New 'Batavia' spyware campaign targets Russian industrial enterprises
Farah Amod
Jul 22, 2025 12:41:42 PM

A stealthy phishing campaign using contract-themed lures has infected dozens of Russian organizations with multi-stage spyware since mid-2024.
What happened
A previously unknown spyware strain named Batavia is being used in an active phishing campaign aimed at industrial companies in Russia. According to BleepingComputer, the campaign has been ongoing since at least July 2024 and ramped up significantly in early 2025. Emails disguised as contract notifications have been sent to employees across dozens of Russian organizations, tricking them into downloading malicious files that trigger the spyware installation.
Going deeper
The attack begins with a phishing email that contains a link to a fake contract. This link downloads an archive file containing a Visual Basic Encoded (.VBE) script. Once executed, the script collects system information and sends it to a command-and-control (C2) server. It then fetches and installs a second-stage payload, WebView.exe, which opens a fake document to distract the user while silently gathering system logs, files, and screenshots.
The data is sent to a different server, using file hashing to avoid redundant uploads. The malware then downloads a third-stage payload, javav.exe, a C++ tool that collects even more data types, including images, emails, spreadsheets, and archives. It also ensures persistence by adding itself to the system startup.
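The staging chain described above (an encoded VBScript first stage, followed by WebView.exe and javav.exe) is the kind of parent/child pattern that process-creation telemetry can surface. The following is an added example written for this article, not code from the article or from the researchers who analysed Batavia: it walks a constructed set of process events, flags any process launched from a .vbe script, and flags executables that descend from such a launch or carry the stage names the article gives. The event fields, the paths, and the use of wscript.exe as the script host are assumptions; the article names only the .vbe script and the two executables.

```python
"""Flag a Batavia-style staging chain in process-creation events.

Added illustration for the article above; the event schema, file paths and
the wscript.exe host are assumed, not reported. The indicators that are on the
page: a .vbe first stage, then WebView.exe and javav.exe.
"""
import os
import re
from dataclasses import dataclass

# Stage binaries named in the article (matched case-insensitively).
STAGE_BINARIES = {"webview.exe", "javav.exe"}
# A .vbe script reference that ends a token (handles quoted paths with spaces).
VBE_RE = re.compile(r"\.vbe(?=[\"'\s]|$)", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full image path of the new process
    cmdline: str   # command line as logged


def _basename(path: str) -> str:
    return os.path.basename(path.replace("\\", "/")).lower()


def is_vbe_launch(ev: ProcEvent) -> bool:
    """True when the command line references an encoded VBScript file."""
    return VBE_RE.search(ev.cmdline) is not None


def find_staging_chains(events):
    """Return [(pid, image basename, [reasons])] for suspicious events."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        reasons = []
        if is_vbe_launch(ev):
            reasons.append("encoded VBScript (.vbe) launched")
        name = _basename(ev.image)
        if name in STAGE_BINARIES:
            reasons.append(f"known stage binary {name}")
        # An executable whose ancestry contains a .vbe launch matches the
        # second/third-stage drop pattern; walk at most 8 ancestors.
        cur, depth = by_pid.get(ev.ppid), 0
        while cur is not None and depth < 8:
            if is_vbe_launch(cur):
                reasons.append(f"descends from .vbe launch (pid {cur.pid})")
                break
            cur, depth = by_pid.get(cur.ppid), depth + 1
        if reasons:
            findings.append((ev.pid, name, reasons))
    return findings


def sample_events():
    """Constructed telemetry: one infected chain plus one benign sibling."""
    return [
        ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
        ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
                  r'wscript.exe "C:\Users\u\Downloads\contract 2025.vbe"'),
        ProcEvent(300, 200, r"C:\Users\u\AppData\Local\Temp\WebView.exe",
                  "WebView.exe"),
        ProcEvent(400, 300, r"C:\Users\u\AppData\Local\Temp\javav.exe",
                  "javav.exe"),
        ProcEvent(500, 100, r"C:\Windows\System32\notepad.exe",
                  "notepad.exe report.txt"),
    ]


if __name__ == "__main__":
    for pid, name, reasons in find_staging_chains(sample_events()):
        print(pid, name, "; ".join(reasons))
```

The name match alone is weak (an operator can rename a payload), which is why the ancestry check carries most of the weight: any executable that descends from a script host running a .vbe file from a user-writable directory deserves a look regardless of what it is called.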
What was said
BleepingComputer did not assign attribution or speculate on the operators behind Batavia. However, the nature of the data collected and the targeting of industrial organizations suggest that the campaign could be part of an espionage operation. No ransomware or monetary demands have been observed, and no group has claimed responsibility for the campaign.
The big picture
The Batavia campaign reveals how cyber-espionage operations are using multi-stage payloads, system profiling, and targeted data collection to improve efficiency and reduce the chance of detection. The use of contract-related lures and a focus on Russian industrial entities point to a deliberate effort to access sensitive networks without triggering early warnings. Delivery methods and payload staging continue to evolve in ways that challenge traditional security tools, requiring more adaptive detection and response strategies.
FAQs
What makes multi-stage malware like Batavia more effective than single-payload attacks?
Multi-stage attacks allow threat actors to gradually deploy components, reducing the risk of detection and enabling precise control over the malware's behavior on compromised systems.
How do attackers use hashing to manage data theft more efficiently?
Batavia uses a hash of the first 40,000 bytes of each file to avoid uploading duplicates, saving bandwidth and minimizing the volume of suspicious outbound traffic.
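For an analyst assessing exposure, the useful consequence of prefix hashing is its blind spot: two files whose first 40,000 bytes agree are treated as one, so a revised document that differs only beyond that window is never collected a second time, and a copy under another name is skipped entirely. The following added example (written for this article; not code from the article or from the malware analysis) models that behaviour on constructed file contents. The hash algorithm is an assumption, since the article does not say which one Batavia uses; SHA-256 is used here.

```python
"""Model prefix-hash deduplication over a set of files.

Added illustration for the article above. Only the 40,000-byte window is
reported; the hash algorithm (SHA-256 here) and the sample files are assumed.
"""
import hashlib

PREFIX_LEN = 40_000  # the window reported in the article


def prefix_hash(data: bytes, n: int = PREFIX_LEN) -> str:
    """Hash only the first n bytes of a file's content."""
    return hashlib.sha256(data[:n]).hexdigest()


def dedupe_by_prefix(files):
    """Split files into (selected, skipped) using prefix hashes.

    files: dict of name -> bytes, iterated in insertion order.
    selected: names whose prefix hash was not seen before.
    skipped: (name, earlier name with the same prefix hash) pairs.
    """
    seen = {}
    selected, skipped = [], []
    for name, data in files.items():
        h = prefix_hash(data)
        if h in seen:
            skipped.append((name, seen[h]))
        else:
            seen[h] = name
            selected.append(name)
    return selected, skipped


def sample_files():
    """Constructed contents chosen to exercise the 40,000-byte boundary."""
    base = b"A" * 50_000
    return {
        "doc_v1.docx": base,
        "doc_v1_copy.docx": base,                     # exact duplicate
        "doc_v2.docx": base + b"\nrevised appendix",  # differs only past 40 KB
        "notes.txt": b"short file",                   # shorter than the window
        "other.docx": b"B" + b"A" * 49_999,           # differs in byte 0
    }


def exposure_set(files, collected):
    """Names an analyst should treat as exposed: every file whose first
    40,000 bytes match a file known to have been collected."""
    collected_hashes = {prefix_hash(files[c]) for c in collected}
    return sorted(n for n, d in files.items()
                  if prefix_hash(d) in collected_hashes)


if __name__ == "__main__":
    sel, skip = dedupe_by_prefix(sample_files())
    print("uploaded once:", sel)
    print("skipped as duplicates:", skip)
    print("treat as exposed:", exposure_set(sample_files(), sel))
```

The practical reading for incident response is the last function: a list of collected files understates the exposure, because doc_v2.docx shares a prefix hash with doc_v1.docx and would not appear in the upload set even though its content was available to the implant.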
Why do threat actors often use contract-themed phishing lures?
Contract-related emails are common in corporate environments and often bypass user suspicion, making them an effective delivery mechanism for malware in professional settings.
What is the role of persistence mechanisms in spyware campaigns?
By adding itself to the startup, Batavia ensures it continues to operate and collect data even after system restarts, increasing the chance of prolonged access.
Could a fourth-stage payload change the campaign’s impact?
Yes. If the fourth-stage payload, Windowsmsg.exe, contains more advanced features or control mechanisms, it could escalate the campaign’s purpose, possibly enabling broader surveillance or remote system manipulation.