New spyware strain steals data from Russian industrial companies
Hackers are targeting Russia’s industrial sector with a new spyware strain that steals sensitive internal documents, local researchers warned.
The campaign, which began in July 2024 and remains active, uses phishing emails disguised as fake contracts. Victims are urged to download a file via a malicious link, which infects their systems with previously unknown spyware dubbed Batavia, according to a new report by Moscow-based cybersecurity firm Kaspersky.
The malware exfiltrates files, including office documents and system logs. It also takes periodic screenshots and collects system information such as installed software, all of which is sent to a remote server controlled by the attackers.
Kaspersky said the campaign has already affected over 100 victims across several dozen Russian organizations, but did not disclose the specific targets. The firm has not attributed the operation to a specific threat actor, though the hackers’ tactics and targets suggest possible involvement of state-sponsored groups or organized cybercriminals.
The Batavia campaign is one of the latest in a string of cyber operations against Russian organizations. In February, local researchers reported a large-scale information-stealing campaign involving the Nova malware. Around the same time, Russian cybersecurity firm F.A.C.C.T. linked a separate wave of attacks against the country’s chemical, food and pharmaceutical industries to a suspected state-backed group known as Rare Wolf, which has been active since 2018.
In December, Kaspersky also reported that Russian businesses using unlicensed corporate software were being targeted with RedLine, a widely used information stealer distributed via local online forums frequented by accountants and entrepreneurs.
Analysts previously warned that the recent spike in cyberespionage activity may be linked to escalating geopolitical tensions and increased targeting of critical sectors in both Russia and Ukraine.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.