Securityaffairs.Co
Russian Hackers Deploy Starland RAT via Trojans in WebEx and Zoom Installers
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A Russian threat actor, UAT-11795, has been distributing trojanized installers for software like WebEx and Zoom to deploy the Starland RAT since at least June 2025. The malware targets users primarily in the U.S., with some victims in Germany, Romania, and Venezuela. The attack vector involves an HTA file that retrieves a trojanized NSIS installer, which contains a Python loader disguised as a text file. Once executed, Starland RAT establishes persistence and can capture sensitive data, including browser credentials and cryptocurrency wallet information. The campaign also utilizes a previously undocumented PowerShell C2 framework called WLDR, which operates entirely in memory. Cisco Talos has provided indicators of compromise (IoCs) for organizations to defend against these attacks. Security teams are advised to download software only from official sources and to be cautious with online commands.
Key Points: • UAT-11795 uses trojanized installers for legitimate software to deliver Starland RAT. • The malware targets users in the U.S. and Europe, stealing sensitive data like cryptocurrency credentials. • Cisco Talos has published IoCs to help organizations defend against these attacks.