Skip to content
Bleeping Computer

Russian hackers trojanize WebEx, Zoom apps to push Starland malware


A financially motivated Russian threat actor tracked as UAT-11795 is using trojanized software to steal credentials and cryptocurrency by deploying a new backdoor called Starland RAT.

Attacks have been occurring since at least June 2025 and have focused on users in the U.S., although victims in Germany, Romania, and Venezuela have been observed as well.

According to researchers at Cisco Talos, the threat actor distributes the payload via trojanized installers for legitimate software such as MobaXterm, WebEx, Zoom, DBeaver, and FaceIT.

image

Although the researchers could not confirm the infection vector, they speculate that the malicious files are likely pushed using the ClickFix method.

In an analysis published today, Cisco Talos says that the attack starts with an HTA file that retrieves a trojanized NSIS installer containing a Python loader disguised as a text file (LICENSE.txt).

The loader modifies the Windows Registry to establish persistence and then decrypts and loads the Starland remote access trojan (RAT).

When launched, Starland checks whether it is running in a sandbox environment, adds scheduled tasks and Startup folder items for persistence, and tries to increase its privileges.

The malware looks for the following types of data on the compromised system:

  • Browser data and cryptocurrency wallet assets, including more than 40 desktop and browser-extension wallets
  • System details, including the HWID, RAM, processor, operating system, computer name, region, public IP address, and installed antivirus products
  • Active Directory information, including domain structure, domain controllers, and the victim’s domain privileges

StarlandRAT can also capture screenshots of the victim’s desktop, execute shell commands, inject 32- or 64-bit shellcode, and download additional payloads (EXEs, MSIs, DLLs, ZIPs).

In the observed attacks, the 64-bit shellcode chain delivers the CastleStealer info-stealer malware, while the 32-bit chain delivers the Remcos remote access trojan (RAT).

CastleStealer targets browser credentials, cryptocurrency wallet information, Discord and Telegram sessions, Steam credentials, and filesystem files.

Remcos RAT provides capabilities such as keylogging, webcam and screen capture, audio recording, clipboard monitoring, file management, and remote command execution.

Overview of the UAT-11795 attack chain
Overview of the UAT-11795 attack chain
Source: Cisco Talos

Cisco Talos highlights that the malware’s command-and-control (C2) communication has a redundancy mechanism if reaching the hardcoded address fails, which involves querying a Polygon smart contract with an XOR-encrypted fallback domain.

Talos also discovered that UAT-11795 uses a previously undocumented PowerShell C2 framework called WLDR, which uses encrypted (PBKDF2-SHA256) beaconing and communications, operates entirely in memory, and binds payload delivery to each victim’s hardware identifier.

To defend against UAT-11795 attacks, organizations should use the indicators of compromise IoCs in the Cisco Talos report.

Users should avoid executing commands found online if they don’t understand what they do and should download software only from confirmed official vendor portals.

article image

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper



Source link