Batavia Spyware Targets Employees via Weaponized Word Documents Delivering Malware Payloads
Batavia, a previously unknown spyware family, has been delivered through a targeted phishing campaign against Russian industrial organizations since July 2024.
Kaspersky researchers have identified a sharp rise in detections since early March 2025, with over 100 users across dozens of organizations falling prey to bait emails disguised as contract agreements.
These emails carry attachments or links with file names such as договор-2025-5.vbe or приложение.vbe (Russian for "contract" and "attachment"), luring employees into running a malicious script that starts a multi-stage infection chain.
The ultimate goal of Batavia is to exfiltrate sensitive internal documents and system data, posing a significant threat to organizational security.
A Sophisticated Multi-Stage Attack Campaign
The attack begins with phishing emails that trick recipients into clicking malicious links hosted on attacker-controlled domains like oblast-ru[.]com.
Clicking the link downloads an encoded VBScript file (.vbe), such as Договор-2025-2.vbe, which acts as the first-stage downloader.
The script fetches a string of 12 comma-separated parameters from a hardcoded URL; these drive its behaviour, including fingerprinting the Windows version and reporting to the attackers' command-and-control (C2) server.
If the OS matches the attackers' requirements (e.g., Windows 11), the script downloads the next payload, WebView.exe, an executable written in Delphi.
This second-stage malware displays a fake contract to maintain the ruse while stealthily collecting system logs, office documents, and screenshots, which are then sent to another C2 domain, ru-exchange[.]com.
The infection escalates to a third stage with javav.exe, a C++-based executable that expands the scope of data theft to include additional file types like images, emails, and archives.
It also introduces new capabilities, such as dynamically changing C2 servers and executing additional payloads via a UAC bypass technique, further entrenching the attackers’ foothold in the victim’s system.
Evolving Threat
What makes Batavia particularly dangerous is its evolving nature and persistence mechanisms.
Each stage carries a unique infection ID, with digits appended as the infection progresses, and the malware uses encryption and hashing of collected files to avoid exfiltrating the same data twice.
It also modifies registry keys as part of its privilege-escalation routine and drops shortcuts in the Startup folder so that it survives reboots.
Kaspersky detects the components as HEUR:Trojan.VBS.Batavia.gen and HEUR:Trojan-Spy.Win32.Batavia.gen.
As the campaign remains active into mid-2025, the potential for further damage looms large, especially given the spyware’s ability to download additional payloads, the specifics of which remain under investigation.
Organizations must adopt a multi-layered defense strategy to combat such threats.
Solutions like Kaspersky Next XDR Expert can provide robust threat hunting and incident response capabilities, while employee training through platforms like the Kaspersky Automated Security Awareness Platform is critical to reduce susceptibility to phishing.
Regular security audits and updated endpoint protection are also essential to detect and mitigate such multi-stage attacks early.
Indicators of Compromise (IoC)
| Component | Hash (MD5) | C2 domain |
|---|---|---|
| Договор-2025-2.vbe | 2963FB4980127ADB7E045A0F743EAD05 | oblast-ru[.]com |
| WebView.exe | 5CFA142D1B912F31C9F761DDEFB3C288 | ru-exchange[.]com |
| javav.exe | 03B728A6F6AAB25A65F189857580E0BD | – |
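The following triage script is an added example, not Kaspersky's tooling or anything from the campaign itself. It takes the three indicator types the article provides (the MD5s and C2 domains from the table, and the bait naming pattern from the phishing description) and runs them against a constructed endpoint hash inventory and constructed web-proxy lines, which is the first pass a responder would do across a fleet. The inventory and log formats, host names and timestamps are assumptions made for the demonstration; the indicator values are the ones published above, with the domains kept defanged until match time.

```python
"""Batavia IoC triage helper (added example; sample inputs are constructed)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# MD5s from the IoC table, lowercased so inventory hashes in any case match.
IOC_MD5: Dict[str, str] = {
    "2963fb4980127adb7e045a0f743ead05": "Договор-2025-2.vbe (stage 1 downloader)",
    "5cfa142d1b912f31c9f761ddefb3c288": "WebView.exe (stage 2)",
    "03b728a6f6aab25a65f189857580e0bd": "javav.exe (stage 3)",
}
# C2 domains as published (defanged); refanged only when compared to log data.
IOC_DOMAINS_DEFANGED = ("oblast-ru[.]com", "ru-exchange[.]com")


def refang(indicator: str) -> str:
    """Turn 'oblast-ru[.]com' back into a matchable 'oblast-ru.com'."""
    return indicator.replace("[.]", ".")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# Bait names from the article: Cyrillic 'договор' (contract) or 'приложение'
# (attachment) stem, optional suffix such as -2025-5, .vbe extension.
# re.IGNORECASE applies Unicode case folding, so 'Договор' matches too.
BAIT_RE = re.compile(r"(?:^|[\\/])(?:договор|приложение)[^\\/]*\.vbe$", re.IGNORECASE)


def is_bait_name(path: str) -> bool:
    """True for a bare name or full path whose last component looks like the bait."""
    return BAIT_RE.search(path) is not None


def host_matches_c2(host: str) -> Optional[str]:
    """Return the C2 domain matched by host (exact or subdomain), else None."""
    host = host.lower().rstrip(".")
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


@dataclass
class TriageReport:
    hash_hits: List[Tuple[str, str]] = field(default_factory=list)     # (host:path, IoC description)
    bait_paths: List[str] = field(default_factory=list)                # host:path matching BAIT_RE
    c2_contacts: List[Tuple[str, str, str]] = field(default_factory=list)  # (timestamp, client, domain)


def triage(inventory_rows: List[str], proxy_lines: List[str]) -> TriageReport:
    """inventory rows: 'host,md5,path' (assumed EDR export format);
    proxy lines: 'timestamp client method url' (assumed proxy format)."""
    report = TriageReport()
    for row in inventory_rows:
        host, md5, path = (f.strip() for f in row.split(",", 2))  # path may contain commas
        if md5.lower() in IOC_MD5:
            report.hash_hits.append((f"{host}:{path}", IOC_MD5[md5.lower()]))
        if is_bait_name(path):
            report.bait_paths.append(f"{host}:{path}")
    for line in proxy_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip it rather than abort the hunt
        ts, client, _method, url = parts[:4]
        domain = host_matches_c2(urlsplit(url).hostname or "")
        if domain:
            report.c2_contacts.append((ts, client, domain))
    return report


# Constructed sample data: host names, paths and timestamps are invented;
# the first two MD5s are the published stage 1 and stage 2 hashes, the
# others are arbitrary non-matching values.
SAMPLE_INVENTORY = [
    "WS-041,2963FB4980127ADB7E045A0F743EAD05,C:\\Users\\ivanov\\Downloads\\Договор-2025-2.vbe",
    "WS-041,5CFA142D1B912F31C9F761DDEFB3C288,C:\\Users\\ivanov\\AppData\\Local\\Temp\\WebView.exe",
    "WS-017,d41d8cd98f00b204e9800998ecf8427e,C:\\Users\\petrov\\Downloads\\приложение.vbe",
    "WS-017,0cc175b9c0f1b6a831c399e269772661,C:\\Users\\petrov\\Documents\\contract.docx",
]
SAMPLE_PROXY = [
    f"2025-03-12T09:14:22Z 10.20.30.41 GET http://{refang('oblast-ru[.]com')}/Договор-2025-2.vbe",
    f"2025-03-12T09:16:05Z 10.20.30.41 POST https://{refang('ru-exchange[.]com')}/upload",
    "2025-03-12T09:17:40Z 10.20.30.55 GET https://example.com/index.html",
    "garbage line",
]

if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY, SAMPLE_PROXY)
    for item in result.hash_hits:
        print("hash hit   :", item)
    for item in result.bait_paths:
        print("bait name  :", item)
    for item in result.c2_contacts:
        print("C2 contact :", item)
```

Hash matching alone misses the third stage if javav.exe is rebuilt, so the name heuristic and the C2 lookups are deliberately independent of it: a WS-017 style hit (bait file name, no known hash) is exactly the case that warrants pulling the file for analysis, and a proxy hit to either domain is sufficient on its own to isolate the client.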