UAT-11795 Threat Actor Targets US and European Organizations with Novel Starland RAT and WLDR Malware in Widespread Financial Campaigns

Cisco Talos has identified a sophisticated and highly aggressive Russian-speaking threat actor, currently tracked as UAT-11795, which has been conducting a series of cyberattacks targeting entities across the United States, Europe, and South America. Since at least June 2023, this group has leveraged a combination of social engineering tactics and bespoke malware to compromise systems, with the primary objective of stealing sensitive credentials and draining cryptocurrency assets. The campaign is notable for its use of trojanized installers for ubiquitous business and gaming software, effectively turning legitimate tools like Zoom, WebEx, and MobaXterm into delivery vehicles for malicious payloads.
The emergence of UAT-11795 highlights an ongoing shift in the cyber threat landscape, where attackers increasingly move away from the exploitation of software vulnerabilities toward the exploitation of human psychology and the abuse of trusted digital supply chains. By masquerading as necessary updates or essential administrative tools, the threat actor bypasses traditional perimeter defenses, establishing a foothold within corporate and personal environments alike.
The Evolution of the UAT-11795 Campaign
The activities of UAT-11795 were first observed in the summer of 2023, coinciding with the creation of a private Telegram channel titled "stuk komanda." This channel, which remains under the control of the threat actor, appears to serve as a coordination hub or a log for successful infections, though it currently maintains a very small number of subscribers. Over the past year, the group has refined its delivery methods, moving from simple malicious links to a complex multi-stage infection chain that utilizes the "ClickFix" social engineering technique.
While the group’s origins appear to be Russian-speaking, their reach is global. Data from Cisco Talos indicates that the vast majority of infections have occurred within the United States, suggesting a deliberate focus on high-value targets in North America. However, significant activity has also been detected in Germany and Romania, reflecting a broader interest in European infrastructure. Unexpectedly, Venezuela has also appeared in the group’s telemetry, indicating that while the group is geographically focused, its methods are opportunistic and capable of impacting any region where its trojanized software is downloaded.
Technical Analysis of the Malware Arsenal: Starland RAT and WLDR Agent
The hallmark of UAT-11795’s operations is the deployment of two previously undocumented malware strains: Starland RAT and the WLDR agent. These tools are designed to work in tandem, providing the attacker with both immediate data exfiltration capabilities and long-term persistence on the victim’s machine.
Starland RAT: The Python-Based Remote Access Tool
Starland RAT is a sophisticated remote access trojan (RAT) written in Python. Its primary function is to serve as a comprehensive surveillance and data theft tool. Once executed, it can perform a wide range of malicious actions, including:
- Credential Harvesting: Searching for and exfiltrating saved passwords from web browsers and local applications.
- Cryptocurrency Theft: Scanning the system for digital wallet files, browser extensions related to crypto-wallets, and private keys.
- Screen and Input Monitoring: Capturing screenshots and logging keystrokes to monitor user activity in real-time.
- File Management: Allowing the attacker to upload, download, and execute files on the infected host.
The use of Python for Starland RAT allows the threat actor to quickly modify the code to evade detection by signature-based antivirus solutions. By bundling the Python script with a legitimate-looking installer, the attacker ensures that the malware runs in the background without raising suspicion.
WLDR Agent: The Stealthy PowerShell Implant
While Starland RAT handles the heavy lifting of data theft, the WLDR agent acts as a stealthy, in-memory command-and-control (C2) implant. Developed in PowerShell, WLDR is designed to be "fileless," meaning it resides primarily in the system’s RAM rather than on the hard drive. This makes it significantly harder for traditional forensic tools to detect.
Key features of the WLDR agent include:
- Encrypted Beaconing: The agent communicates with the C2 server using encrypted traffic, making it difficult for network security tools to identify the communication as malicious.
- Task Queuing: It can receive and queue multiple commands from the attacker, executing them sequentially to avoid sudden spikes in system activity that might trigger alerts.
- Runspace Execution Engine: WLDR utilizes a specialized execution engine that allows it to run additional payloads—such as more advanced malware or lateral movement tools—directly in memory.
The Infection Chain: From ClickFix to Compromise
UAT-11795 employs a highly effective infection chain that relies on the "ClickFix" social engineering tactic. This method involves presenting the user with a deceptive prompt, often mimicking a browser error or a software update notification, that instructs the user to copy and execute a command in their terminal (such as PowerShell or the Windows Command Prompt) to "fix" the issue.
When the user executes the provided command, it initiates a series of events:
- HTA Execution: The command downloads and executes a remotely hosted, weaponized HTML Application (HTA) file.
- VBScript Deployment: The HTA file contains an embedded VBScript that executes upon opening.
- Batch File Implantation: The VBScript drops a Windows batch file into the user profile’s temporary application folder.
- Trojanized Installer Download: This batch file contains instructions to reach out to an attacker-controlled staging domain to download the final payload: a trojanized version of a legitimate software installer.
The software used in these attacks includes MobaXterm (a popular terminal for developers), Cisco WebEx, Zoom, DBeaver (a database management tool), and FaceIT (a gaming platform). By choosing tools used by both IT professionals and general consumers, UAT-11795 ensures a wide net of potential victims.
Resilient Infrastructure and Blockchain Fallback
One of the most technically interesting aspects of UAT-11795’s operation is its approach to infrastructure resilience. To prevent their C2 communications from being easily disrupted by domain take-downs, the group has implemented a fallback mechanism using a smart contract on the Polygon blockchain.
Blockchain-based C2 channels are an emerging trend in cybercrime. Because the blockchain is decentralized and immutable, it is nearly impossible for law enforcement or security researchers to "shut down" a smart contract. If the primary C2 domains used by Starland RAT or WLDR are blocked, the malware can query the Polygon smart contract to retrieve the address of a new, active C2 server. This ensures that the attackers maintain persistent access to their victims even in the face of active defensive measures.
Industry Reactions and Expert Analysis
The cybersecurity community has reacted with concern to the discovery of UAT-11795, particularly regarding the group’s ability to exploit the trust users place in everyday business applications.
Muhammad Yahya Patel, CISO and cybersecurity advisor at Huntress, emphasized that this campaign targets the core of modern work environments. "This is the latest in a string of attacks by hackers using the very tools our remote and hybrid workers rely on," Patel noted. "By hiding the Starland RAT inside trusted software and likely utilizing deceptive ClickFix social engineering tactics, these threat actors are completely bypassing traditional perimeter defenses to exploit human psychology rather than software vulnerabilities."
Gabrielle Hempel, security operations strategist at Exabeam, pointed out that the presence of a "signed installer" no longer guarantees safety. She argued that the UAT-11795 campaign necessitates a change in how organizations approach vulnerability management. "We often measure a program’s security maturity by patch SLAs, but we’re seeing so many successful intrusions starting with users executing software they believe is legitimate and not just unpatched systems," Hempel said. "If your security program can’t answer ‘where did this binary come from?’ as quickly as it can answer ‘is this CVE patched?’ then you are behind on your threat model."
Broader Impact and Implications for Global Cybersecurity
The rise of UAT-11795 reflects a broader professionalization of Russian-speaking cybercrime. The group’s ability to develop custom malware, manage complex social engineering campaigns, and utilize cutting-edge technology like blockchain for infrastructure resilience suggests a high level of resource and expertise.
For organizations, the implications are clear: technical controls alone are insufficient. While patching and firewall configurations remain essential, they cannot stop an employee from manually executing a command they believe is necessary to fix a work tool. This underscores the critical need for:
- Enhanced User Awareness: Training employees to recognize the "ClickFix" tactic and understand that legitimate software updates never require the manual execution of terminal commands.
- Endpoint Detection and Response (EDR): Implementing tools that can monitor for the "fileless" behavior exhibited by the WLDR agent and identify suspicious PowerShell activity.
- Strict Software Policies: Restricting the ability of non-administrative users to execute HTA files or download software from non-approved domains.
Chronology of UAT-11795 Activity
- June 2023: Initial creation of the "stuk komanda" Telegram channel and first reports of suspicious installers appearing on spoofed software domains.
- Late 2023: Increased activity targeting financial and gaming sectors in the US and Europe. The first iterations of the WLDR agent are identified in the wild.
- Early 2024: The group adopts the ClickFix social engineering technique, leading to a surge in successful infections.
- Mid-2024: Cisco Talos publishes a comprehensive analysis of the group, identifying the novel Starland RAT and the use of Polygon smart contracts for C2 fallback.
- Present: UAT-11795 remains active, with ongoing monitoring by global threat intelligence teams to identify new staging domains and evolving malware variants.
As the digital landscape continues to evolve, the case of UAT-11795 serves as a stark reminder that the human element remains the most vulnerable point in the security chain. The combination of custom-built malware and deceptive social engineering continues to provide a lucrative path for threat actors seeking to exploit organizations in the age of remote and hybrid work.







