Russian UAT-11795 Targets Users with Trojans in Legitimate Software

Russian UAT-11795 Targets Users with Trojans in Legitimate Software

First seen 17 Jul 2026, 10:24 UTC BleepingcomputerSecurityaffairs.CoGbhackersScworldwww.itpro.com 82% similarity 75.0

Article Content

Browse articles
ThreatCluster

A Russian threat actor known as UAT-11795 has been deploying the Starland RAT and WLDR agent since June 2025, primarily targeting users in the U.S., Germany, Romania, and Venezuela. The group uses trojanized installers for popular applications like WebEx and Zoom to steal credentials and cryptocurrency. Initial access is gained through social engineering tactics, tricking users into executing malicious HTA files. The malware establishes persistence by modifying the Windows Registry and employs a fallback command-and-control channel hidden within a Polygon smart contract. Cisco Talos has reported that the malware can capture screenshots, execute commands, and exfiltrate sensitive data. Organizations are advised to follow the indicators of compromise (IoCs) provided by Cisco Talos and to be cautious about software sources.

Key Points: • UAT-11795 uses trojanized installers for legitimate software to deploy malware. • The Starland RAT targets credentials and cryptocurrency across multiple countries. • Cisco Talos provides IoCs for organizations to defend against these attacks.

ThreatCluster AI

Timeline

2025-06-01
UAT-11795 campaign begins
The Russian threat actor starts deploying Starland RAT and WLDR agent using trojanized software installers.
Bleepingcomputer
2026-07-16
Cisco Talos reports on UAT-11795
Cisco Talos publishes a detailed analysis of UAT-11795's tactics and tools, including the Starland RAT.
Bleepingcomputer
2026-07-17
Multiple outlets report on UAT-11795
Various cybersecurity news outlets confirm the ongoing campaign and provide additional insights into the malware's capabilities.
Scworld
2026-07-17
Cisco Talos shares IoCs
Cisco Talos advises organizations to use the provided IoCs to defend against UAT-11795's attacks.
Bleepingcomputer

Community

Browse all →