New Batavia Spyware Targets Russian Industrial Enterprises

Since March 2025, a targeted phishing campaign has been spreading the new Batavia spyware in attacks against Russian industrial enterprises. The attack uses fake contract-themed emails to lure victims into downloading malicious files, which then steal internal documents.

The attack begins with links to malicious .vbe files disguised as contracts or attachments. Once clicked, these links download a VBA script that collects system information and retrieves a malware file from the attacker's domain. The script checks the OS version to decide how to execute the payload and sends data to the command-and-control (C2) server.

According to Russian cybersecurity firm Kaspersky, the targeted attack starts with bait emails sent under the pretext of signing a contract. These emails actually carry malicious links that deliver the Batavia spyware.

The attack uses tailored parameters per email to manage infection stages and evade detection. In the second stage of the attack chain, the WebView.exe malware downloads and displays a fake contract, then begins spying on the infected system. It collects system logs, office documents, and periodically captures screenshots, sending them to a new C2 server.

To avoid duplicate uploads, it hashes each file. It also downloads a new malware stage (javav.exe) and sets a startup shortcut to launch it on reboot, continuing the infection cycle. In the last stage of the attack chain, the malware javav.exe expands on previous stages by targeting more file types (e.g., images, emails, presentations, archives) and exfiltrating them to a C2 server using an updated infection ID.

According to Kaspersky, this stage introduces flexibility and persistence to facilitate further malicious activity. The researchers noticed that the victims of the Batavia spyware campaign were Russian industrial enterprises. Kaspersky's telemetry data shows that more than 100 users across several dozen organizations received the phishing messages.

Importance of Employee Training

"It's also worth noting that the initial infection vector in this campaign is bait emails," says a report published by Kaspersky. "This highlights the importance of regular employee training and raising awareness of corporate cybersecurity practices."

The Batavia Spyware Campaign

Here are the details of the Batavia spyware campaign:

* Attack vector: Phishing email with malicious links
* Payload: VBA script, WebView.exe malware, javav.exe malware
* Command-and-Control (C2) server communication: Encrypted
* Data exfiltration: System logs, office documents, screenshots, images, emails, presentations, archives
* Persistence: Using startup shortcut to launch on reboot
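As an added defender-side check (not code from the Kaspersky report or from this article), the following PowerShell enumerates the shortcuts in both Windows Startup folders and flags any whose target matches a binary name from this campaign (javav.exe, WebView.exe) or resolves under a user-writable directory. The list of user-writable directories is an assumption; the article does not give the shortcut name or target path the malware actually uses.

```powershell
# Added hunting script, not part of the Kaspersky report.
# Enumerate per-user and all-users Startup shortcuts and flag suspicious targets.
$suspectNames = @('javav.exe', 'WebView.exe')          # executable names given in the article
$userWritable = @(                                     # assumption: typical user-writable drop locations
    $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, "$env:USERPROFILE\Downloads"
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),           # %APPDATA%\...\Startup (current user)
    [Environment]::GetFolderPath('CommonStartup')      # %ProgramData%\...\Startup (all users)
)
$shell = New-Object -ComObject WScript.Shell

$results = foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $link    = $shell.CreateShortcut($_.FullName)
        $target  = $link.TargetPath
        $name    = [IO.Path]::GetFileName($target)
        $reasons = @()

        # Name match against the binaries named in the campaign (case-insensitive)
        if ($suspectNames -contains $name) { $reasons += 'target name matches campaign binary' }

        # Legitimate startup entries rarely point into user-writable directories
        foreach ($p in $userWritable) {
            if ($p -and $target.StartsWith($p, [StringComparison]::OrdinalIgnoreCase)) {
                $reasons += "target under user-writable path $p"
            }
        }

        [PSCustomObject]@{
            Shortcut   = $_.FullName
            Target     = $target
            Arguments  = $link.Arguments
            Suspicious = ($reasons.Count -gt 0)
            Reason     = ($reasons -join '; ')
        }
    }
}

$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it in an elevated session to read the all-users Startup folder; review every flagged entry before removing it, since the shortcut name is not a reliable indicator on its own.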
