Batavia Spyware Targets Employees via Weaponized Word Documents Delivering Malware Payloads
Batavia, an unidentified spyware, has been using a sophisticated phishing operation to target Russian industrial organizations since July 2024.
Kaspersky researchers have identified a sharp rise in detections since early March 2025, with over 100 users across dozens of organizations falling prey to bait emails disguised as contract agreements.
These emails, often containing file names like договор-2025-5.vbe or приложение.vbe (translating to “contract” or “attachment”), lure employees into downloading malicious scripts that initiate a multi-stage infection process.
The ultimate goal of Batavia is to exfiltrate sensitive internal documents and system data, posing a significant threat to organizational security.
A Sophisticated Multi-Stage Attack Campaign
The attack begins with phishing emails that trick recipients into clicking malicious links hosted on attacker-controlled domains like oblast-ru[.]com.

Upon clicking, users download an encrypted VBS script, such as Договор-2025-2.vbe, which acts as a downloader.
This ...
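A defender can hunt for the download step described above in web proxy logs. The following is an added example, not code from the article or from Kaspersky: it flags requests to the domain named in the article and requests whose file name ends in `.vbe`. The log format, sample lines, hosts other than the article's domain, and the extra `.vbs` extension are assumptions.

```python
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Domain named in the article; stored defanged, refanged only at runtime.
IOC_DOMAINS = {"oblast-ru[.]com".replace("[.]", ".")}
# .vbe is the extension the article names; .vbs is added here as an assumption.
SCRIPT_EXTS = (".vbe", ".vbs")

def classify(url):
    """Return the reasons a requested URL is suspicious (empty list if none)."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:  # malformed URL in the log
        return []
    reasons = []
    if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
        reasons.append("ioc-domain")
    # Candidate file names: last path segment plus query values, percent-decoded
    # so Cyrillic names and mixed-case extensions compare correctly.
    names = [unquote(parts.path).rsplit("/", 1)[-1]]
    names += [value for _, value in parse_qsl(parts.query)]
    if any(n.rstrip(" .").casefold().endswith(SCRIPT_EXTS) for n in names):
        reasons.append("script-download")
    return reasons

def scan(log_text):
    """Return (client, reasons) per suspicious line; fields: time client method url status."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and (reasons := classify(fields[3])):
            hits.append((fields[1], reasons))
    return hits

# Constructed sample log lines (paths, hosts and clients are made up).
SAMPLE_LOG = "\n".join([
    f"2025-03-04T09:12:01Z 10.0.0.15 GET http://{next(iter(IOC_DOMAINS))}/files/{quote('Договор-2025-2.vbe')} 200",
    "2025-03-04T09:13:40Z 10.0.0.22 GET https://intranet.example/docs/contract-2025.pdf 200",
    f"2025-03-04T09:15:02Z 10.0.0.31 GET https://files.example/get?name={quote('приложение.VBE')} 200",
])

if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG):
        print(client, ",".join(reasons))
```

Matching on the decoded name matters here because the bait file names are Cyrillic and appear percent-encoded in most proxy logs.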
Copyright of this story solely belongs to gbhackers.