Securityaffairs.Co
Russian UAT-11795 Targets Users with Trojans in Legitimate Software
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A Russian threat actor known as UAT-11795 has been deploying the Starland RAT and WLDR agent since June 2025, primarily targeting users in the U.S., Germany, Romania, and Venezuela. The group uses trojanized installers for popular applications like WebEx and Zoom to steal credentials and cryptocurrency. Initial access is gained through social engineering tactics, tricking users into executing malicious HTA files. The malware establishes persistence by modifying the Windows Registry and employs a fallback command-and-control channel hidden within a Polygon smart contract. Cisco Talos has reported that the malware can capture screenshots, execute commands, and exfiltrate sensitive data. Organizations are advised to follow the indicators of compromise (IoCs) provided by Cisco Talos and to be cautious about software sources.
Key Points: • UAT-11795 uses trojanized installers for legitimate software to deploy malware. • The Starland RAT targets credentials and cryptocurrency across multiple countries. • Cisco Talos provides IoCs for organizations to defend against these attacks.