Batavia Spyware Attacks Employees Through Malicious Word Documents Carrying Malware Payloads

A persistent and highly targeted spear-phishing campaign has been menacing Russian industrial organizations with a newly identified strain of spyware known as Batavia.

Security researchers, including those at Kaspersky, have tracked a significant uptick in attacks since early March 2025.

These incidents typically begin when employees receive convincing emails purportedly from business partners urging them to review or sign attached “contracts” or “attachments.”

The supposed document, however, is a link to a malicious payload cleverly disguised under familiar Russian filenames such as “договор-2025-5.vbe,” “приложение.vbe,” and “dogovor.vbe.”

The attack sequence triggers when a user clicks the embedded link, which leads to the download of an archive containing an encrypted Visual Basic Script (VBS).

This script, upon execution, acts as a first-stage downloader, reaching out to the attackers’ command-and-control (C2) domain to fetch a tailored set of parameters.

These include instructions for targeting specific Windows OS versions and serve as triggers for subsequent malware downloads.

Notably, the campaign utilizes unique file identifiers in each phishing email to track infection chains and tailor payloads.

Exfiltration Capabilities

Once the VBS script establishes the beachhead, it retrieves and executes “WebView.exe,” a Delphi-based executable hidden within the archive.

The malicious application masquerades as a contract viewer but works silently in the background to harvest system data, list installed software, and scan for sensitive documents on both local and removable drives.

Office documents, system logs, and other valuable files are covertly exfiltrated to a second C2 domain, “ru-exchange[.]com.”

To optimize data theft and avoid redundancy, Batavia uses file hashing to prevent uploading duplicate files.

The infection escalates with the deployment of a second payload “javav.exe,” this time written in C++.

This advanced module possesses expanded capabilities, extending data theft to emails, presentations, images, and compressed archives.

Figure: Example of an email with a malicious link

The malware communicates regularly with its C2 to receive updates, new malware components, and command-line instructions.

It also leverages a UAC (User Account Control) bypass technique to escalate privileges and execute additional payloads, potentially opening the door to further lateral movement or secondary infections.

Widespread Impact

According to telemetry analyzed in Kaspersky's report, more than 100 users across dozens of Russian organizations have encountered these attacks, with infection attempts peaking between August 2024 and June 2025.

The Batavia campaign is ongoing and represents a significant threat to sensitive corporate assets and industrial intellectual property.

Experts stress the critical importance of layered security measures incorporating advanced threat detection, rapid incident response, and, crucially, comprehensive employee cybersecurity training.

As phishing remains the primary attack vector in this campaign, raising awareness and resilience through continuous education is paramount.

Organizations are advised to leverage automated security awareness platforms and next-generation endpoint protection to mitigate the risk of similar sophisticated cyber threats.

Indicators of Compromise (IOC)

Component/File        Hash (MD5)                        C2 Domain
Договор-2025-2.vbe    2963FB4980127ADB7E045A0F743EAD05  oblast-ru[.]com
webview.exe           5CFA142D1B912F31C9F761DDEFB3C288  oblast-ru[.]com
javav.exe             03B728A6F6AAB25A65F189857580E0BD  ru-exchange[.]com
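As an added defender-side example (not code from this article, from Kaspersky, or from any product), the script below matches the indicators in the table above, the three MD5 hashes and the two C2 domains, against a few constructed telemetry records, and separately flags inbound .vbe attachments as the lure pattern described earlier in the story. The key=value log format, hostnames, paths and the benign hash are assumptions made for the example; only the hashes and domains come from the page.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Indicators copied from the article's IOC table (domains kept defanged as printed).
BATAVIA_MD5 = {
    "2963fb4980127adb7e045a0f743ead05": "Договор-2025-2.vbe",
    "5cfa142d1b912f31c9f761ddefb3c288": "webview.exe",
    "03b728a6f6aab25a65f189857580e0bd": "javav.exe",
}
BATAVIA_C2_DEFANGED = {"oblast-ru[.]com", "ru-exchange[.]com"}


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'oblast-ru[.]com' back into a real hostname."""
    return domain.replace("[.]", ".").lower()


BATAVIA_C2 = {refang(d) for d in BATAVIA_C2_DEFANGED}

# The campaign's lures are encrypted VBScript (.vbe) files; any inbound .vbe is worth review.
VBE_RE = re.compile(r"\.vbe$", re.IGNORECASE)


@dataclass
class Hit:
    line_no: int
    severity: str  # "high" = matches a published IOC, "medium" = matches the lure pattern
    reason: str


def parse_kv(line: str) -> dict:
    """Parse 'key=value key=value' records (assumed format, not a real product's)."""
    fields = {}
    for token in line.split():
        if "=" in token:
            k, v = token.split("=", 1)
            fields[k] = v
    return fields


def domain_matches_c2(query: str) -> bool:
    """True if the queried name is a C2 domain or a subdomain of one (case-insensitive)."""
    q = query.lower().rstrip(".")
    return any(q == c2 or q.endswith("." + c2) for c2 in BATAVIA_C2)


def check_record(line_no: int, rec: dict) -> Optional[Hit]:
    kind = rec.get("type")
    if kind == "dns" and domain_matches_c2(rec.get("query", "")):
        return Hit(line_no, "high", f"DNS query for Batavia C2 {rec['query']}")
    if kind == "process":
        md5 = rec.get("md5", "").lower()
        if md5 in BATAVIA_MD5:
            return Hit(line_no, "high", f"process image hash matches {BATAVIA_MD5[md5]}")
    if kind == "mail" and VBE_RE.search(rec.get("attachment", "")):
        return Hit(line_no, "medium", f"inbound .vbe attachment {rec['attachment']}")
    return None


def scan_logs(lines) -> list:
    """Run every record through the IOC checks and return the hits in log order."""
    hits = []
    for i, line in enumerate(lines):
        hit = check_record(i, parse_kv(line))
        if hit:
            hits.append(hit)
    return hits


# Constructed sample telemetry: hostnames, paths, sender and the benign hash are made up.
SAMPLE_LOGS = [
    "type=dns host=ws17 query=oblast-ru.com",
    "type=dns host=ws17 query=updates.microsoft.com",
    "type=process host=ws17 image=C:\\Users\\ivan\\Downloads\\webview.exe md5=5CFA142D1B912F31C9F761DDEFB3C288",
    "type=process host=ws22 image=C:\\Windows\\notepad.exe md5=00000000000000000000000000000000",
    "type=mail host=mx1 attachment=приложение.vbe sender=partner@example.org",
    "type=dns host=ws22 query=ru-exchange.com",
]

if __name__ == "__main__":
    for h in scan_logs(SAMPLE_LOGS):
        print(f"line {h.line_no}: [{h.severity}] {h.reason}")
```

Hash and domain matches are rated high because they correspond to published indicators; the .vbe rule is rated medium because it describes the lure format rather than a specific sample, so it should drive review rather than an automatic block.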

Mandvi

Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.