A previously undocumented spyware called ‘Batavia’ has been targeting large industrial enterprises in Russia in a phishing email campaign that uses contract-related lures.
The researchers believe the operation has been active since at least July of last year and is ongoing. Based on telemetry data, the phishing emails delivering Batavia have reached employees at several dozen Russian organizations.
Since January 2025, the campaign has increased in intensity and peaked towards the end of February.
Percentage of victims per month
Source: Kaspersky
Batavia attack chain
Researchers at Kaspersky say that the attacks begin with an email embedding a link disguised as a contract attachment. Clicking it downloads an archive that contains a malicious Visual Basic Encoded script (.VBE) file.
When executed, the script profiles the host system and sends the details to the attacker’s command-and-control (C2) server. Then it downloads the next-stage payload, WebView.exe, from oblast-ru[.]com.
Email used in the Batavia campaign
Source: Kaspersky
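For defenders, the chain described above can be hunted by correlating three events on the same host: a Windows script host running a .vbe file, a lookup of the C2 domain, and a WebView.exe file write. The following is an added example, not code from Kaspersky's report; the event field names, the 10-minute window and the sample events are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Indicators from the article; the domain stays defanged until match time.
C2_DOMAIN = "oblast-ru[.]com"
NEXT_STAGE = "webview.exe"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows script hosts that run .vbe
WINDOW = timedelta(minutes=10)                 # assumed correlation window

def refang(ioc):
    return ioc.replace("[.]", ".").lower()

def on_domain(name, domain):
    # Exact match or subdomain only, so "notoblast-ru.com" does not match.
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def find_chain(events):
    """Map host -> ordered stages, for hosts where a .vbe launch is followed
    within WINDOW by a C2 lookup or a WebView.exe file write."""
    c2, launched, stages = refang(C2_DOMAIN), {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, ts = ev["host"], datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process":
            image = ev["image"].lower().rsplit("\\", 1)[-1]
            if image in SCRIPT_HOSTS and re.search(r"\.vbe\b", ev["cmdline"], re.I):
                launched[host] = ts
                stages.setdefault(host, ["vbe_exec"])
            continue
        start = launched.get(host)
        if start is None or ts - start > WINDOW:
            continue
        stage = None
        if ev["type"] == "dns" and on_domain(ev["query"], c2):
            stage = "c2_lookup"
        elif ev["type"] == "file" and ev["path"].lower().endswith("\\" + NEXT_STAGE):
            stage = "next_stage_drop"
        if stage and stage not in stages[host]:
            stages[host].append(stage)
    return {h: s for h, s in stages.items() if len(s) > 1}

# Constructed sample events (hypothetical schema and paths, not real telemetry).
SAMPLE = [
    {"ts": "2025-02-20T09:00:00", "host": "WS-01", "type": "process", "image": r"C:\Windows\System32\wscript.exe", "cmdline": r'wscript.exe "C:\Users\a\Downloads\contract.vbe"'},
    {"ts": "2025-02-20T09:00:05", "host": "WS-01", "type": "dns", "query": "oblast-ru.com"},
    {"ts": "2025-02-20T09:00:20", "host": "WS-01", "type": "file", "path": r"C:\Users\a\Downloads\WebView.exe"},
    {"ts": "2025-02-20T09:05:00", "host": "WS-02", "type": "process", "image": r"C:\Windows\System32\wscript.exe", "cmdline": r"wscript.exe C:\scripts\logon.vbs"},
    {"ts": "2025-02-20T09:05:03", "host": "WS-02", "type": "dns", "query": "notoblast-ru.com"},
    {"ts": "2025-02-20T09:10:00", "host": "WS-03", "type": "process", "image": r"C:\Windows\System32\cscript.exe", "cmdline": r"cscript.exe C:\admin\inventory.vbe"},
]
```

Only WS-01 is reported: WS-02 runs a plain .vbs and queries a look-alike domain, and WS-03 runs a .vbe with no follow-on activity.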