Batavia Spyware Unmasked: Covert Campaign Hits Russian Industrial & Scientific Orgs via Phishing Emails
Since July 2024, Russia has been the target of a large-scale, highly targeted cyber campaign employing a previously unknown espionage tool named Batavia. According to Kaspersky Lab, the attacks have been directed at industrial and scientific organizations, with malicious emails disguised as contract agreement requests resulting in the compromise of at least a hundred devices across dozens of companies.
The initial infection phase begins with an email containing a link to what appears to be an official document. Upon clicking the link, the recipient downloads an archive containing a VBS script disguised as a contract file. This script, encrypted using a proprietary Microsoft algorithm, functions as a dropper, retrieving twelve parameters from a remote server to initiate further execution. Depending on the version of Windows, the malware leverages either the Run() method or the alternative Navigate() method to deploy the malicious component WebView.exe.
In the second stage, the trojan’s full functionality is activated. WebView.exe, a Delphi-compiled executable, displays a counterfeit contract, collects system logs and documents, captures screenshots, and exfiltrates the data to a secondary command-and-control server. To avoid redundant data uploads, it computes FNV-1a_32 hashes of the first 40,000 bytes of each file and cross-references them against a locally stored list.
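To make the de-duplication step concrete, the following is an added example (not code from Kaspersky's report or from the malware) of a standard 32-bit FNV-1a hash applied to only the first 40,000 bytes of a file, as the article describes. It is written from the analyst's side: reproducing the same key lets an investigator interpret the locally stored list recovered from a compromised host, and it exposes the limitation of prefix hashing, namely that two versions of a document that differ only after byte 40,000 receive the same key. The `SeenFiles` class, the `PREFIX_LIMIT` name and the sample byte strings are assumptions used for illustration.

```python
FNV_OFFSET_BASIS_32 = 0x811C9DC5
FNV_PRIME_32 = 0x01000193
PREFIX_LIMIT = 40_000  # bytes hashed per file, per the article (name is ours)


def fnv1a32(data: bytes) -> int:
    """Standard 32-bit FNV-1a: XOR each byte in, then multiply by the prime, mod 2^32."""
    h = FNV_OFFSET_BASIS_32
    for b in data:
        h ^= b
        h = (h * FNV_PRIME_32) & 0xFFFFFFFF
    return h


def prefix_key(data: bytes, limit: int = PREFIX_LIMIT) -> int:
    """Dedup key over only the first `limit` bytes of a file's content."""
    return fnv1a32(data[:limit])


class SeenFiles:
    """Hypothetical model of a local 'already processed' list keyed by prefix_key.

    Used here to reason about which files such a list would treat as duplicates.
    """

    def __init__(self):
        self._keys = set()

    def is_new(self, data: bytes) -> bool:
        """True the first time a given prefix key is seen, False afterwards."""
        k = prefix_key(data)
        if k in self._keys:
            return False
        self._keys.add(k)
        return True


if __name__ == "__main__":
    # Constructed sample: two versions of a document that differ only in the tail.
    base = b"x" * PREFIX_LIMIT
    v1, v2 = base + b"revision 1", base + b"revision 2"
    print(f"fnv1a32('') = {fnv1a32(b''):#010x}")          # offset basis
    print(f"same key for v1/v2: {prefix_key(v1) == prefix_key(v2)}")
    seen = SeenFiles()
    print(seen.is_new(v1), seen.is_new(v2))               # True False
```

The practical caveat for incident responders: a prefix-keyed list of this kind records which documents were already taken, but a later edit that only changes the tail of a long file would not be seen as a new item, so the list cannot be read as a complete inventory of every version that was present.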
Additionally, WebView.exe downloads and installs a new module, javav.exe, into the system’s startup. This C++ component broadens the scope of data collection to include images, presentations, emails, and archives. Although it transmits the data to the same server, it utilizes a modified identifier reflecting the current infection stage.
Beyond data collection, the third phase facilitates command server rotation and the deployment of further malicious payloads. One notable technique employed for privilege escalation involves bypassing User Account Control (UAC) via the computerdefaults.exe utility. While the next-stage payload windowsmsg.exe was not observed during analysis, it is presumed to contain more advanced malicious capabilities.
Batavia is distinguished by its modular architecture, unique infection identifiers for each stage, and a flexible payload delivery mechanism. The primary command-and-control domains are:
oblast-ru[.]com
ru-exchange[.]com
The associated file hashes are as follows:
2963FB4980127ADB7E045A0F743EAD05 (dogovor-2025-2.vbe)
5CFA142D1B912F31C9F761DDEFB3C288 (webview.exe)
03B728A6F6AAB25A65F189857580E0BD (javav.exe)
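The indicators above are the ones a defender can act on immediately. The following is an added example (not part of the report) of how to refang the domains and match them, together with the file hashes, against local telemetry. The DNS log format, the client addresses and the file list are constructed samples; the subdomain check is deliberately a suffix match rather than a substring search so that an unrelated internal name containing the indicator text does not produce a false hit.

```python
import re

# Indicators published for the Batavia campaign, copied defanged from the article.
C2_DOMAINS_DEFANGED = ["oblast-ru[.]com", "ru-exchange[.]com"]
FILE_HASHES_MD5 = {
    "2963fb4980127adb7e045a0f743ead05": "dogovor-2025-2.vbe",
    "5cfa142d1b912f31c9f761ddefb3c288": "webview.exe",
    "03b728a6f6aab25a65f189857580e0bd": "javav.exe",
}


def refang(domain: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into a matchable hostname."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


C2_DOMAINS = [refang(d) for d in C2_DOMAINS_DEFANGED]


def domain_matches(name: str, iocs=C2_DOMAINS) -> bool:
    """True if name is exactly an IOC domain or a subdomain of one (suffix match)."""
    name = name.lower().rstrip(".")
    return any(name == ioc or name.endswith("." + ioc) for ioc in iocs)


# Constructed sample DNS log (hypothetical format: timestamp client 'query' name).
SAMPLE_DNS_LOG = """\
2025-07-08T09:12:01Z 10.0.4.17 query www.example.org
2025-07-08T09:12:44Z 10.0.4.17 query oblast-ru.com
2025-07-08T09:13:02Z 10.0.7.3 query cdn.ru-exchange.com
2025-07-08T09:13:30Z 10.0.7.3 query ru-exchange.com.internal.corp
"""

DNS_LINE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)$")


def find_domain_hits(log_text: str):
    """Return (timestamp, client, queried_name) for every lookup of a C2 domain."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, qname = m.groups()
        if domain_matches(qname):
            hits.append((ts, client, qname))
    return hits


def find_hash_hits(observed: dict):
    """observed maps file path -> MD5 hex; return [(path, indicator_name)] for known hashes."""
    return [(path, FILE_HASHES_MD5[h.lower()])
            for path, h in observed.items() if h.lower() in FILE_HASHES_MD5]


# Constructed sample inventory: one path carries a published hash, one does not.
SAMPLE_FILES = {
    r"C:\Users\alice\Downloads\dogovor-2025-2.vbe": "2963FB4980127ADB7E045A0F743EAD05",
    r"C:\Windows\System32\notepad.exe": "00000000000000000000000000000000",
}

if __name__ == "__main__":
    for hit in find_domain_hits(SAMPLE_DNS_LOG):
        print("DNS hit:", hit)
    for hit in find_hash_hits(SAMPLE_FILES):
        print("hash hit:", hit)
```

The fourth sample line shows why the suffix check matters: `ru-exchange.com.internal.corp` contains the indicator text but is not a subdomain of it and is correctly ignored. Hash comparison is case-insensitive because tools emit MD5 in either case.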
Investigators have confirmed that the phishing campaign remains active. The thematic structure of the emails has remained largely unchanged since the operation began, while each embedded link is uniquely crafted for its recipient—complicating efforts to map the campaign’s full scale.
According to Kaspersky Lab, over 100 employees across various Russian enterprises have received the malicious messages. The campaign’s primary objective appears to be the theft of internal documentation and the surveillance of user activity.
Experts emphasize the critical importance of regular employee training to enhance resistance to phishing attempts. Moreover, the implementation of advanced threat detection and automated response systems is strongly recommended. Batavia serves as a striking example of how a seemingly simple phishing message can evolve into a sophisticated, multi-stage assault deeply embedded within corporate infrastructure.