Russian Threat Actor UAT-11795 Deploys Starland RAT via Trojanized Software
A financially motivated Russian threat actor, tracked as **UAT-11795**, is leveraging trojanized legitimate software to distribute the novel **Starland RAT**. This sophisticated campaign aims to steal credentials and cryptocurrency, primarily targeting users in the U.S. but also observed in Germany, Romania, and Venezuela.
Cybersecurity researchers at **Cisco Talos** have uncovered a new campaign by **UAT-11795**, a Russian threat actor group. The group is deploying a new remote access trojan (**RAT**) called **Starland RAT** through seemingly legitimate software installers.
Attacks, ongoing since at least June 2025, have focused on U.S. users, with additional victims identified in Germany, Romania, and Venezuela.
### Trojanized Software as an Entry Point
**UAT-11795** distributes its malicious payload via trojanized installers for popular software such as **MobaXterm**, **WebEx**, **Zoom**, **DBeaver**, and **FaceIT**. While the exact infection vector remains unconfirmed, researchers speculate the use of methods like "ClickFix."
### The Attack Chain Unveiled
According to **Cisco Talos**, the attack typically initiates with an HTA file. This file retrieves a trojanized **NSIS** installer containing a Python loader, cleverly disguised as a text file named `LICENSE.txt`.
The loader then modifies the Windows Registry to establish persistence before decrypting and loading the **Starland RAT**.
### Starland RAT's Capabilities
Upon execution, **Starland RAT** performs several checks, including environment analysis to detect sandboxes. It then establishes persistence through scheduled tasks and Startup folder items and attempts to elevate its privileges.
The malware is designed to exfiltrate a wide array of sensitive data, including:
* Browser data and cryptocurrency wallet assets (supporting over 40 desktop and browser-extension wallets)
* System details, such as hardware ID, RAM, processor, operating system, computer name, region, public IP address, and installed antivirus products
* **Active Directory** information, including domain structure, domain controllers, and victim's domain privileges
Beyond data exfiltration, **Starland RAT** can capture desktop screenshots, execute shell commands, inject 32- or 64-bit shellcode, and download additional payloads (EXEs, MSIs, DLLs, ZIPs).
### Secondary Payloads: CastleStealer and Remcos RAT
In observed attacks, the 64-bit shellcode chain delivers the **CastleStealer** info-stealer malware. **CastleStealer** targets browser credentials, cryptocurrency wallet information, **Discord** and **Telegram** sessions, **Steam** credentials, and filesystem files.
The 32-bit chain, conversely, delivers the notorious **Remcos RAT**, known for its keylogging, webcam and screen capture, audio recording, clipboard monitoring, file management, and remote command execution capabilities.
.jpg)
### Advanced C2 Infrastructure
**Cisco Talos** highlights the sophistication of the malware's command-and-control (**C2**) communication. It incorporates a redundancy mechanism that, if the hardcoded address fails, queries a **Polygon** smart contract with an XOR-encrypted fallback domain.
Furthermore, **UAT-11795** utilizes a previously undocumented PowerShell C2 framework named **WLDR**. This framework employs encrypted (PBKDF2-SHA256) beaconing and communications, operates entirely in memory, and ties payload delivery to each victim's unique hardware identifier.
### Defense and Mitigation
Organizations are strongly advised to leverage the indicators of compromise (**IoCs**) provided in the **Cisco Talos** report to defend against **UAT-11795** attacks.
Users should exercise extreme caution and avoid executing commands found online if their functionality is not fully understood. Crucially, all software should only be downloaded from confirmed official vendor portals to prevent falling victim to trojanized installers.