Major industrial enterprises across Russia have been subjected to phishing intrusions spreading the Batavia spyware as part of a cyberespionage campaign that has been ongoing since July 2024, with attacks escalating even further since March, Security Affairs reports.
Malicious emails purporting to be contracts were sent to over 100 users across dozens of Russian industrial organizations. Their malicious links downloaded a VBE script that collects system details and fetches the Delphi-based WebView.exe malware, which gathers system logs and takes screenshots, according to a Kaspersky analysis. WebView.exe in turn launches the final-stage C++-based javav.exe payload, which targets additional system files, can replace its command-and-control address, runs further payloads, and establishes persistence on the infected device. "It's also worth noting that the initial infection vector in this campaign is bait emails. This highlights the importance of regular employee training and raising awareness of corporate cybersecurity practices," said Kaspersky.
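The chain described above (VBE script, then WebView.exe, then javav.exe) is the kind of staged execution that is easier to spot as a parent-child process sequence than as three isolated file hashes. The following is an added example written for this page, not code from Kaspersky or the article: it correlates constructed process-creation events into an ancestry path and flags a process whose lineage passes through the stages in order. The assumptions are that the VBE script runs under wscript.exe or cscript.exe (the default handler for .vbe on Windows), that each stage is launched as a child of the previous one, and that the two later stages keep the file names the article reports; the event format and sample events are constructed for the example.

```python
"""Correlate process-creation events into the VBE -> WebView.exe -> javav.exe chain.

Added example for this page; the event format, sample events and the
stage-to-process-tree mapping are assumptions, not Kaspersky's own logic.
"""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (constructed; modelled loosely on Sysmon EID 1)."""
    pid: int
    ppid: int
    image: str     # full path of the started executable
    cmdline: str   # command line as seen at process start


def _basename(path: str) -> str:
    """Lower-cased file name, tolerant of Windows back-slashes."""
    return os.path.basename(path.replace("\\", "/")).lower()


def stage_of(ev: ProcEvent):
    """Map an event to a stage index (0, 1, 2) or None if it matches no stage.

    Stage 0: script host executing a .vbe file (assumption: default .vbe handler).
    Stage 1: the Delphi WebView.exe stage named in the article.
    Stage 2: the final C++ javav.exe stage named in the article.
    """
    base = _basename(ev.image)
    if base in ("wscript.exe", "cscript.exe") and ".vbe" in ev.cmdline.lower():
        return 0
    if base == "webview.exe":
        return 1
    if base == "javav.exe":
        return 2
    return None


def ancestry(by_pid: dict, pid: int) -> list:
    """Return the process chain from the oldest known ancestor down to `pid`."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:      # stop at unknown parent or pid reuse loop
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return list(reversed(chain))


def find_chains(events: list, min_stages: int = 3) -> list:
    """Return pid lists for processes whose ancestry hits the stages in order.

    A chain is reported at the process that completes it, so a parent-spawned
    later stage is not reported twice. Lower `min_stages` to 2 to alert as soon as
    the VBE stage has pulled down WebView.exe, before the final payload runs.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        want, matched = 0, []
        for anc in ancestry(by_pid, ev.pid):
            if stage_of(anc) == want:             # stages must appear in order
                matched.append(anc.pid)
                want += 1
        if len(matched) >= min_stages and matched[-1] == ev.pid:
            hits.append(matched)
    return hits


# Constructed sample events: one infection chain plus a benign, similarly named process.
EVENTS = [
    ProcEvent(100, 1,   r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", "OUTLOOK.EXE"),
    ProcEvent(300, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\Downloads\contract.vbe"'),
    ProcEvent(400, 300, r"C:\Users\u\AppData\Local\Temp\WebView.exe", "WebView.exe"),
    ProcEvent(500, 400, r"C:\Users\u\AppData\Local\Temp\javav.exe", "javav.exe"),
    ProcEvent(600, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    # Same file name, but no VBE ancestor: must not be flagged as the chain.
    ProcEvent(700, 600, r"C:\Tools\WebView.exe", "WebView.exe --help"),
]

if __name__ == "__main__":
    for chain in find_chains(EVENTS):
        print("staged infection chain, pids:", chain)
```

Matching on the ancestry path rather than on the file names alone is what keeps the benign WebView.exe (pid 700) quiet; in production the stage predicates would be replaced or extended with the hashes and paths from Kaspersky's indicators rather than the names used here.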