{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/mobatek/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["UAT-11795"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Webex","Zoom","MobaXterm"],"_cs_severities":["high"],"_cs_tags":["financially-motivated","rat","c2","trojan","windows","python","powershell"],"_cs_type":"threat","_cs_vendors":["Cisco","Zoom Video Communications","Mobatek"],"content_html":"\u003cp\u003eCisco Talos has disclosed details of a new campaign by UAT-11795, a sophisticated, financially motivated Russian-speaking adversary that has been active since at least June 2025. This threat actor targets individuals and organizations in the U.S. and Europe, leveraging trojanized software installers for popular applications such as Webex, Zoom, and MobaXterm to establish initial access. The primary payload is a custom Python-based remote access tool (RAT) dubbed \u0026quot;Starland RAT,\u0026quot; which serves as a gateway for deploying further malicious implants. Notably, UAT-11795 deploys a bespoke, in-memory PowerShell command-and-control (C2) agent tracked as the \u0026quot;WLDR agent.\u0026quot; The group employs highly evasive techniques, including AMSI and ETW bypasses, and utilizes a unique blockchain-anchored fallback mechanism to maintain persistent C2 communications. Once a foothold is established, UAT-11795 quickly deploys secondary payloads like CastleStealer and Remcos RAT to steal credentials and cryptocurrency assets.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: UAT-11795 distributes trojanized software installers for popular applications, including Webex, Zoom, and MobaXterm. Victims are lured into downloading and executing these compromised installers, often through social engineering or unofficial download sources.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePayload Delivery\u003c/strong\u003e: Upon execution, the trojanized installer deploys \u0026quot;Starland RAT,\u0026quot; a custom Python-based remote access tool, onto the victim's system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand and Control Establishment\u003c/strong\u003e: Starland RAT establishes initial command and control, acting as a primary gateway for further malicious activities and payload delivery.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eSecondary Payload Deployment\u003c/strong\u003e: The actor deploys a bespoke, in-memory PowerShell C2 implant known as the \u0026quot;WLDR agent,\u0026quot; which operates directly in memory to evade detection.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion \u0026amp; Resilient C2\u003c/strong\u003e: UAT-11795 employs advanced evasive techniques such as AMSI and ETW bypasses to hinder security analysis. They also establish a blockchain-anchored fallback mechanism to ensure persistent command and control, even if primary channels are disrupted.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access\u003c/strong\u003e: Secondary payloads, including CastleStealer and Remcos RAT, are deployed to siphon high-value credentials from the compromised system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration\u003c/strong\u003e: The final objective involves exfiltrating stolen credentials and cryptocurrency assets from the victim's environment, leading to financial gain for the adversary.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis opportunistic campaign casts a wide net across multiple victim profiles, turning a simple software download into a full-blown compromise for individuals and corporate entities alike in the U.S. and Europe. Attackers are financially motivated, deploying secondary payloads like CastleStealer and Remcos RAT to siphon high-value credentials and cryptocurrency assets from victims. Successful compromise leads to significant data theft, potential financial loss, and sustained unauthorized access through persistent command and control mechanisms, posing a severe risk to affected organizations and individuals.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune them for your environment to detect suspicious activity.\u003c/li\u003e\n\u003cli\u003eEducate your users on social engineering tactics and the dangers of unofficial software downloads to prevent initial access by UAT-11795 via trojanized installers.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious execution of \u003ccode\u003emshta.exe\u003c/code\u003e and unusual PowerShell activity, particularly scripts executing from memory, using the provided Sigma rules to detect execution and defense evasion techniques.\u003c/li\u003e\n\u003cli\u003eEnsure endpoint detection solutions are tuned to catch AMSI tampering and in-memory execution, indicators of UAT-11795's defense evasion.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T18:03:04Z","date_published":"2026-07-16T18:03:04Z","id":"https://feed.craftedsignal.io/briefs/2026-07-uat-11795-starland-rat/","summary":"UAT-11795, a sophisticated and financially motivated Russian-speaking threat actor, targets users in the U.S. and Europe with trojanized software installers to deploy custom Python-based Starland RAT and an in-memory PowerShell WLDR agent for credential theft and cryptocurrency exfiltration.","title":"UAT-11795 Deploys Starland RAT and WLDR Agent via Trojanized Software","url":"https://feed.craftedsignal.io/briefs/2026-07-uat-11795-starland-rat/"}],"language":"en","title":"CraftedSignal Threat Feed - Mobatek","version":"https://jsonfeed.org/version/1.1"}