UAT-11795
Summary
Cisco Talos tracks UAT-11795 as a sophisticated Russian-speaking, financially motivated threat actor that has conducted a malware campaign against users in the United States and Europe since at least June 2025.
Talos reports that UAT-11795 uses ClickFix-style social engineering, weaponized HTA files, and trojanized installers for developer, IT administration, collaboration, and gaming software to deliver Starland RAT, WLDR agent, CastleStealer, and Remcos RAT.
Tags
- groups
- actors
- cybercrime
- financially motivated
- Russian-speaking ecosystem
- ClickFix
- trojanized installers
- Starland RAT
- WLDR agent
- CastleStealer
- Remcos RAT
- cryptocurrency theft
- credential theft
Why this matters
- The actor targets broad workstation populations rather than one vertical, including IT administrators and developers through lures such as MobaXterm and DBeaver installers.
- The campaign combines social engineering, installer trojanization, Python runtime abuse, PowerShell memory-resident C2, Telegram notification channels, and blockchain fallback C2.
- Starland can stage multiple follow-on payload formats, so an infection should be treated as interactive access and possible credential/wallet theft, not just a single stealer run.
- Talos' Russian-language artifact evidence supports a Russian-speaking operator assessment, but the public reporting frames the activity as financially motivated rather than state-directed.
Reported activity
June 2025 onward
- Talos says the actor has been active since at least June 2025, based on campaign telemetry and a private Telegram channel named
stuk komandacreated on June 5, 2025. - The campaign primarily affected the United States, with lower-volume potential impact in Germany, Romania, and Venezuela.
- UAT-11795 used trojanized installers for software categories that can reach privileged workstations: SSH / remote-desktop tooling, database clients, enterprise collaboration apps, and consumer gaming.
July 2026 Talos disclosure
- Talos publicly disclosed the cluster on July 16, 2026, naming Starland RAT and WLDR agent as novel tooling.
- The reported infection path starts with likely ClickFix social engineering that runs a remote HTA through
mshta.exe, drops a batch file, downloads a trojanized NSIS installer, and runs a Python loader disguised asLICENSE.txtwith bundledpythonw.exe. - The actor used Telegram bots for execution notifications and wallet inventory reports, then used Starland RAT to register victims, receive commands, and deploy follow-on payloads such as WLDR, CastleStealer, and Remcos.
Infrastructure and pivots
- Staging / PowerShell chain domains:
eorthopaedics[.]com,sastoro[.]com. - Shellcode / archive staging:
web-devtools[.]compaths including/starlandfox,/x32remka, and/dopfile. - HTA / trojanized-installer staging:
zynaris[.]io. - Starland C2 domains:
windowscreenrepairnearme[.]comandaipythondevs[.]com. - Polygon smart-contract fallback:
0x6ae382ed2154cc84c6672e4e908cd2c69c1b35ba. - Telegram bots reported by Talos:
8384531459/skuefq_botand7993597060/komandastuk_bot.
Defender notes
- Hunt for ClickFix-to-HTA execution chains: browser or shell launching
mshta.exe, user-profile temp batch files, and persistence underHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunvalueMyApppointing tomshta.exe. - Inventory recently downloaded installers named like
MobaXterm_v26.1.exe,WebEx_Client.exe, Zoom installers,dbeaver-ce-windows-x86_64.exe, orFaceitInstaller_x64.exewhen accompanied by bundledpythonw.exeand a suspiciousLICENSE.txtPython payload. - Treat execution of Starland, WLDR, CastleStealer, or Remcos in this chain as broad credential exposure: browser credentials, cryptocurrency wallets, Discord/Telegram sessions, Steam accounts, domain context, and source-control/admin access may all be in scope.
- Correlate outbound traffic to the reported domains with Telegram bot API access, Polygon JSON-RPC calls, and PowerShell C2 traffic with Chrome-like headers.