A financially motivated Russian threat actor tracked as UAT-11795 is using trojanized software to steal credentials and cryptocurrency by deploying a new backdoor called Starland RAT.
Attacks have been occurring since at least June 2025 and have focused on users in the U.S., although victims in Germany, Romania, and Venezuela have been observed as well.
According to researchers at Cisco Talos, the threat actor distributes the payload via trojanized installers for legitimate software such as MobaXterm, WebEx, Zoom, DBeaver, and FaceIT.
Although the researchers could not confirm the infection vector, they speculate that the malicious files are likely pushed using the ClickFix method.
In an analysis published today, Cisco Talos says that the attack starts with an HTA file that retrieves a trojanized NSIS installer containing a Python loader disguised as a text file (LICENSE.txt).
The loader modifies the Windows Registry to establish persistence and then decrypts and loads the Starland remote access trojan (RAT).
When launched, Starland checks whether it is running in a sandbox environment, adds scheduled tasks and Startup folder items for persistence, and tries to increase its privileges.
The malware looks for the following types of data on the compromised system:
StarlandRAT can also capture screenshots of the victim’s desktop, execute shell commands, inject 32- or 64-bit shellcode, and download additional payloads (EXEs, MSIs, DLLs, ZIPs).
In the observed attacks, the 64-bit shellcode chain delivers the CastleStealer info-stealer malware, while the 32-bit chain delivers the Remcos remote access trojan (RAT).
CastleStealer targets browser credentials, cryptocurrency wallet information, Discord and Telegram sessions, Steam credentials, and filesystem files.
Remcos RAT provides capabilities such as keylogging, webcam and screen capture, audio recording, clipboard monitoring, file management, and remote command execution.
Cisco Talos highlights that the malware’s command-and-control (C2) communication has a redundancy mechanism if reaching the hardcoded address fails, which involves querying a Polygon smart contract with an XOR-encrypted fallback domain.
Talos also discovered that UAT-11795 uses a previously undocumented PowerShell C2 framework called WLDR, which uses encrypted (PBKDF2-SHA256) beaconing and communications, operates entirely in memory, and binds payload delivery to each victim’s hardware identifier.
To defend against UAT-11795 attacks, organizations should use the indicators of compromise IoCs in the Cisco Talos report.
Users should avoid executing commands found online if they don’t understand what they do and should download software only from confirmed official vendor portals.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
Ukraine’s army targeted in new charity-themed malware campaign
GreyVibe hackers use ChatGPT, Gemini to power cyberattacks
Russian hackers turn Kazuar backdoor into modular P2P botnet
Google Gemini CLI abused as a hacking agent, malware botnet operator
AsyncAPI npm packages infected with credential-stealing malware
Microsoft July 2026 Patch Tuesday fixes massive 570 flaws, 3 zero-days
Microsoft: Some Dell PCs shut down after recent Windows updates
Windows 11 KB5101650 & KB5099414 cumulative updates released
How Mature Is Your AI Security Program? Take the Free AI Maturity Assessment.
#1 MSP Benchmark report 2026: Insights from 1,000+ MSPs on growth, security, artificial intelligence, and key 2026 trends.
Pentest your web apps on-demand. Find what humans miss. Scope and launch a pentest in minutes.
AI broke vulnerability management. Get the guide CISOs use to shift budget to BAS.
AI is a data-breach time bomb: Read the new report
Terms of Use – Privacy Policy – Ethics Statement – Affiliate Disclosure
Read our posting guidelinese to learn what content is prohibited.



