2 min read

Russian Hackers Hide Starland RAT in Zoom and WebEx Apps

Cisco Talos says UAT-11795 has used trojanized Zoom, WebEx, and other installers since June 2025 to steal credentials and crypto assets.

Image: BleepingComputer

A financially motivated Russian threat actor tracked as UAT-11795 is distributing trojanized versions of legitimate apps to deliver a new backdoor called Starland RAT, according to Cisco Talos. The campaign has been active since at least June 2025, mainly targeting users in the U.S., with additional victims seen in Germany, Romania, and Venezuela.

Talos says the malicious payload has been bundled with installers for well-known software including MobaXterm, WebEx, Zoom, DBeaver, and FaceIT.

Researchers could not confirm the initial infection vector, but they suspect the attackers may be using the ClickFix technique. In Talos' analysis, the attack begins with an HTA file that fetches a trojanized NSIS installer containing a Python loader disguised as LICENSE.txt.

That loader modifies the Windows Registry for persistence, then decrypts and loads Starland RAT. Once running, the malware checks for sandbox environments, creates scheduled tasks and Startup folder items, and attempts to elevate privileges.

Recommended reading

CISA gives feds until Saturday to patch Oracle EBS flaw

The malware is designed to collect:

  • Browser data and cryptocurrency wallet assets, including more than 40 desktop and browser-extension wallets
  • System details such as HWID, RAM, processor, operating system, computer name, region, public IP address, and installed antivirus products
  • Active Directory information, including domain structure, domain controllers, and the victim’s domain privileges

Starland can also capture screenshots, run shell commands, inject 32-bit or 64-bit shellcode, and download additional payloads including EXEs, MSIs, DLLs, and ZIPs. In attacks observed by Talos, the 64-bit shellcode chain delivered CastleStealer, while the 32-bit chain delivered Remcos RAT.

CastleStealer targets browser credentials, crypto wallet data, Discord and Telegram sessions, Steam credentials, and files on disk. Remcos RAT adds keylogging, webcam and screen capture, audio recording, clipboard monitoring, file management, and remote command execution.

!Overview of the UAT-11795 attack chain.jpg)

Talos said Starland’s command-and-control setup includes a fallback mechanism: if a hardcoded address fails, it queries a Polygon smart contract for an XOR-encrypted backup domain. The researchers also found that UAT-11795 uses a previously undocumented PowerShell C2 framework called WLDR, which uses PBKDF2-SHA256 encrypted beaconing and communications, runs entirely in memory, and ties payload delivery to each victim’s hardware identifier.

Talos recommends that organizations use the indicators of compromise listed in its report. For users, the guidance is simpler: avoid running commands copied from the web unless you understand them, and download software only from verified official vendor sites.

article image
article image
Sophia Reynolds

Security Editor

Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.

via BleepingComputer

// Keep reading