Reddit NetSec

CVE Database V5

AlienVault OTX General

Exploit-DB RSS Feed

Reddit InfoSec News

ThreatFox MISP Feed

CIRCL OSINT Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

The Batavia spyware campaign, active since July 2024, targets Russian industrial enterprises through phishing emails containing malicious links disguised as contract documents. The infection process involves three stages: a VBS script downloader, the WebView.exe spyware, and the javav.exe module. These components collect and exfiltrate various types of files, including system logs, office documents, and screenshots. The malware employs techniques to avoid duplicate file uploads and can download additional payloads. Over 100 users across dozens of organizations have been affected. The campaign highlights the importance of comprehensive cybersecurity measures and employee training to mitigate such threats.

The Batavia spyware campaign, active since July 2024, is a targeted cyber espionage operation focusing primarily on Russian industrial enterprises. The attack vector is phishing emails containing malicious links disguised as contract documents, leveraging social engineering to trick users into initiating the infection. The infection unfolds in three distinct stages: initially, a Visual Basic Script (VBS) downloader is executed, which then retrieves and installs the main spyware component named WebView.exe. Subsequently, a secondary module called javav.exe is deployed. These components collectively perform extensive data collection and exfiltration activities, targeting system logs, office documents, screenshots, and other sensitive files. The malware incorporates mechanisms to avoid redundant data uploads, optimizing its stealth and efficiency. Additionally, it has the capability to download further payloads, potentially expanding its functionality or persistence. The campaign has impacted over 100 users across dozens of organizations, indicating a moderately widespread operation. The malware also employs User Account Control (UAC) bypass techniques to escalate privileges, enhancing its ability to operate undetected and persistently within compromised environments. The campaign's tactics, techniques, and procedures (TTPs) align with multiple MITRE ATT&CK techniques such as T1113 (Screen Capture), T1548.002 (UAC Bypass), T1566.002 (Phishing Link), and others related to credential access, persistence, and defense evasion. The threat actor behind this campaign, referred to as Batavia, demonstrates a focused interest in industrial espionage and intelligence gathering within Russian organizations. The campaign underscores the critical need for multi-layered cybersecurity defenses, including robust phishing awareness training, endpoint detection capabilities, and network monitoring to detect anomalous data exfiltration.

Detailed information about Batavia spyware steals data from Russian organizations. Get real-time updates, technical details, and mitigation strategies.

Batavia spyware steals data from Russian organizations - Live Threat Intelligence - Threat Radar | OffSeq.com

Batavia spyware steals data from Russian organizations

A new PowerShell-based shellcode loader has been discovered, designed to execute a variant of Remcos RAT. The attack chain begins with malicious LNK files in ZIP archives, using mshta.exe for initial execution. The loader employs fileless techniques, executing code directly in memory to evade traditional defenses. It leverages Windows APIs to allocate memory and execute binary code. The Remcos RAT provides full system control, featuring keylogging, screen capture, and credential theft capabilities. It uses advanced evasion techniques like process hollowing and UAC bypass. The malware establishes persistence through registry modifications and connects to a command and control server over TLS. This sophisticated attack emphasizes the need for behavioral analytics and proactive security measures to detect and mitigate such stealthy threats.

This threat involves a sophisticated fileless malware attack leveraging PowerShell to load and execute shellcode directly in memory, thereby bypassing traditional file-based detection mechanisms. The attack initiates via malicious LNK shortcut files embedded within ZIP archives, which when opened, trigger mshta.exe to execute the initial payload. The PowerShell-based loader then uses Windows API calls to allocate memory and execute binary code without writing files to disk, significantly enhancing stealth. The payload is a variant of Remcos RAT, a remote access trojan that grants attackers full control over the compromised system. Remcos RAT capabilities include keylogging, screen capture, credential theft, and other espionage functions. It employs advanced evasion techniques such as process hollowing—injecting malicious code into legitimate processes—and User Account Control (UAC) bypass to escalate privileges without user consent. Persistence is achieved through registry modifications, ensuring the malware survives system reboots. Communication with the command and control (C2) server is conducted over encrypted TLS channels, complicating network detection. This attack chain exemplifies modern threat actor tactics that emphasize stealth, memory-resident execution, and multi-layered evasion, making detection and mitigation challenging without behavioral analytics and endpoint detection and response (EDR) solutions capable of monitoring in-memory activities and anomalous process behaviors.

Detailed information about Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT. Get real-time updates, technical details, and mitigation s

Title	Severity	Type	Source	Date

Threats Tagged 'uac bypass'

Filter Threats

Threats Tagged 'uac bypass'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility