/figure><\/div>\n\n![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-8-1024x212.png\")
<\/figure><\/div>\n\n\nExecution<\/h1>\n\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-9-1024x59.png\")
<\/figure><\/div>\n\n\n![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-10-1024x237.png\")
<\/figure><\/div>\n\n\n![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-11.png\")
<\/figure><\/div>\n\n\nBath files similarities<\/strong><\/h2>\n\n\n\n
Batch files differences<\/strong><\/h2>\n\n\n\n
Batch 1<\/h3>\n\n\n\n
\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-13-1024x366.png\")
<\/figure><\/div>\n\n\nBatch 2<\/h3>\n\n\n\n
\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-14-1024x379.png\")
<\/figure><\/div>\n\n\nExfiltration<\/h1>\n\n\n\n
![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-15.png\")
<\/figure><\/div>\n\n![\"\"](\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2026\/02\/image-16.png\")
<\/figure><\/div>\n\n\nConclusion<\/h1>\n\n\n\n
Intelligence Availability Notice<\/h1>\n\n\n\n