Skip to content

UAT-11795

Summary

Cisco Talos tracks UAT-11795 as a sophisticated Russian-speaking, financially motivated threat actor that has conducted a malware campaign against users in the United States and Europe since at least June 2025.

Talos reports that UAT-11795 uses ClickFix-style social engineering, weaponized HTA files, and trojanized installers for developer, IT administration, collaboration, and gaming software to deliver Starland RAT, WLDR agent, CastleStealer, and Remcos RAT.

Tags

Why this matters

  • The actor targets broad workstation populations rather than one vertical, including IT administrators and developers through lures such as MobaXterm and DBeaver installers.
  • The campaign combines social engineering, installer trojanization, Python runtime abuse, PowerShell memory-resident C2, Telegram notification channels, and blockchain fallback C2.
  • Starland can stage multiple follow-on payload formats, so an infection should be treated as interactive access and possible credential/wallet theft, not just a single stealer run.
  • Talos' Russian-language artifact evidence supports a Russian-speaking operator assessment, but the public reporting frames the activity as financially motivated rather than state-directed.

Reported activity

June 2025 onward

  • Talos says the actor has been active since at least June 2025, based on campaign telemetry and a private Telegram channel named stuk komanda created on June 5, 2025.
  • The campaign primarily affected the United States, with lower-volume potential impact in Germany, Romania, and Venezuela.
  • UAT-11795 used trojanized installers for software categories that can reach privileged workstations: SSH / remote-desktop tooling, database clients, enterprise collaboration apps, and consumer gaming.

July 2026 Talos disclosure

  • Talos publicly disclosed the cluster on July 16, 2026, naming Starland RAT and WLDR agent as novel tooling.
  • The reported infection path starts with likely ClickFix social engineering that runs a remote HTA through mshta.exe, drops a batch file, downloads a trojanized NSIS installer, and runs a Python loader disguised as LICENSE.txt with bundled pythonw.exe.
  • The actor used Telegram bots for execution notifications and wallet inventory reports, then used Starland RAT to register victims, receive commands, and deploy follow-on payloads such as WLDR, CastleStealer, and Remcos.

Infrastructure and pivots

  • Staging / PowerShell chain domains: eorthopaedics[.]com, sastoro[.]com.
  • Shellcode / archive staging: web-devtools[.]com paths including /starlandfox, /x32remka, and /dopfile.
  • HTA / trojanized-installer staging: zynaris[.]io.
  • Starland C2 domains: windowscreenrepairnearme[.]com and aipythondevs[.]com.
  • Polygon smart-contract fallback: 0x6ae382ed2154cc84c6672e4e908cd2c69c1b35ba.
  • Telegram bots reported by Talos: 8384531459 / skuefq_bot and 7993597060 / komandastuk_bot.

Defender notes

  • Hunt for ClickFix-to-HTA execution chains: browser or shell launching mshta.exe, user-profile temp batch files, and persistence under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value MyApp pointing to mshta.exe.
  • Inventory recently downloaded installers named like MobaXterm_v26.1.exe, WebEx_Client.exe, Zoom installers, dbeaver-ce-windows-x86_64.exe, or FaceitInstaller_x64.exe when accompanied by bundled pythonw.exe and a suspicious LICENSE.txt Python payload.
  • Treat execution of Starland, WLDR, CastleStealer, or Remcos in this chain as broad credential exposure: browser credentials, cryptocurrency wallets, Discord/Telegram sessions, Steam accounts, domain context, and source-control/admin access may all be in scope.
  • Correlate outbound traffic to the reported domains with Telegram bot API access, Polygon JSON-RPC calls, and PowerShell C2 traffic with Chrome-like headers.

Sources