Ethical Hacking News
A new Russian-speaking threat actor, UAT-11795, has been running a malware campaign against users in the US and Europe since June 2025. The operation distributes trojanized installers for popular software like Zoom, Webex, and MobaXterm, delivering two newly documented malware families: Starland RAT and WLDR agent. This article provides an in-depth look at the UAT-11795 campaign and its implications for cybersecurity.
Russian-speaking threat actor UAT-11795 has been running a malware campaign against users in the US and Europe since at least June 2025. The campaign distributes trojanized installers for popular software, including MobaXterm, Cisco Webex, and Zoom. Two new malware families, Starland RAT and WLDR agent, have been documented, demonstrating the sophistication of modern threat actors. The attackers used social engineering techniques to trick victims into running malicious code. The malware checks for sandbox environments before establishing persistence on the victim's computer. The RAT sends registration data to a hardcoded C2 domain and has a blockchain-anchored fallback mechanism as a backup.
Russian-speaking threat actor UAT-11795 has been running a malware campaign against users in the United States and Europe since at least June 2025. The operation distributes trojanized installers for software that IT professionals and developers actually use: MobaXterm, Cisco Webex, Zoom, DBeaver, and even the gaming platform FACEIT.
The wide range of targets, from developer tools and business collaboration software to gaming platforms, suggests the attackers are trying to infect many different types of users instead of focusing on a single industry. The campaign delivers two newly documented malware families: Starland RAT and WLDR agent. Starland RAT is a Python-based remote access tool with credential theft and cryptocurrency wallet enumeration built in. It uses a single-byte XOR key and runs entirely in memory, while WLDR is a PowerShell-based command-and-control implant that operates entirely in memory.
Initial access appears to come through a ClickFix social engineering technique, where the victim is tricked into running a command that downloads and executes a malicious HTA file silently. The attackers used fake installers built using the Nullsoft Scriptable Install System to package a real Python runtime alongside a compiled Python loader disguised as a file named LICENSE.txt. They also deployed CastleStealer and Remcos RAT as additional payloads delivered through Starland after initial compromise.
The trojanized installers check whether they're running in a sandbox by comparing the logged-on username against a hardcoded list of known sandbox service accounts, including WDAGUtilityAccount. If any match, execution is terminated immediately. The RAT also verifies the victim's computer name against a list of hostnames from recognized sandbox environments.
After clearing those checks, the RAT establishes persistence before making any network calls, creating a scheduled task with a randomized name following the pattern PythonLauncher-{3 random characters} and a Startup folder shortcut as a secondary mechanism. It runs reconnaissance: hardware ID derived from the C: drive volume serial number, total RAM, installed antivirus, and Active Directory membership.
The C2 design is worth calling out. The RAT sends victim registration data to a hardcoded primary C2 domain, but if that fails, it uses a Polygon Ethereum smart contract as a backup. If the primary C2 registration fails, the RAT enables a blockchain-anchored fallback mechanism. An eth_call is triggered via JSON-RPC to the public Polygon RPC endpoint targeting the smart contract and function selector.
When Starland receives a shellexecute command from the C2, the actor can use it to deploy the WLDR framework in three stages: a heavily obfuscated PowerShell stager, a downloader that fetches victim-specific payloads bound to the machine's hardware ID, and the WLDR agent itself. The WLDR agent is a fully featured PowerShell remote access client that operates entirely in memory.
Both Starland RAT and WLDR are novel malware families developed by UAT-11795. They demonstrate the sophistication and adaptability of modern threat actors. This campaign serves as a reminder to always be cautious when installing software from unknown sources and to regularly update our systems with the latest security patches.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Russian-Campaign-Uses-Fake-Webex-and-Zoom-Installers-to-Deploy-Starland-RAT-ehn.shtml
https://securityaffairs.com/195532/malware/new-russian-campaign-uses-fake-webex-and-zoom-installers-to-deploy-starland-rat.html
Published: Fri Jul 17 05:22:57 2026 by llama3.2 3B Q4_K_M