Batavia Spyware Targets Russian Industrial Enterprises: New Cyber Threat Unveiled

TL;DR

Since March 2025, a sophisticated phishing campaign has targeted Russian organizations using Batavia spyware. The attack uses fake contract emails containing malicious links to spread the malware, which is designed to steal internal documents. The campaign has affected over 100 users across several dozen organizations, highlighting the importance of employee training and cybersecurity awareness.

Introduction

A targeted phishing campaign has been spreading Batavia spyware through fake contract-themed emails aimed at Russian industrial enterprises. The campaign began in July 2024 and has intensified since March 2025. It relies on malicious .vbe files disguised as legitimate contracts or attachments. The malware consists of a VBA script and two executables, which Kaspersky identifies as Trojan.Batavia variants.

Attack Mechanism

The attack initiates with phishing emails containing malicious links, sent under the pretext of signing a contract. According to a report published by Kaspersky:

“Since early March 2025, our systems have recorded an increase in detections of similar files with names like договор-2025-5.vbe, приложение.vbe, and dogovor.vbe (translation: contract, attachment) among employees at various Russian organizations. The targeted attack begins with bait emails containing malicious links, sent under the pretext of signing a contract.”

Batavia spyware

Initial Infection

Clicking the link in the phishing email downloads a VBE script that collects system information and retrieves a malware file (WebView.exe) from the attacker’s domain. The script checks the OS version to decide how to execute the payload and sends data to the command-and-control (C2) server. The attack uses tailored parameters per email to manage infection stages and evade detection.

Second Stage

In the second stage, the WebView.exe malware, written in Delphi, downloads and displays a fake contract. It then begins spying on the infected system, collecting system logs, office documents, and periodically capturing screenshots, sending them to a new C2 server. To avoid duplicate uploads, it hashes each file. Additionally, it downloads a new malware stage (javav.exe) and sets a startup shortcut to launch it on reboot, continuing the infection cycle.

Final Stage

In the final stage, the javav.exe malware, written in C++, expands its targeting to more file types, including images, emails, presentations, and archives. It exfiltrates these files to a C2 server using an updated infection ID (e.g., 2hc1-...). The malware can change its C2 address and download and execute new payloads (e.g., windowsmsg.exe), elevating privileges through a UAC bypass via computerdefaults.exe. Communication with the C2 is encrypted, and the malware continues to avoid duplicate uploads by hashing files. This stage gives the operators flexibility and persistence for further malicious activity.
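The three stages above leave distinct traces on an endpoint: a script host running a .vbe from a user directory, a shortcut written to the Startup folder, and computerdefaults.exe spawning a child it should never spawn. The following triage helper is an added example for this post, not Kaspersky's or Security Affairs' code; it walks constructed Sysmon-style process-creation and file-creation records and reports which stages of the chain appear on each host. The event field names, the sample hostnames and paths, the shortcut name javav.lnk, and the allowlist of legitimate computerdefaults.exe children are assumptions made for the example.

```python
"""Triage helper for the Batavia-style infection chain described above.

Added example (not Kaspersky's or Security Affairs' code). Event records are
constructed here; field names (type, host, image, parent_image, command_line,
target) mimic Sysmon events and are an assumption of this example.
"""
import re
from dataclasses import dataclass

# Script hosts that execute .vbe (encoded VBScript) files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# User-writable locations a phishing download typically lands in.
USER_DIRS = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\", re.I)

# A .lnk landing in the per-user Startup folder (the persistence step).
STARTUP_LNK = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)

# Assumed allowlist: what computerdefaults.exe may legitimately launch.
DEFAULTS_ALLOWED_CHILDREN = {"computerdefaults.exe", "systemsettings.exe"}


@dataclass
class Finding:
    stage: str   # "initial-vbe", "startup-lnk" or "uac-bypass-child"
    host: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: list[dict]) -> list[Finding]:
    """Return one Finding per event that matches a stage of the chain."""
    findings: list[Finding] = []
    for ev in events:
        host = ev.get("host", "?")
        if ev["type"] == "process_create":
            image = basename(ev["image"])
            parent = basename(ev.get("parent_image", ""))
            cmd = ev.get("command_line", "")
            # Stage 1: script host executing a .vbe from a user directory.
            if (image in SCRIPT_HOSTS and re.search(r"\.vbe\b", cmd, re.I)
                    and USER_DIRS.search(cmd)):
                findings.append(Finding("initial-vbe", host, cmd))
            # Stage 3: computerdefaults.exe spawning an unexpected child.
            if parent == "computerdefaults.exe" and image not in DEFAULTS_ALLOWED_CHILDREN:
                findings.append(Finding("uac-bypass-child", host, f"{parent} -> {image}"))
        elif ev["type"] == "file_create":
            # Stage 2: shortcut dropped into the Startup folder.
            if STARTUP_LNK.search(ev["target"]):
                findings.append(Finding("startup-lnk", host, ev["target"]))
    return findings


def host_risk(findings: list[Finding]) -> dict[str, str]:
    """One matching stage on a host is 'review'; two or more distinct stages
    on the same host is 'high', since that is the chain rather than a one-off."""
    stages: dict[str, set[str]] = {}
    for f in findings:
        stages.setdefault(f.host, set()).add(f.stage)
    return {h: ("high" if len(s) >= 2 else "review") for h, s in stages.items()}


# Constructed sample telemetry: one infected host and one benign logon script.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws-017",
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\ivanov\Downloads\dogovor.vbe"'},
    {"type": "file_create", "host": "ws-017",
     "image": r"C:\Users\ivanov\AppData\Local\WebView.exe",
     "target": r"C:\Users\ivanov\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\javav.lnk"},
    {"type": "process_create", "host": "ws-017",
     "image": r"C:\Users\ivanov\AppData\Local\windowsmsg.exe",
     "parent_image": r"C:\Windows\System32\ComputerDefaults.exe",
     "command_line": r"C:\Users\ivanov\AppData\Local\windowsmsg.exe"},
    # Benign: a domain logon script run from the netlogon share (no .vbe, not a user dir).
    {"type": "process_create", "host": "ws-042",
     "image": r"C:\Windows\System32\cscript.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "command_line": r"cscript.exe \\fileserver\netlogon\mapdrives.vbs"},
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.host}] {f.stage}: {f.detail}")
    print(host_risk(found))
```

The per-host rating matters more than any single rule: a lone .vbe execution or Startup shortcut has benign explanations, but the same host showing two or more stages of this particular sequence is the pattern the Kaspersky report describes and should be escalated.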

Impact and Recommendations

The Batavia spyware campaign has primarily targeted Russian industrial enterprises. Kaspersky’s telemetry data shows that more than 100 users across several dozen organizations received the phishing messages.

“It’s also worth noting that the initial infection vector in this campaign is bait emails. This highlights the importance of regular employee training and raising awareness of corporate cybersecurity practices.”

Conclusion

The Batavia spyware campaign underscores the need for vigilance and proactive cybersecurity measures. Regular employee training and awareness programs are crucial in mitigating the risks associated with such targeted attacks. As the threat landscape continues to evolve, organizations must stay informed and prepared to defend against sophisticated cyber threats.

Pierluigi Paganini

This post is licensed under CC BY 4.0 by the author.