• 2 min read
Trojanized Zoom and WebEx apps spread Starland RAT
Cisco Talos says Russian threat actor UAT-11795 has used fake installers since June 2025 to steal credentials and crypto, mainly targeting U.S. users.

Image: BleepingComputer
A financially motivated Russian threat actor known as UAT-11795 has been using trojanized versions of WebEx, Zoom, MobaXterm, DBeaver, and FaceIT to deploy a new backdoor called Starland RAT, according to Cisco Talos. The campaign has been active since at least June 2025 and has primarily targeted users in the U.S., with additional victims observed in Germany, Romania, and Venezuela.
Talos could not confirm the initial infection vector, but researchers suspect the malicious files may be distributed through the ClickFix method. The attack begins with an HTA file that downloads a trojanized NSIS installer containing a Python loader disguised as LICENSE.txt. That loader modifies the Windows Registry for persistence, then decrypts and launches Starland RAT.
Once active, the malware checks for sandbox environments, creates scheduled tasks and Startup folder entries, and attempts to elevate privileges. Talos says it collects:
- Browser data and cryptocurrency wallet assets, including data from more than 40 desktop and browser-extension wallets
- System details such as HWID, RAM, processor, operating system, computer name, region, public IP address, and installed antivirus products
- Active Directory information, including domain structure, domain controllers, and victim domain privileges
Starland RAT can also take screenshots, run shell commands, inject 32-bit or 64-bit shellcode, and download extra payloads including EXEs, MSIs, DLLs, and ZIPs. In attacks observed by Talos, the 64-bit shellcode chain deployed CastleStealer, while the 32-bit chain delivered Remcos RAT.
CastleStealer targets browser credentials, crypto wallets, Discord and Telegram sessions, Steam credentials, and local files. Remcos RAT adds features such as keylogging, webcam and screen capture, audio recording, clipboard monitoring, file management, and remote command execution.

Recommended reading
AI won’t replace penetration testers just yet
Talos also found resiliency in the malware’s command-and-control setup. If a hardcoded address fails, Starland can query a Polygon smart contract to retrieve an XOR-encrypted fallback domain. Researchers also identified a previously undocumented PowerShell C2 framework called WLDR, which uses PBKDF2-SHA256 encrypted beaconing, runs entirely in memory, and ties payload delivery to each victim’s hardware identifier.
Cisco Talos recommends that organizations use the indicators of compromise published in its report, while users should avoid running commands they do not understand and download software only from verified official vendor sites.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via BleepingComputer


