Ethical Hacking News
A sophisticated spyware campaign known as 'Batavia' has been targeting dozens of Russian industrial enterprises through phishing emails. Researchers at Kaspersky say the operation began in July last year and increased in intensity towards the end of February 2025, with an average of 15% of victims targeted per month.
The Batavia spyware campaign is targeting dozens of large industrial enterprises in Russia, with increased intensity since January 2025. The campaign begins with an email that embeds a link disguised as a contract attachment, which downloads a malicious Visual Basic Encoded script (.VBE) file. The malware profiles the host system and sends details to the attacker’s command and control server (C2), followed by a Delphi-based malware that collects system logs and documents. A C++ data stealer (javav.exe) is downloaded, which collects additional file types, including images, presentations, emails, and archives. A fourth payload, 'windowsmsg.exe,' may be used for the next stage of the attack, but its details are unknown due to technical limitations. The targets are Russian organizations with large industrial enterprises, likely aimed at espionage on Russia's industrial activity. The campaign showcases modern threat actors' adaptability and use of legitimate email services to deliver malware.
A new player has entered the espionage game, and its name is Batavia – a sophisticated spyware campaign that has been targeting dozens of large industrial enterprises in Russia. The operation, which began no later than July last year, has been ongoing with increased intensity since January 2025, peaking towards the end of February.
According to researchers at Kaspersky, the attacks begin with an email that embeds a link disguised as a contract attachment. Clicking it downloads an archive that contains a malicious Visual Basic Encoded script (.VBE) file. When executed, this script profiles the host system and sends the details to the attacker’s command and control server (C2). The next stage is then downloaded from oblast-ru[.]com.
The second stage of the Batavia attack chain is a Delphi-based malware that displays a fake contract to the victim for diversion while collecting system logs, documents, and capturing screenshots in the background. This malware uses a hash of the first 40,000 bytes of each file to avoid redundant uploads and then fetches the third-stage payload.
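To make the deduplication trick above concrete from the analyst's side, here is an added example (not Kaspersky's code and not the malware's) that hashes only the first 40,000 bytes of each file and shows the blind spot this creates: two constructed documents sharing a 40,000-byte prefix but differing afterwards collide under the prefix hash while their full-file hashes differ. The report does not name the hash algorithm, so SHA-256 is assumed here, and the sample files are constructed for the demonstration.

```python
import hashlib
from itertools import combinations
from typing import Dict, List, Tuple

PREFIX_LEN = 40_000  # the report: the stager hashes the first 40,000 bytes of each file


def prefix_hash(data: bytes, n: int = PREFIX_LEN) -> str:
    """Hash only the first n bytes of a file (SHA-256 is an assumption; the report names no algorithm)."""
    return hashlib.sha256(data[:n]).hexdigest()


def full_hash(data: bytes) -> str:
    """Whole-file hash, used to show what the prefix hash misses."""
    return hashlib.sha256(data).hexdigest()


def dedupe_by_prefix(files: Dict[str, bytes]) -> List[str]:
    """Names a prefix-hash dedup would treat as new: first file per prefix hash wins, later ones are skipped."""
    seen = set()
    kept: List[str] = []
    for name, data in files.items():
        h = prefix_hash(data)
        if h in seen:
            continue
        seen.add(h)
        kept.append(name)
    return kept


def prefix_collisions(files: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Pairs of distinct files (different full hash) that a prefix-only hash cannot tell apart."""
    return [
        (a, b)
        for a, b in combinations(files, 2)
        if prefix_hash(files[a]) == prefix_hash(files[b]) and full_hash(files[a]) != full_hash(files[b])
    ]


def build_samples() -> Dict[str, bytes]:
    """Constructed sample 'documents': two revisions with an identical 40,000-byte header, plus an unrelated file."""
    header = (b"CONSTRUCTED-SAMPLE-HEADER " * 2000)[:PREFIX_LEN]  # exactly PREFIX_LEN bytes
    return {
        "contract_v1.docx": header + b"clause A: original wording",
        "contract_v2.docx": header + b"clause A: revised wording",  # differs only after the prefix
        "invoice.xlsx": b"unrelated constructed content",
    }


if __name__ == "__main__":
    samples = build_samples()
    print("kept by prefix dedup:", dedupe_by_prefix(samples))
    print("prefix collisions:", prefix_collisions(samples))
```

For incident responders this matters when reconstructing what was collected: a file inventory recovered from such a stager's dedup state under-counts revisions of the same document, so pair it with whole-file hashes when scoping the exposure.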
The third stage, which Kaspersky refers to as 'javav.exe,' is a C++ data stealer that collects additional file types, including images, presentations, emails, archives, spreadsheets, text files, and RTF documents. This payload broadens the data collection even further, making it one of the most comprehensive spyware operations in recent years.
Kaspersky's researchers believe there is likely a fourth payload, named 'windowsmsg.exe,' which might be used for the next stage of the attack. However, due to technical limitations, they were unable to retrieve this final piece of the puzzle.
The targets of this campaign are Russian organizations with large industrial enterprises. While the researchers have not speculated about the purpose of the campaign, its likely aim is espionage against Russia's industrial activity.
The sophistication and scale of this operation can be attributed to its use of legitimate email services to deliver malware and create a convincing cover story. It also showcases the increasing adaptability of modern threat actors.
In light of this report, we are reminded that cyber threats continue to evolve with time, making it essential for organizations to stay vigilant and implement robust security measures to protect themselves from such attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Batavia-Spyware-Campaign-A-Sophisticated-Espionage-Operation-Targeting-Russian-Industrial-Enterprises-ehn.shtml
https://www.bleepingcomputer.com/news/security/batavia-windows-spyware-campaign-targets-dozens-of-russian-orgs/
Published: Mon Jul 7 13:01:44 2025 by llama3.2 3B Q4_K_M