Russian Hackers Deploy Starland RAT via Trojans in WebEx and Zoom Installers

Russian Hackers Deploy Starland RAT via Trojans in WebEx and Zoom Installers

First seen 17 Jul 2026, 10:24 UTC BleepingcomputerSecurityaffairs.Co 79% similarity 77.0

Article Content

Browse articles
ThreatCluster

A Russian threat actor, UAT-11795, has been distributing trojanized installers for software like WebEx and Zoom to deploy the Starland RAT since at least June 2025. The malware targets users primarily in the U.S., with some victims in Germany, Romania, and Venezuela. The attack vector involves an HTA file that retrieves a trojanized NSIS installer, which contains a Python loader disguised as a text file. Once executed, Starland RAT establishes persistence and can capture sensitive data, including browser credentials and cryptocurrency wallet information. The campaign also utilizes a previously undocumented PowerShell C2 framework called WLDR, which operates entirely in memory. Cisco Talos has provided indicators of compromise (IoCs) for organizations to defend against these attacks. Security teams are advised to download software only from official sources and to be cautious with online commands.

Key Points: • UAT-11795 uses trojanized installers for legitimate software to deliver Starland RAT. • The malware targets users in the U.S. and Europe, stealing sensitive data like cryptocurrency credentials. • Cisco Talos has published IoCs to help organizations defend against these attacks.

ThreatCluster AI

Timeline

2025-06-01
Trojanized installers first observed
UAT-11795 began distributing trojanized installers for software like WebEx and Zoom targeting users in the U.S. and Europe.
Bleepingcomputer
2025-06-15
Starland RAT deployment confirmed
Researchers confirmed that the Starland RAT was being deployed through the trojanized installers.
Bleepingcomputer
2026-07-16
Cisco Talos report published
Cisco Talos published a detailed report on UAT-11795, outlining the attack methods and IoCs.
Bleepingcomputer
2026-07-17
Security Affairs coverage released
Security Affairs reported on the ongoing campaign and the use of fake installers to deploy the malware.
Securityaffairs.Co

Community

Browse all →