VYPR
malwarePublished Jul 16, 2026· 2 sources

Russian Hackers Trojanize WebEx, Zoom Apps to Distribute Starland RAT

A Russian financially motivated threat actor is distributing a new backdoor, Starland RAT, by trojanizing legitimate software installers like WebEx and Zoom, targeting users for credential and cryptocurrency theft.

A Russian threat actor, identified as UAT-11795, has been actively distributing a new remote access trojan (RAT) named Starland RAT since at least June 2025. This campaign primarily targets users in the United States, but has also been observed affecting individuals in Germany, Romania, and Venezuela. The group's main objectives appear to be the theft of sensitive credentials and the illicit acquisition of cryptocurrency.

Cisco Talos researchers revealed that UAT-11795 achieves its distribution goals by trojanizing installers for legitimate and widely used software. Applications such as MobaXterm, WebEx, Zoom, DBeaver, and FaceIT have been observed being bundled with the malicious payload. While the exact infection vector remains unconfirmed, researchers speculate that the malicious files are likely disseminated through the ClickFix method, a technique that leverages social engineering to trick users into downloading and executing compromised software.

The attack chain begins with an HTA file, which, when executed, retrieves a trojanized NSIS installer. This installer contains a Python loader disguised as a legitimate text file, typically named LICENSE.txt. Once active, the Python loader establishes persistence on the victim's system by modifying the Windows Registry. It then proceeds to decrypt and load the Starland RAT into memory.

Upon execution, the Starland RAT performs several checks to ensure its stealth and effectiveness. It first verifies if it is running within a sandbox environment to evade detection by security analysis tools. For persistence, it adds scheduled tasks and items to the Windows Startup folder, ensuring it runs even after reboots. The malware also attempts to escalate its privileges to gain deeper access to the compromised system.

Starland RAT is designed to exfiltrate a variety of sensitive data. It actively searches for browser data, including credentials and cryptocurrency wallet assets from over 40 different desktop and browser-extension wallets. Additionally, it collects comprehensive system details such as hardware ID, RAM, processor, operating system, network information, and installed antivirus products. The malware also targets Active Directory information, gathering details about the domain structure, domain controllers, and the victim's domain privileges.

Beyond data theft, Starland RAT possesses a range of capabilities, including capturing screenshots, executing arbitrary shell commands, injecting 32- or 64-bit shellcode, and downloading additional malicious payloads like EXEs, MSIs, and DLLs. In observed attacks, the injected shellcode has been used to deploy other malware families. The 64-bit shellcode chain has been seen delivering the CastleStealer info-stealer, while the 32-bit chain deploys the Remcos RAT, further expanding the attacker's reach and capabilities.

Command and control (C2) communication for Starland RAT exhibits a redundancy mechanism. If the primary hardcoded C2 address is unreachable, the malware queries a Polygon smart contract, using an XOR-encrypted fallback domain for communication. Furthermore, Talos discovered UAT-11795 employs a novel, undocumented PowerShell C2 framework named WLDR. This framework utilizes encrypted beaconing and communications, operates entirely in memory, and binds payload delivery to each victim's unique hardware identifier, making it more evasive and tailored.

To mitigate the threat posed by UAT-11795 and the Starland RAT, organizations should implement the indicators of compromise (IoCs) provided in the Cisco Talos report. Users are strongly advised to exercise caution when executing commands found online and to download software exclusively from official vendor portals to avoid falling victim to trojanized installers.

This new reporting from Cisco Talos provides significant additional detail on the UAT-11795 campaign, including the discovery of a novel Python-based Starland RAT and a sophisticated PowerShell command-and-control implant dubbed the "WLDR agent." The WLDR agent features encrypted beaconing and task queuing, enhancing its stealth and operational capabilities. Furthermore, Talos has identified that the threat actor also maintains CastleStealer and Remcos RAT as alternative payloads, broadening their toolkit for credential and cryptocurrency theft.

Synthesized by Vypr AI