A previously undocumented spyware and adware known as 'Batavia' has been targeting large industrial enterprises in Russia in a phishing email campaign that uses contract-related lures.
The researchers believe the operation has been active since at least July of last year and is ongoing. Based on telemetry data, the phishing emails delivering Batavia have reached employees at several dozen Russian organizations.
Since January 2025, the campaign has increased in intensity and peaked towards the end of February.

Source: Kaspersky
Batavia attack chain
Researchers at Kaspersky say that the attacks begin with an email embedding a link disguised as a contract attachment. Clicking it downloads an archive that contains a malicious Visual Basic Encoded script (.VBE) file.
When executed, the script profiles the host system and sends the details to the attacker's command and control server (C2). Then it downloads the next-stage payload, WebView.exe, from oblast-ru[.]com.

Source: Kaspersky
The second stage is a Delphi-based malware that displays a fake contract to the victim as a diversion while collecting system logs and documents and capturing screenshots in the background.
The collected data is then exfiltrated to ru-exchange[.]com, while the malware uses a hash of the first 40,000 bytes of each file to avoid redundant uploads.
Finally, it fetches the third-stage payload, 'javav.exe,' a C++ data stealer, and adds a startup shortcut to execute it on OS boot.
The final payload expands the data collection even more, targeting more file types (images, presentations, emails, archives, spreadsheets, TXTs, and RTFs).
Kaspersky notes in the report that there is likely a fourth payload, named 'windowsmsg.exe', likely used for the next stage of the attack, but the researchers could not retrieve it.
The researchers haven't speculated about the goal of the campaign, but the targets combined with Batavia's capabilities might indicate an espionage operation on Russia's industrial activity.
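The indicators in the chain described above (the .VBE launch, the two domains, the payload file names and the startup shortcut) can be combined into a simple host-level hunt. This is an added example, not code from Kaspersky or the article; the event field names, host names, file paths and sample events are constructed assumptions.

```python
# Indicators named in the article (domains refanged for matching).
C2_DOMAINS = {"oblast-ru.com", "ru-exchange.com"}
PAYLOAD_NAMES = {"webview.exe", "javav.exe", "windowsmsg.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def is_c2(host):
    """Match a C2 domain or its subdomains, but not look-alike suffixes."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)

def classify(ev):
    """Return the indicator labels one event matches."""
    hits = []
    if ev["type"] == "process":
        image = ev["image"].lower().rsplit("\\", 1)[-1]
        if image in SCRIPT_HOSTS and ".vbe" in ev.get("cmdline", "").lower():
            hits.append("vbe-script-run")
        if image in PAYLOAD_NAMES:
            hits.append("payload-name:" + image)
    elif ev["type"] == "dns" and is_c2(ev["query"]):
        hits.append("c2-dns")
    elif ev["type"] == "file_create":
        path = ev["path"].lower()
        if "\\startup\\" in path and path.endswith(".lnk"):
            hits.append("startup-shortcut")
    return hits

def hunt(events):  # collect hits per host, in event order
    per_host = {}
    for ev in events:
        for hit in classify(ev):
            per_host.setdefault(ev["host"], []).append(hit)
    return per_host

def suspect_hosts(per_host, minimum=2):
    """File names alone are weak; require several distinct indicators."""
    return sorted(h for h, hits in per_host.items() if len(set(hits)) >= minimum)

# Constructed sample events; the field names are assumptions, not a real EDR schema.
SAMPLE = [
    {"host": "WS-014", "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\contract.vbe"'},
    {"host": "WS-014", "type": "dns", "query": "oblast-ru.com"},
    {"host": "WS-014", "type": "process", "image": r"C:\Users\u\AppData\Local\Temp\WebView.exe"},
    {"host": "WS-014", "type": "dns", "query": "files.ru-exchange.com."},
    {"host": "WS-014", "type": "file_create",
     "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\j.lnk"},
    {"host": "WS-020", "type": "process", "image": r"C:\Program Files\Vendor\WebView.exe"},
    {"host": "WS-031", "type": "dns", "query": "notoblast-ru.com"},
]
```

A host that only runs a binary called WebView.exe (WS-020 in the sample) is recorded but not escalated, since that name on its own is not distinctive.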