Spyware Targets Employees via Weaponized Word Documents Delivering Malware Payloads
Essential information
- Published: 09/07/2025 03:05
- Modified: 13/07/2025 10:03
- Tags: 2025-07-09, batavia, c++, malware, data exfiltration, delphi executable, evasion tactics, multi-stage attack, persistence mechanisms, phishing, russian targets, spyware, vbs scripts
- Related entities: 2 observables, 1 intrusion set (APT), 17 techniques (MITRE), 1 malware, 2 others
Description
A previously unidentified spyware, tracked as Batavia, has been targeting Russian industrial organizations since July 2024 through a sophisticated phishing operation. The campaign uses bait emails disguised as contract agreements to trick employees into downloading malicious scripts, which initiate a multi-stage infection process. The spyware's ultimate goal is to exfiltrate sensitive internal documents and system data. The attack proceeds in several stages: downloading encrypted VBS scripts, executing Delphi-written executables, and deploying C++-based malware that expands the scope of data theft. Batavia employs advanced evasion tactics and persistence mechanisms, making it a significant threat to organizational security. The campaign remains active, and its ability to download additional payloads leaves room for further damage.