{
  "name": "Spyware Targets Employees via Weaponized Word Documents Delivering Malware Payloads",
  "slug": "spyware-targets-employees-via-weaponized-word-documents-delivering-malware-payloads",
  "description": "A previously unidentified spyware called Batavia has been targeting Russian industrial organizations since July 2024 through a sophisticated phishing operation. The campaign uses bait emails disguised as contract agreements to trick employees into downloading malicious scripts, initiating a multi-stage infection process. The spyware's ultimate goal is to exfiltrate sensitive internal documents and system data. The attack involves multiple stages, including downloading encrypted VBS scripts, executing Delphi-written executables, and deploying C++-based malware for expanded data theft. Batavia employs advanced evasion tactics and persistence mechanisms, making it a significant threat to organizational security. The campaign remains active, with potential for further damage due to its ability to download additional payloads.",
  "published": "2025-07-09T01:05:16+00:00",
  "created_at": "2025-07-09T01:05:16+00:00",
  "modified_at": "2025-07-13T08:03:22+00:00",
  "created_at_opencti": "2025-07-09T01:05:16+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-07-09",
    "batavia",
    "c++ malware",
    "data exfiltration",
    "delphi executable",
    "evasion tactics",
    "multi-stage attack",
    "persistence mechanisms",
    "phishing",
    "russian targets",
    "spyware",
    "vbs scripts"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "ru-exchange.com"
      },
      {
        "id": "",
        "name": "oblast-ru.com"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:3ea0711620673fb0",
        "name": "Batavia",
        "slug": "batavia"
      }
    ],
    "intrusion_sets": [
      {
        "id": "c2969061-2471-43e4-b07e-ad6e527a1d6c",
        "name": "Batavia",
        "slug": "batavia"
      }
    ],
    "attack_patterns": [
      {
        "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd",
        "name": "T1059.005"
      },
      {
        "id": "1e73eaa9-ea78-444b-b3a3-5842f5d35115",
        "name": "T1074"
      },
      {
        "id": "16e26db7-7376-40c1-b8a9-23d56c44f7ee",
        "name": "T1571"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "5bab4974-1fc2-4144-b093-28ebcb8767dc",
        "name": "T1114"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "53b3b18c-d0d0-4bf6-bc6b-2c0ab9180deb",
        "name": "T1070"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d",
        "name": "T1053"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Russian Federation"
      },
      {
        "id": "",
        "name": "Manufacturing"
      }
    ]
  },
  "external_refs": [
    "https://gbhackers.com/batavia-spyware-targets-employees-via-weaponized-word-documents",
    "https://otx.alienvault.com/pulse/686ddc6c70f3b01f8f7c7edf"
  ]
}