A sophisticated cyberattack campaign, first detected in July 2024 and continuing into 2025, has put Russian industrial enterprises on high alert.
Security researchers have identified a series of phishing emails that deliver malicious files disguised as official documents. The files are encoded VBScript (.vbe) scripts rather than Word documents, carrying Russian names such as договор-2025-5.vbe (“contract”) and приложение.vbe (“attachment”).
When an unsuspecting employee opens one of these lures, a multi-stage spyware, now dubbed “Batavia,” is unleashed to harvest sensitive documents and internal data.
Technical Details – Three-Stage Infection Chain
The Batavia attack relies on a well-crafted and persistent social engineering strategy. Victims receive emails from addresses associated with the malicious domain oblast-ru[.]com, urging them to review or sign an urgent contract.
The “document” is in fact a link that downloads an encoded VBScript (.vbe) file.
Stage One: VBS Downloader Script
Upon execution, the VBS script connects to the attackers’ server, retrieves system information, and downloads an executable named WebView.exe (MD5: 5CFA142D1B912F31C9F761DDEFB3C288).
The downloader also checks the OS version to choose the appropriate execution path, and creates a decoy file to mask its activity.

Stage Two: WebView.exe Spy Module
WebView.exe, written in Delphi, masquerades as a legitimate application window while silently exfiltrating files and system logs and periodically capturing screenshots. It transmits the stolen data to another attacker-controlled domain, ru-exchange[.]com.
To ensure persistence, WebView.exe arranges for a follow-up module, Javav.exe, to run after the next system reboot.
Stage Three: Advanced Data Theft and C2 Communication
Javav.exe (MD5: 03B728A6F6AAB25A65F189857580E0BD), built in C++, expands its file-stealing reach to include office documents, spreadsheets, emails, images, and archives.
It can also receive and execute further malicious payloads via encrypted instructions from the attacker’s C2 infrastructure, employing techniques to bypass standard user account control (UAC) protections.
Widespread Impact and Recommendations
Kaspersky telemetry indicates that the campaign has targeted over 100 devices across dozens of Russian organizations. The attackers’ infrastructure assigns changing identifiers to each infection in order to track it, which also makes network traffic harder to correlate and detect.
To defend against such threats, experts recommend implementing comprehensive endpoint security, conducting regular threat hunting, and providing ongoing employee cybersecurity training.
Organizations should prioritize phishing awareness, as malicious emails disguised as official business communications remain the primary infection vector.
Indicators of compromise include:
- Malicious file hashes (MD5):
  - Договор-2025-2.vbe: 2963FB4980127ADB7E045A0F743EAD05
  - WebView.exe: 5CFA142D1B912F31C9F761DDEFB3C288
  - Javav.exe: 03B728A6F6AAB25A65F189857580E0BD
- Command-and-control domains: oblast-ru[.]com, ru-exchange[.]com
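The indicators above are only useful once they are turned into a hunt. The script below is an added example (not Kaspersky's tooling and not code from the original report): it sweeps a directory tree for the published MD5 hashes and for script files carrying document-style lure names, and scans a proxy log for contacts with the two C2 domains. The directory layout, the proxy log format, and every sample file and log line are constructed assumptions for the demo; only the hashes, domains and lure words come from the page.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# IoCs as listed on the page (hashes lower-cased, domains kept defanged as published)
BATAVIA_MD5 = {
    "2963fb4980127adb7e045a0f743ead05": "Договор-2025-2.vbe (stage 1 VBE downloader)",
    "5cfa142d1b912f31c9f761ddefb3c288": "WebView.exe (stage 2)",
    "03b728a6f6aab25a65f189857580e0bd": "Javav.exe (stage 3)",
}
BATAVIA_DOMAINS_DEFANGED = ("oblast-ru[.]com", "ru-exchange[.]com")

# Script types that Windows Script Host runs on double-click; a "contract" should never be one
SCRIPT_EXTENSIONS = {".vbe", ".vbs", ".js", ".jse", ".wsf", ".hta"}
# Lure words used in this campaign's file names (Russian for "contract" and "attachment")
LURE_WORDS = ("договор", "приложение")

# Assumed proxy log layout: "<timestamp> <source-ip> <METHOD> <url-or-host:port>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)")


def refang(domain: str) -> str:
    """Turn the page's defanged notation (oblast-ru[.]com) back into a matchable host name."""
    return domain.replace("[.]", ".").lower()


def host_of(target: str) -> str:
    """Extract the host from a full URL or from a CONNECT-style host:port target."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.split(":", 1)[0].lower()


def matches_domain(host: str, domains) -> bool:
    """Exact match or subdomain match; 'ru-exchange.com.evil.test' must NOT match."""
    return any(host == d or host.endswith("." + d) for d in domains)


def md5_of_file(path: Path) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_files(root, hashes=BATAVIA_MD5):
    """Walk a tree; flag known hashes and script files whose names mimic documents."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        digest = md5_of_file(p)
        name = p.name.lower()
        if digest in hashes:
            findings.append((str(p), "md5 match: " + hashes[digest]))
        elif p.suffix.lower() in SCRIPT_EXTENSIONS and any(w in name for w in LURE_WORDS):
            findings.append((str(p), "script file with document-style lure name"))
    return findings


def hunt_proxy_log(lines, domains_defanged=BATAVIA_DOMAINS_DEFANGED):
    """Return (timestamp, source, host) for every request to a Batavia C2 domain."""
    domains = [refang(d) for d in domains_defanged]
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        host = host_of(m["target"])
        if matches_domain(host, domains):
            hits.append((m["ts"], m["src"], host))
    return hits


# Constructed sample proxy log (not real telemetry): one benign request between two C2 contacts
SAMPLE_PROXY_LOG = """\
2025-07-03T10:12:44Z 10.0.5.17 GET http://oblast-ru.com/download?id=7f3a
2025-07-03T10:12:51Z 10.0.5.17 GET https://update.example.com/check
2025-07-03T10:14:02Z 10.0.5.17 CONNECT ru-exchange.com:443
""".splitlines()


def run_demo():
    """Build a throwaway directory of constructed files and run both hunts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "договор-2025-7.vbe").write_bytes(b"WScript.Echo 1")       # lure-named script
        (root / "quarterly-report.docx").write_bytes(b"PK benign content")  # benign document
        sample = root / "WebView.exe"
        sample.write_bytes(b"constructed stand-in for the stage-2 binary")  # not the real sample
        # The real hash cannot be reproduced offline, so the stand-in's digest is added
        # to the hash set purely to exercise the hash-match path of hunt_files().
        hashes = {**BATAVIA_MD5, md5_of_file(sample): "WebView.exe (constructed stand-in)"}
        file_hits = hunt_files(root, hashes)
    log_hits = hunt_proxy_log(SAMPLE_PROXY_LOG)
    return file_hits, log_hits


if __name__ == "__main__":
    files, net = run_demo()
    for path, why in files:
        print(f"[file] {path}: {why}")
    for ts, src, host in net:
        print(f"[net ] {ts} {src} -> {host}")
```

Hash matching catches only the three published samples; the lure-name rule is what catches the next variant, since a contract or attachment that arrives as a .vbe or .vbs file is suspicious regardless of its hash. The subdomain check deliberately anchors on the dot so that look-alike hosts ending in the C2 name do not match.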
Security teams are urged to remain vigilant as the Batavia spyware continues to evolve and adapt its methods to evade detection.