UAT-11795 Deploys Starland RAT and WLDR Agent via Trojanized Software
UAT-11795, a sophisticated and financially motivated Russian-speaking threat actor, targets users in the U.S. and Europe with trojanized software installers to deploy custom Python-based Starland RAT and an in-memory PowerShell WLDR agent for credential theft and cryptocurrency exfiltration.
Cisco Talos has disclosed details of a new campaign by UAT-11795, a sophisticated, financially motivated Russian-speaking adversary that has been active since at least June 2025. This threat actor targets individuals and organizations in the U.S. and Europe, leveraging trojanized software installers for popular applications such as Webex, Zoom, and MobaXterm to establish initial access. The primary payload is a custom Python-based remote access tool (RAT) dubbed "Starland RAT," which serves as a gateway for deploying further malicious implants. Notably, UAT-11795 deploys a bespoke, in-memory PowerShell command-and-control (C2) agent tracked as the "WLDR agent." The group employs highly evasive techniques, including AMSI and ETW bypasses, and utilizes a unique blockchain-anchored fallback mechanism to maintain persistent C2 communications. Once a foothold is established, UAT-11795 quickly deploys secondary payloads like CastleStealer and Remcos RAT to steal credentials and cryptocurrency assets.
Attack Chain
- Initial Access: UAT-11795 distributes trojanized software installers for popular applications, including Webex, Zoom, and MobaXterm. Victims are lured into downloading and executing these compromised installers, often through social engineering or unofficial download sources.
- Payload Delivery: Upon execution, the trojanized installer deploys "Starland RAT," a custom Python-based remote access tool, onto the victim's system.
- Command and Control Establishment: Starland RAT establishes initial command and control, acting as a primary gateway for further malicious activities and payload delivery.
- Secondary Payload Deployment: The actor deploys a bespoke, in-memory PowerShell C2 implant known as the "WLDR agent," which operates directly in memory to evade detection.
- Defense Evasion & Resilient C2: UAT-11795 employs advanced evasive techniques such as AMSI and ETW bypasses to hinder security analysis. They also establish a blockchain-anchored fallback mechanism to ensure persistent command and control, even if primary channels are disrupted.
- Credential Access: Secondary payloads, including CastleStealer and Remcos RAT, are deployed to siphon high-value credentials from the compromised system.
- Data Exfiltration: The final objective involves exfiltrating stolen credentials and cryptocurrency assets from the victim's environment, leading to financial gain for the adversary.
Impact
This opportunistic campaign casts a wide net across multiple victim profiles, turning a simple software download into a full-blown compromise for individuals and corporate entities alike in the U.S. and Europe. Attackers are financially motivated, deploying secondary payloads like CastleStealer and Remcos RAT to siphon high-value credentials and cryptocurrency assets from victims. Successful compromise leads to significant data theft, potential financial loss, and sustained unauthorized access through persistent command and control mechanisms, posing a severe risk to affected organizations and individuals.
Recommendation
- Deploy the Sigma rules in this brief to your SIEM and tune them for your environment to detect suspicious activity.
- Educate your users on social engineering tactics and the dangers of unofficial software downloads to prevent initial access by UAT-11795 via trojanized installers.
- Monitor for suspicious execution of
mshta.exeand unusual PowerShell activity, particularly scripts executing from memory, using the provided Sigma rules to detect execution and defense evasion techniques. - Ensure endpoint detection solutions are tuned to catch AMSI tampering and in-memory execution, indicators of UAT-11795's defense evasion.
Detection coverage 2
Detect Suspicious Mshta.exe Execution
highDetects suspicious execution of mshta.exe, often used by adversaries for arbitrary code execution, especially for fetching and executing remote scripts or HTA files.
Detect Suspicious PowerShell In-Memory or Encoded Commands
highDetects common indicators of suspicious PowerShell activity, including the use of encoded commands or techniques often associated with in-memory execution, as seen in campaigns like UAT-11795.
Detection queries are available on the platform. Get full rules →