
Batavia Spyware Campaign Hits Dozens of Russian Organizations


A newly discovered Windows spyware campaign, called Batavia, is making waves in the cybersecurity community after being exposed by researchers at Kaspersky. The campaign, active since at least July 2024, has already targeted dozens of Russian organizations, primarily large industrial enterprises.

How the Attack Works

The Batavia campaign begins with carefully crafted phishing emails that masquerade as legitimate business correspondence, often about contracts or agreements. When a recipient clicks the link in the email, an archive is downloaded that contains a malicious .vbe file (an encoded VBScript). Opening that file is the initial stage of the infection.

Infection Initiation

  • The encoded VBScript (.vbe) file profiles the victim’s system and reports the results to a command-and-control (C2) server at oblast-ru[.]com.
  • The same script acts as a downloader for the next-stage payload.

Data Collection

  • The second stage involves a Delphi-based executable named WebView.exe.
  • This file displays a decoy document while silently collecting sensitive information such as:
    • System logs
    • Documents
    • Screenshots
  • The collected data is exfiltrated to another malicious domain, ru-exchange[.]com.
  • Persistence is established with a shortcut placed in the Windows Startup folder, so the malware is launched again at every logon.

Full Espionage Mode

  • The third-stage malware, javav.exe, is a sophisticated backdoor written in C++.
  • It enables the attackers to:
    • Exfiltrate additional files including documents, images, and email archives.
    • Receive new commands over XOR-encrypted C2 communication (XOR with a fixed key is obfuscation rather than strong encryption, and is trivially reversed once the key is recovered from the sample).
    • Deploy further malicious tools as needed.

Researchers also uncovered hints of a potential fourth stage involving an unknown executable, windowsmsg.exe, though its exact function remains unconfirmed.

Scale and Impact

Since the beginning of 2025, the Batavia campaign has accelerated, with infection peaks observed in late February. Kaspersky’s telemetry shows that over 100 users across multiple Russian organizations have been affected so far.

The attack demonstrates a high degree of sophistication and persistence, suggesting it could be part of a targeted espionage campaign rather than simple financial crime.

How to Stay Safe

Security experts recommend the following measures to defend against Batavia and similar threats:

  • Employee Training: Regularly educate staff on phishing and email-based attacks.
  • Endpoint Protection: Deploy advanced threat detection and response solutions.
  • Patch Management: Ensure systems are up to date with the latest security patches.
  • Network Monitoring: Alert on DNS queries and outbound connections to the campaign’s known domains, oblast-ru[.]com and ru-exchange[.]com, including any subdomains, and review the hosts that made them.
  • Persistence Checks: Look for unexpected shortcuts in users’ Startup folders, and for the stage executables (WebView.exe, javav.exe, windowsmsg.exe) running from user-writable locations.
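The following is an added example of how the network-monitoring advice above can be turned into a simple indicator check; it is not code from Kaspersky or from this article. It refangs the two domains named in the report, matches them (and their subdomains) against a handful of constructed, SIEM-style log lines, and also flags the three stage filenames the article lists. The log format, client IPs, paths and timestamps are invented for the example; the only indicators taken from the text are the two domains and the three executable names. Filename hits are weaker evidence than domain hits (a name like WebView.exe can be legitimate), so the output lists them separately for triage rather than treating them as confirmation.

```python
import re
from typing import Optional

# Indicators named in the article, written defanged exactly as the report prints them.
DEFANGED_DOMAINS = ["oblast-ru[.]com", "ru-exchange[.]com"]
# Stage executables named in the article (compared case-insensitively).
STAGE_FILENAMES = {"webview.exe", "javav.exe", "windowsmsg.exe"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('oblast-ru[.]com', 'hxxp://') back into a matchable form."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp", "http").lower().rstrip("."))


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def domain_matches(host: str) -> Optional[str]:
    """Return the IOC domain if host equals it or is a subdomain of it, else None.

    'cdn.oblast-ru.com' matches; 'notoblast-ru.com' and 'oblast-ru.com.example.org' do not.
    """
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Hostname-looking tokens (dotted labels ending in an alphabetic TLD) and .exe basenames.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
FILE_RE = re.compile(r"([^\\/\s]+\.exe)\b", re.I)

# Constructed sample log (hypothetical format: timestamp, client IP, event, detail).
# These lines are made up for the example; they are not real telemetry.
SAMPLE_LOG = """\
2025-02-24T09:11:58Z 10.0.5.17 DNS A ru-exchange.com
2025-02-24T09:12:03Z 10.0.5.17 GET http://oblast-ru.com/contract.zip 200
2025-02-24T09:12:40Z 10.0.5.22 GET https://www.example.com/news 200
2025-02-24T09:13:10Z 10.0.5.17 PROC C:\\Users\\user\\AppData\\Local\\Temp\\WebView.exe
2025-02-24T09:14:01Z 10.0.5.31 DNS A cdn.oblast-ru.com
2025-02-24T09:14:05Z 10.0.5.31 DNS A oblast-ru.com.example.org
2025-02-24T09:15:22Z 10.0.5.17 PROC C:\\Users\\user\\AppData\\Local\\Temp\\javav.exe
"""


def scan_log(text: str) -> list:
    """Return one hit dict per indicator observation, in log order."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        src = fields[1] if len(fields) > 1 else "?"
        for host in HOST_RE.findall(line):
            ioc = domain_matches(host)
            if ioc:
                hits.append({"line": lineno, "type": "domain", "indicator": ioc,
                             "observed": host, "src": src})
        for fname in FILE_RE.findall(line):
            if fname.lower() in STAGE_FILENAMES:
                hits.append({"line": lineno, "type": "file", "indicator": fname.lower(),
                             "observed": fname, "src": src})
    return hits


def hosts_to_triage(hits: list) -> list:
    """Distinct client IPs that produced at least one hit, sorted."""
    return sorted({h["src"] for h in hits})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"line {h['line']}: {h['type']} indicator {h['indicator']} "
              f"(observed {h['observed']}) from {h['src']}")
    print("hosts to triage:", ", ".join(hosts_to_triage(found)))
```

The subdomain test uses a leading dot so that lookalike names such as notoblast-ru.com, or the real domain used as a prefix of an unrelated one, do not fire. In a real deployment the same two functions would be fed from the proxy and DNS resolver logs rather than the embedded sample, and the triage list would be the starting point for pulling the Startup folder and process history from each flagged host.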

Final Thoughts

The emergence of Batavia underscores the ongoing evolution of cyber threats targeting high-value organizations. With its multi-stage approach and data theft capabilities, Batavia serves as a reminder that vigilance, education, and robust cybersecurity defenses are more crucial than ever.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.