Batavia Spyware Targets Russian Firms in Sophisticated Phishing Campaign


New Wave of Corporate Espionage in Russia

A new wave of targeted cyberattacks has been hitting Russian industrial enterprises since mid-2024, continuing into 2025. The malware, named Batavia spyware, operates through a contract-themed phishing campaign that deceives corporate employees into opening malicious attachments or links. Once activated, the spyware infiltrates internal systems to extract sensitive documents, images, emails, and other intellectual property. Developed with multiple stages and written in different programming languages, Batavia exhibits a level of modular sophistication aimed at stealth, persistence, and comprehensive data exfiltration.

Cybersecurity researchers at Kaspersky discovered the ongoing threat and traced the infection method to fake .vbe files labeled as contracts or attachments—designed to lure unsuspecting employees. This multi-layered malware campaign uses customized email lures and cleverly evades detection through encryption, dynamic payload delivery, and careful data hashing techniques to avoid redundant uploads.

The Attack Campaign

Since March 2025, Russian cybersecurity firm Kaspersky has observed a rising number of targeted phishing emails aimed at corporate users within Russian industrial sectors. The emails come disguised as official messages requesting contract signings, embedding malicious .vbe files with filenames like dogovor.vbe (“contract”) and prilozhenie.vbe (“attachment”). These scripts, once opened, trigger the first stage of malware execution.

The initial script gathers OS-level system information and then downloads a file named WebView.exe, written in Delphi. This file presents a fake contract interface but secretly begins collecting system data, documents, and screenshots. All collected materials are sent to a command-and-control (C2) server, with hashed identifiers to avoid redundancy.

Later, javav.exe, a C++ executable, is introduced to enhance data theft capabilities. This version targets a broader range of file types including archives, emails, and images. It also sets up persistence mechanisms via Windows startup folders and bypasses User Account Control (UAC) by abusing computerdefaults.exe. The final payload, windowsmsg.exe, is downloaded through this backdoor channel, allowing attackers to keep evolving the malware.
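The infection chain described above gives a defender four observable behaviours: a script host running an encoded VBScript attachment, the executable names Kaspersky reported, computerdefaults.exe spawning a child process, and an executable dropped into a Startup folder. The following Python script is an added example, not code from the article or from Kaspersky; it encodes those behaviours as simple detection rules and runs them over constructed process and file events. The event dictionary layout, field names, user paths and the severity labels are assumptions made for the example; only the filenames come from the article.

```python
"""Detection rules for the Batavia-style behaviours reported in the article.

Added example (not code from Kaspersky or the article). The event format
below is a simplified, constructed one; in practice you would map the
corresponding EDR or Sysmon fields onto the same keys.
"""
import re
from pathlib import PureWindowsPath

# Filenames named in the article. A name alone is a weak indicator, so the
# name-based rule reports lower severity than the behavioural rules.
BATAVIA_LURE_SCRIPTS = {"dogovor.vbe", "prilozhenie.vbe"}
BATAVIA_PAYLOADS = {"webview.exe", "javav.exe", "windowsmsg.exe"}

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Per-user and all-users Startup folders share this path suffix.
STARTUP_RE = re.compile(r"\\microsoft\\windows\\start menu\\programs\\startup\\", re.I)
VBE_ARG_RE = re.compile(r'["\s]([^"\s]+\.vbe)\b', re.I)


def _name(path):
    """Lower-cased final component of a Windows path."""
    return PureWindowsPath(path).name.lower()


def analyze_event(event):
    """Return a list of (severity, rule, detail) tuples for one event.

    event: dict with 'type' in {'process', 'file'}. Process events carry
    'image', 'parent_image' and 'command_line'; file events carry 'image'
    (the writing process) and 'target_path'. (Constructed schema.)
    """
    findings = []
    if event["type"] == "process":
        image = _name(event["image"])
        parent = _name(event["parent_image"])
        cmd = event.get("command_line", "")
        # Rule 1: script host executing a .vbe file (first stage in the article).
        vbe = VBE_ARG_RE.search(cmd)
        if image in SCRIPT_HOSTS and vbe:
            script = _name(vbe.group(1))
            sev = "high" if script in BATAVIA_LURE_SCRIPTS else "medium"
            findings.append((sev, "vbe_script_execution", script))
        # Rule 2: computerdefaults.exe spawning a child (UAC bypass abuse in the article).
        if parent == "computerdefaults.exe":
            findings.append(("high", "computerdefaults_child_process", image))
        # Rule 3: payload filenames reported by Kaspersky (weak, name-only match).
        if image in BATAVIA_PAYLOADS:
            findings.append(("medium", "known_payload_name", image))
    elif event["type"] == "file":
        # Rule 4: runnable file dropped into a Startup folder (persistence in the article).
        target = event["target_path"]
        if STARTUP_RE.search(target) and _name(target).endswith((".exe", ".lnk", ".vbe", ".vbs")):
            findings.append(("high", "startup_folder_persistence", _name(target)))
    return findings


def analyze(events):
    """Run every rule over a sequence of events; prefix each finding with its index."""
    results = []
    for i, ev in enumerate(events):
        for f in analyze_event(ev):
            results.append((i,) + f)
    return results


# Constructed sample events (not a real capture); they replay the chain from the article.
SAMPLE_EVENTS = [
    {"type": "process", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\ivan\Downloads\dogovor.vbe"'},
    {"type": "process", "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\ivan\AppData\Local\Temp\WebView.exe",
     "command_line": r'"C:\Users\ivan\AppData\Local\Temp\WebView.exe"'},
    {"type": "process", "parent_image": r"C:\Windows\System32\computerdefaults.exe",
     "image": r"C:\Users\ivan\AppData\Local\Temp\javav.exe",
     "command_line": r'"C:\Users\ivan\AppData\Local\Temp\javav.exe"'},
    {"type": "file", "image": r"C:\Users\ivan\AppData\Local\Temp\javav.exe",
     "target_path": r"C:\Users\ivan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\javav.exe"},
    # Benign event that should produce no finding.
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Rules 1, 2 and 4 key on behaviour rather than on filenames, so they keep firing when the next variant renames its scripts and payloads; the name-only rule 3 is kept at medium severity for exactly that reason. The .vbe rule reports a lower severity for names not in the article's list, because legitimate administrative scripts may also be encoded VBScript.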

The phishing emails appear customized per recipient to manage infection timing and payload delivery effectively. Over 100 users across several dozen Russian organizations have been affected so far.

What Undercode Says:

The Batavia spyware campaign highlights a resurgence in sophisticated, region-specific cyber espionage. The use of social engineering, specifically themed around business contracts, taps into a universally trusted context within corporate settings. This isn’t just opportunistic phishing—it’s a strategically engineered cyber weapon targeting national industrial infrastructure.

Key takeaways from the campaign show a disturbing evolution in malware architecture. Unlike standard info-stealers, Batavia is modular, persistent, and adaptive. Each stage of the infection is written in a different programming language—VBScript, Delphi, and C++—a rare sign of layered specialization. This tactic likely helps evade automated detection systems trained to spot specific language patterns.

Moreover, the attackers’ ability to hash stolen files before exfiltration is a smart move to maximize stealth and efficiency, avoiding duplicate uploads and reducing bandwidth footprints. The ability to change command-and-control servers mid-operation is another red flag pointing to nation-state-level planning or funding.

The use of UAC bypasses via native system utilities like computerdefaults.exe also mirrors Advanced Persistent Threat (APT) behavior, indicating long-term access goals rather than short-term gain. This is not a ransomware-style cash grab—it’s a prolonged intelligence-gathering mission.

The fact that phishing remains the entry point into such complex systems should alarm IT departments across the globe. Despite decades of awareness training, email-based attacks still succeed. It speaks volumes about the need for cultural change within organizations, not just technological defenses. Enterprises need to integrate continuous phishing simulations, zero-trust network designs, and endpoint detection & response (EDR) systems capable of tracking lateral movement post-compromise.

Lastly, the localization of filenames (e.g., using Russian words for “contract”) shows that this operation was not just technically sound, but culturally aware. It knew its targets inside and out—a tactic we often associate with cyber-mercenary groups or state-sponsored actors.

šŸ” Fact Checker Results:

✅ Verified: Kaspersky confirmed detections of malware using .vbe files themed around contract names.
✅ Verified: Malware payloads written in Delphi and C++ with modular infection stages.
❌ Not Verified: No public attribution to a specific threat actor or nation-state has been officially made yet.

📊 Prediction:

Given the structure and scope of Batavia, we can expect a broader targeting pattern across Eastern Europe and possibly critical infrastructure sectors like energy, logistics, and aerospace. The malware’s modularity suggests it will evolve with new payloads, possibly integrating credential theft or lateral movement exploits. We anticipate new variants to surface disguised under different document themes—like invoices, legal notices, or government communications—especially if the original campaign garners success.

Governments and large enterprises should prepare for copycat versions of Batavia as its methods become commoditized within underground markets. Expect also increased policy discussions in Russia about internal email hygiene and stricter firewall rules for industrial endpoints.

References:

Reported By: securityaffairs.com