Vercara’s Open-Source Intelligence (OSINT) Report – July 4 – July 10, 2025


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Researchers Uncover Batavia Windows Spyware Stealing Documents from Russian Firms

(TLP: CLEAR) The Batavia spyware campaign, uncovered by Kaspersky, is a multi-stage cyber espionage operation that has targeted Russian industrial organizations since mid-2024. Delivered via spear-phishing emails posing as legitimate contracts, the attack begins with an encoded Visual Basic script that profiles the victim’s system and downloads a second-stage Delphi spyware named WebView.exe. This component collects documents, screenshots, and system data while displaying a decoy document so the victim sees nothing unusual. A third-stage payload, javav.exe, written in C++, expands data collection and implements a UAC bypass built on the auto-elevating computerdefaults.exe binary to gain higher privileges and establish persistence. Exfiltration is handled via staged uploads to command-and-control (C2) servers such as ru-exchange[.]com, with file deduplication performed using FNV-1a_32 hashing so that documents the C2 already holds are not sent again. Researchers suspect a fourth-stage component exists but have not yet captured it. The combination of social engineering, modular payload delivery, stealth techniques, and wide-ranging data theft points to industrial espionage, although attribution remains unknown.

(TLP: CLEAR) Comments: The Batavia campaign highlights several tactics worth noting. The staged delivery (an encoded VBScript dropper, then a Delphi stage, then a C++ stage) keeps each component small and lets the operators swap pieces without rebuilding the chain, which complicates detection and supports persistence. Phishing emails disguised as contracts remain effective, so strong email filtering and user awareness are still the first line of defense. Showing a decoy document while data is collected buys time before the victim notices anything wrong. The UAC bypass, simple XOR obfuscation, and FNV-1a_32 (a fast non-cryptographic hash used here only to deduplicate files, not to encrypt them) point to tooling built for stealth and operational efficiency rather than cryptographic strength.

The suspected fourth-stage payload indicates ongoing tool development. Defensively, this underscores the importance of layered security: endpoint monitoring for unexpected auto-elevation (for example, computerdefaults.exe launched by something other than the user’s shell), privilege management, and threat hunting for the published indicators.
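The two mechanics the Batavia write-up names, FNV-1a_32 deduplication and the computerdefaults.exe UAC bypass, are shown below in an added Python example. This is illustration code written for this report, not Batavia code or Kaspersky’s tooling; the sample files and Sysmon-style events are constructed, and the HKCU ms-settings handler path is the generic auto-elevation hijack assumed here, since the report only names the binary.

```python
"""FNV-1a_32 as a deduplication tag, plus a small hunt for the
computerdefaults.exe auto-elevation abuse.  Added illustration;
all sample data is constructed."""
import math

FNV_OFFSET_32 = 0x811C9DC5
FNV_PRIME_32 = 0x01000193


def fnv1a_32(data: bytes) -> int:
    """Fowler-Noll-Vo 1a, 32-bit: XOR each byte in, then multiply by the prime."""
    h = FNV_OFFSET_32
    for b in data:
        h ^= b
        h = (h * FNV_PRIME_32) & 0xFFFFFFFF
    return h


def select_for_upload(files, already_sent):
    """Return the names whose content tag is not yet in `already_sent`
    (a set of 32-bit ints kept across uploads) and record the new tags.
    This is the bandwidth-saving behaviour the report describes: a 4-byte
    tag per file is enough to skip documents the C2 already holds."""
    chosen = []
    for name, content in files:
        tag = fnv1a_32(content)
        if tag in already_sent:
            continue
        already_sent.add(tag)
        chosen.append(name)
    return chosen


def collision_probability(n_files: int, bits: int = 32) -> float:
    """Birthday bound on two distinct files sharing a tag; FNV-1a is fast but
    not collision resistant, so a large haul silently drops some files."""
    return 1.0 - math.exp(-n_files * (n_files - 1) / (2.0 * 2.0 ** bits))


# --- hunting side -----------------------------------------------------------
# Auto-elevating binaries such as computerdefaults.exe consult an HKCU
# ms-settings handler that any user can write.  ASSUMPTION: the hijack path
# below is the generic technique; the report only names the binary.
HIJACK_KEY_PREFIX = r"hkcu\software\classes\ms-settings\shell\open\command"

# Constructed Sysmon-like records (not from the Kaspersky write-up).
SAMPLE_EVENTS = [
    {"type": "registry_set", "process": "javav.exe",
     "key": r"HKCU\Software\Classes\ms-settings\Shell\Open\command\DelegateExecute"},
    {"type": "process_create", "image": r"C:\Windows\System32\computerdefaults.exe",
     "parent": "javav.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\computerdefaults.exe",
     "parent": "explorer.exe"},
    {"type": "registry_set", "process": "msedge.exe",
     "key": r"HKCU\Software\Microsoft\Edge\Profile"},
]


def hunt_computerdefaults_hijack(events):
    """Flag HKCU ms-settings handler writes and computerdefaults.exe launches
    whose parent is not the shell; returns (reason, actor, detail) tuples."""
    hits = []
    for ev in events:
        if ev["type"] == "registry_set" and ev["key"].lower().startswith(HIJACK_KEY_PREFIX):
            hits.append(("ms-settings-handler-write", ev["process"], ev["key"]))
        elif (ev["type"] == "process_create"
              and ev["image"].lower().endswith("computerdefaults.exe")
              and ev["parent"].lower() != "explorer.exe"):
            hits.append(("unusual-parent", ev["parent"], ev["image"]))
    return hits


if __name__ == "__main__":
    sent = set()
    batch = [("a.docx", b"contract"), ("b.docx", b"contract"), ("c.xlsx", b"prices")]
    print(select_for_upload(batch, sent))          # ['a.docx', 'c.xlsx']
    print(round(collision_probability(100_000), 3))
    for hit in hunt_computerdefaults_hijack(SAMPLE_EVENTS):
        print(hit)
```

The collision bound is the caveat worth keeping in mind when reading the "conserve bandwidth" detail: at roughly 100,000 files the chance that at least two distinct documents share a 32-bit tag is about two thirds, so the operators accepted losing a few files in exchange for a tiny per-file cost. The hunt is deliberately narrow; the parent-process heuristic will need tuning for environments where legitimate installers launch the Default Programs dialog.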

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”

(TLP: CLEAR) Vercara: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations.

Sources: https://thehackernews.com/2025/07/researchers-uncover-batavia-windows.html
https://www.bleepingcomputer.com/news/security/batavia-windows-spyware-campaign-targets-dozens-of-russian-orgs/

Gold Melody IAB Exploits Exposed ASP.NET Machine Keys for Unauthorized Access to Targets

(TLP: CLEAR) Gold Melody is an initial access broker (IAB), a group that breaks into organizations and sells the resulting access to other criminals. In this campaign it is abusing publicly exposed ASP.NET machine keys rather than a software vulnerability. ASP.NET uses the machineKey validationKey and decryptionKey to sign and encrypt ViewState; when a developer copies a key from documentation, a forum post, or a public code repository into web.config, anyone who knows that key can produce ViewState that passes the server’s integrity check. The forged ViewState is deserialized by the IIS application, which gives the attacker code execution on the web server, after which the group deploys web shells and other tooling to keep covert, long-term access and to move further into the network.

(TLP: CLEAR) Comments: Because the key is the weakness, patching IIS or the .NET Framework does not close the door; the remediation is to treat machine keys as secrets. Organizations should inventory web.config files for static machineKey values, rotate any key that is static, shared across applications, or appears in public sources, and remove keys from source control. ViewState MAC validation should stay enabled (it is the default) so that a rotated key actually rejects forged payloads. Detection opportunities include ViewState verification failures in the ASP.NET application logs, IIS worker processes (w3wp.exe) spawning command interpreters, and new files appearing in web-accessible directories. A web application firewall can add signature coverage for known web shells and block suspicious traffic, and running the application pool under a least-privilege identity limits what a successful deserialization can do.
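The check a practitioner would want here is a pass over web.config for static or publicly known machine keys, together with a demonstration of why a known validationKey is equivalent to a signing oracle. The Python below is an added example written for this report, not code from the Gold Melody research; the config text and the hex keys are constructed placeholders, and the MAC construction is a simplified model of ASP.NET ViewState validation (real ASP.NET folds a per-page modifier into the HMAC, which does not change the conclusion).

```python
"""Audit an ASP.NET <machineKey> and show why a known validationKey lets an
attacker forge MAC-valid ViewState.  Added illustration; the config text and
hex keys are constructed placeholders, not real leaked keys."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Stand-in for keys found in public docs/forums/repos (constructed).
KNOWN_PUBLIC_KEYS = {"00" * 64}
LEAKED_KEY = "00" * 64        # what the server actually uses (placeholder)
ROTATED_KEY = "5a" * 64       # a fresh key after remediation (placeholder)

WEB_CONFIG_STATIC = """<configuration>
  <system.web>
    <machineKey validationKey="{vk}" decryptionKey="{dk}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

WEB_CONFIG_AUTOGEN = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


def audit_machine_key(web_config_xml: str, known_public_keys=KNOWN_PUBLIC_KEYS):
    """Return a list of findings for the <machineKey> element.
    A static key is a secret that must be treated like a password; a key that
    matches a public corpus means any ViewState the app accepts can be forged."""
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return []                     # ASP.NET auto-generates per-app keys
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        val = mk.get(attr, "AutoGenerate")
        if val.startswith("AutoGenerate"):
            continue
        findings.append(f"static-{attr}")
        if val.lower() in known_public_keys:
            findings.append(f"publicly-known-{attr}")
    if mk.get("validation", "").upper() in ("MD5", "SHA1"):
        findings.append("weak-validation-algorithm")
    return findings


def mac_viewstate(payload: bytes, validation_key_hex: str) -> str:
    """Simplified ViewState MAC: base64(payload || HMAC-SHA256(key, payload)).
    Real ASP.NET also folds a per-page modifier into the MAC; the property
    that matters is the same: whoever holds validationKey can sign anything."""
    key = bytes.fromhex(validation_key_hex)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def viewstate_is_valid(blob: str, validation_key_hex: str) -> bool:
    """Server-side check: recompute the tag and compare in constant time."""
    raw = base64.b64decode(blob)
    payload, tag = raw[:-32], raw[-32:]
    expected = hmac.new(bytes.fromhex(validation_key_hex), payload, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


if __name__ == "__main__":
    print(audit_machine_key(WEB_CONFIG_STATIC.format(vk=LEAKED_KEY, dk="11" * 32)))
    print(audit_machine_key(WEB_CONFIG_AUTOGEN))
    # An attacker holding the leaked key signs an arbitrary (here inert) payload.
    forged = mac_viewstate(b"<attacker-controlled serialized object>", LEAKED_KEY)
    print(viewstate_is_valid(forged, LEAKED_KEY))   # True: the server accepts it
    print(viewstate_is_valid(forged, ROTATED_KEY))  # False: rotation breaks the forgery
```

Run the audit across every web.config in a deployment, not just the application root: a static key is not a defect by itself (web farms need one), but it has to be unique to the organization, kept out of repositories, and rotated on any suspicion of exposure, because the last two lines show that nothing short of rotation stops a holder of the key.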
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:

  • Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
  • Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
  • Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy.
  • Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.”

(TLP: CLEAR) Vercara: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in realtime and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.

Source: https://thehackernews.com/2025/07/gold-melody-iab-exploits-exposed-aspnet.html

DoNot APT Expands Operations, Targets European Foreign Ministries with LoptikMod Malware

(TLP: CLEAR) The DoNot APT (Advanced Persistent Threat) group has recently expanded its operations, now focusing on European foreign ministries in a targeted campaign that utilizes a newly discovered malware variant, LoptikMod. This group, known for its cyber espionage activities, has adapted its tactics, techniques, and procedures (TTPs) to breach sensitive government organizations. The LoptikMod malware, a sophisticated evolution of previous tools used by DoNot APT, is designed to enable long-term persistence and data exfiltration. It operates by establishing covert command-and-control (C2) communication channels, facilitating remote access to compromised networks, and enabling the attackers to move laterally within the network.
(TLP: CLEAR) Comments: The malware can steal confidential diplomatic and national security information, making it a valuable tool for espionage operations. Notably, LoptikMod leverages fileless techniques, making it difficult to detect by traditional security measures. The threat group employs spear-phishing as the initial infection vector, with carefully crafted emails designed to deceive foreign ministry staff into executing malicious attachments. Once inside, LoptikMod delivers further payloads and maintains access by exploiting software vulnerabilities. Organizations within the targeted sectors are advised to enhance their email security, patch critical vulnerabilities, and employ advanced endpoint detection and response (EDR) solutions to counteract the evolving threat posed by DoNot APT.
(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-41 Revision 1, “Guidelines on Firewalls and Firewall Policy”: “Application firewalls can enable the identification of unexpected sequences of commands, such as issuing the same command repeatedly or issuing a command that was not preceded by another command on which it is dependent. These suspicious commands often originate from buffer overflow attacks, DoS attacks, malware, and other forms of attack carried out within application protocols such as HTTP. Another common feature is input validation for individual commands, such as minimum and maximum lengths for arguments. For example, a username argument with a length of 1000 characters is suspicious—even more so if it contains binary data.”
(TLP: CLEAR) Vercara: Digicert’s Web Application Firewall, UltraWAF, helps prevent common exploits of vulnerabilities in web applications that could lead to insertion of malware. Signatures for new vulnerabilities are constantly updated along with granular input validation controls and traffic filtering measures for flexibility. UltraWAF includes a number of tools for managing both benign and malicious bots including bot signatures and device fingerprinting. UltraWAF can also prevent some layer 7 DDoS attacks.

Source: https://thehackernews.com/2025/07/donot-apt-expands-operations-targets.html

RondoDox Botnet Exploits Flaws in TBK DVRs and Four-Faith Routers to Launch DDoS Attacks

(TLP: CLEAR) RondoDox is a newly discovered botnet that exploits vulnerabilities in TBK digital video recorders (DVRs) and Four-Faith industrial routers to recruit those devices into distributed denial-of-service (DDoS) attacks. The malware targets Internet-exposed IoT and edge devices running unpatched firmware; once a device is compromised, it is used to flood target networks with traffic, rendering the target systems inaccessible.

(TLP: CLEAR) Comments: RondoDox combines hardcoded or default credentials with remote code execution (RCE) vulnerabilities to gain a foothold, then uses evasion tactics to keep running on the device and blend its traffic with ordinary network activity. Its rapid expansion raises concerns about large-scale disruptions, since DVRs and cellular routers are commonly left reachable from the Internet with factory settings. Organizations and IoT device owners should patch affected firmware, disable unnecessary services, keep management interfaces off the public Internet, and enforce strong password policies. Regular monitoring for anomalous traffic patterns (for example, sudden outbound UDP floods from a device that normally only streams video) helps identify recruited devices before they contribute to an attack.
(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Distributed denial-of-service (DDoS) is a form attack where the attack traffic is generated from many distributed sources to achieve a high-volume attack and directed towards an intended victim (i.e., system or server). To conduct a direct DDoS attack, the attacker typically makes use of a few powerful computers or a vast number of unsuspecting, compromised third-party devices (e.g., laptops, tablets, cell phones, Internet of Things (IoT) devices, etc.). The latter scenario is often implemented through botnets. In many DDoS attacks, the IP source addresses in the attack messages are “spoofed” to avoid traceability.”

MITRE ATT&CK T1498.002, “Network Denial of Service: Reflection Amplification”: “Adversaries may attempt to cause a denial of service (DoS) by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target. This Network DoS attack may also reduce the availability and functionality of the targeted system(s) and network.

“Reflection attacks often take advantage of protocols with larger responses than requests in order to amplify their traffic, commonly known as a Reflection Amplification attack. Adversaries may be able to generate an increase in volume of attack traffic that is several orders of magnitude greater than the requests sent to the amplifiers. The extent of this increase will depend upon many variables, such as the protocol in question, the technique used, and the amplifying servers that actually produce the amplification in attack volume. Two prominent protocols that have enabled Reflection Amplification Floods are DNS and NTP, though the use of several others in the wild have been documented. In particular, the memcache protocol showed itself to be a powerful protocol, with amplification sizes up to 51,200 times the requesting packet.”
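The reflection pattern in the ATT&CK passage above has a simple signature in flow data on the victim side: large volumes arriving from the source port of an amplifier service, from many different hosts, with no matching requests ever sent by the victim. The Python below is an added example written for this report (not from the RondoDox research or MITRE) that applies that test to constructed NetFlow-style records; the port list and thresholds are this example’s assumptions.

```python
"""Spot reflection/amplification floods in flow records: many distinct
reflectors answering from a known amplifier port, with no matching requests
from the victim.  Added illustration; records below are constructed."""
from collections import defaultdict

# UDP services commonly abused as reflectors (port -> name); assumption list.
REFLECTOR_PORTS = {19: "chargen", 53: "DNS", 123: "NTP", 161: "SNMP",
                   389: "CLDAP", 1900: "SSDP", 11211: "memcached"}

VICTIM = "203.0.113.10"

# (src_ip, src_port, dst_ip, dst_port, proto, bytes) -- constructed NetFlow-style
SAMPLE_FLOWS = [
    # legitimate DNS exchange: the victim asked, the resolver answered
    (VICTIM, 51111, "198.51.100.53", 53, "udp", 120),
    ("198.51.100.53", 53, VICTIM, 51111, "udp", 400),
    # a TCP web session that the UDP check must ignore
    ("198.51.100.7", 443, VICTIM, 40222, "tcp", 90000),
]
# reflected memcached flood: 30 open servers answer a request the victim never sent
SAMPLE_FLOWS += [(f"192.0.2.{i}", 11211, VICTIM, 30000 + i, "udp", 50_000)
                 for i in range(1, 31)]


def detect_reflection(flows, victim, min_ratio=10.0, min_sources=5):
    """Per amplifier port, compare bytes received from that port with bytes the
    victim sent to those same endpoints.  A high ratio from many sources is
    the signature of spoofed-source reflection; a real client/server exchange
    has one peer and a modest ratio."""
    sent = defaultdict(int)   # (remote_ip, remote_port) -> bytes victim sent
    recv = defaultdict(int)   # (remote_ip, remote_port) -> bytes victim received
    for src_ip, sport, dst_ip, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if src_ip == victim:
            sent[(dst_ip, dport)] += nbytes
        elif dst_ip == victim:
            recv[(src_ip, sport)] += nbytes

    per_port = defaultdict(lambda: {"sources": set(), "in": 0, "out": 0})
    for (ip, port), n in recv.items():
        if port in REFLECTOR_PORTS:
            s = per_port[port]
            s["sources"].add(ip)
            s["in"] += n
            s["out"] += sent.get((ip, port), 0)

    alerts = []
    for port, s in per_port.items():
        ratio = s["in"] / max(s["out"], 1)
        if ratio >= min_ratio and len(s["sources"]) >= min_sources:
            alerts.append({"port": port, "service": REFLECTOR_PORTS[port],
                           "sources": len(s["sources"]), "bytes_in": s["in"],
                           "amplification": round(ratio, 1)})
    return sorted(alerts, key=lambda a: -a["bytes_in"])


if __name__ == "__main__":
    for a in detect_reflection(SAMPLE_FLOWS, VICTIM):
        print(a)
```

The legitimate DNS exchange is not flagged because it has one peer and a response-to-request ratio of about three, whereas the memcached traffic has thirty peers and no outbound requests at all. The same per-port aggregation also produces the list you would hand to an upstream scrubbing provider or ACL: amplifier source ports that the victim has no business receiving from at volume.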
(TLP: CLEAR) Vercara: Digicert UltraDDoS Protect scrubs malicious traffic away from your infrastructure, defusing the large, complex attacks that make headlines every day and threaten your operational stability. Powerful automation allows you to activate on-demand cloud protection through means that include DNS Redirection, BGP Redirection, and API-triggering. The result is incredibly fast response against DDoS trouble when you need it most.
Source: https://thehackernews.com/2025/07/rondodox-botnet-exploits-flaws-in-tbk.html

Traffic Light Protocol (TLP)

Except where noted, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

About DigiCert Ultra Security

The world’s top brands depend on DigiCert to safeguard their digital infrastructure and online presence. DigiCert offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. The company’s ultra secure suite of solutions protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, DigiCert’s mission-critical security portfolio provides best-in-class DNS, application, and network security including DDoS protection, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please visit our website or contact us.

©2025 DigiCert, Inc. All rights reserved. All logos, trademarks, servicemarks, registered trademarks, and/or registered servicemarks are owned by DigiCert, Inc. All other logos, trademarks, servicemarks, registered trademarks, and registered servicemarks are the property of their respective owners.

