Cisco Talos Identifies UAT-11795 as a New Russian-Speaking Threat Actor Deploying Bespoke Malware to Target Western Financial Assets

Security researchers at Cisco Talos have documented the emergence of a sophisticated Russian-speaking threat actor, currently tracked under the temporary identifier UAT-11795, which has been aggressively targeting organizations and individuals across the United States and Europe. Since at least June 2023, this group has demonstrated a high degree of technical proficiency, utilizing a combination of novel malware strains, social engineering tactics, and decentralized infrastructure to facilitate the theft of sensitive credentials and cryptocurrency assets. The campaign represents a significant shift in the threat landscape, as the attackers prioritize the exploitation of human psychology and the integrity of trusted software over the traditional exploitation of unpatched software vulnerabilities.
The discovery of UAT-11795 underscores the evolving nature of financially motivated cybercrime. By leveraging trojanized versions of widely used professional software—including Zoom, WebEx, and MobaXterm—the group has managed to bypass traditional perimeter defenses that rely on the reputation of legitimate applications. The campaign’s reliance on bespoke tools, specifically the Starland remote access trojan (RAT) and the WLDR command-and-control (C2) agent, suggests a well-resourced operation capable of developing and maintaining its own proprietary malicious code.
Chronology and Historical Context of UAT-11795 Operations
The activities of UAT-11795 can be traced back to the summer of 2023. Cisco Talos researchers first identified the group’s infrastructure in June 2023, coinciding with the creation of a private Telegram channel named "stuk komanda." This channel, which remains active with a small number of subscribers, is believed to be a central coordination hub or a log-dumping ground for the threat actors. The timing of this infrastructure setup suggests a deliberate and planned expansion into Western markets, moving beyond localized or regional operations.
Throughout the latter half of 2023 and into early 2024, the group refined its delivery mechanisms. Initially focusing on basic credential harvesting, the actor quickly transitioned to more complex payloads designed for persistent access and deep-system exploitation. By early 2024, the campaign had matured into a multi-stage infection process involving the "ClickFix" social engineering technique. This method has become a hallmark of the group’s operations, allowing them to gain initial access by tricking users into executing malicious commands under the guise of fixing browser errors or software glitches.
The Mechanics of Initial Access: The ClickFix Strategy
UAT-11795 utilizes a highly effective social engineering tactic known as ClickFix. This technique involves compromising or creating websites that display fake error messages to the visitor. These messages typically claim that a browser component has failed or that a specific font or update is required to view the page correctly. To "fix" the issue, the user is prompted to copy a specific string of code into their Windows PowerShell terminal or Command Prompt.
When a user follows these instructions, they inadvertently execute a command that initiates the download of a weaponized HTML Application (HTA) file from a remote, attacker-controlled server. This HTA file serves as the primary downloader for the rest of the infection chain. Once executed, the HTA file runs an embedded VBScript, which in turn drops a Windows batch file into the user profile’s temporary application folder. This batch file is the final stage of the delivery process, tasked with downloading and installing a trojanized version of a legitimate software installer.
By masquerading as common tools like MobaXterm, WebEx, Zoom, DBeaver, or the gaming platform FaceIT, the attackers exploit the inherent trust users place in professional productivity software. Because these installers are often digitally signed or appear identical to the legitimate versions, they frequently evade detection by basic endpoint protection platforms (EPP) that are not configured to perform deep behavioral analysis of "known-good" applications.
Technical Profile of Starland RAT and WLDR Agent
A central component of the UAT-11795 arsenal is the Starland RAT, a previously undocumented remote access tool written in Python. Starland is designed for comprehensive system surveillance and data exfiltration. Its capabilities include the ability to capture keystrokes, take screenshots, manage files on the victim’s machine, and execute arbitrary commands. Perhaps most importantly, Starland is specifically configured to scan for and exfiltrate data related to cryptocurrency wallets and browser-stored credentials.
Working in tandem with Starland is the WLDR agent, a PowerShell-based C2 memory implant. The WLDR agent represents a higher level of stealth, as it is designed to run entirely in-memory, leaving no traces on the physical disk of the infected machine. This "fileless" approach makes detection significantly more difficult for traditional antivirus solutions. Key features of the WLDR agent include:
- Encrypted Beaconing: Communication between the infected host and the C2 server is encrypted, masking the nature of the traffic from network monitoring tools.
- Task Queuing: The agent can receive and queue multiple tasks from the attacker, allowing for asynchronous operations and reduced network noise.
- Runspace Execution Engine: This engine allows the agent to execute additional PowerShell payloads within a separate thread, providing a modular architecture for expanding the attack’s capabilities.
Blockchain Integration and Command-and-Control Fallbacks
In a demonstration of technical ingenuity, UAT-11795 has integrated blockchain technology into its command-and-control infrastructure. Cisco Talos discovered that the group utilizes a smart contract on the Polygon (MATIC) network as a fallback C2 channel. By embedding C2 instructions or server addresses within a smart contract, the threat actors ensure that even if their primary domains are seized or blocked by security vendors, the infected machines can still receive new instructions by querying the decentralized ledger.
This use of Web3 infrastructure presents a unique challenge for defenders. Unlike traditional domains, which can be taken down by registrars or hosting providers, a smart contract on a public blockchain is immutable and permanent. This provides UAT-11795 with a highly resilient infrastructure that is virtually impossible to dismantle through conventional legal or technical means.
Victimology and Global Reach
While UAT-11795 is a Russian-speaking entity, its target demographic is distinctly international. According to Cisco Talos, the majority of identified infections have occurred within the United States. However, significant activity has also been observed in Germany and Romania, indicating a concerted effort to target the financial hubs of the West. Additionally, victims have been identified in Venezuela, suggesting that the group’s reach extends to regions with high cryptocurrency adoption rates.
The focus on professional software like Zoom and WebEx suggests that the attackers are primarily interested in corporate environments and high-value individual targets. By compromising the tools used for remote work and financial management, the group can gain access to corporate secrets, internal communications, and significant financial assets.
Industry Expert Responses and Strategic Analysis
The emergence of UAT-11795 has prompted warnings from across the cybersecurity industry. Muhammad Yahya Patel, CISO and cybersecurity advisor at Huntress, emphasized the psychological nature of the threat. "By hiding the Starland RAT inside trusted software and likely utilizing deceptive ClickFix social engineering tactics, these threat actors are completely bypassing traditional perimeter defenses to exploit human psychology rather than software vulnerabilities," Patel noted. He highlighted that the campaign targets the very tools that remote and hybrid workers rely on daily, making the deception particularly effective.
Gabrielle Hempel, a security operations strategist at Exabeam, suggested that this campaign requires a fundamental shift in how organizations approach vulnerability management. "We often measure a program’s security maturity by patch SLAs, but we’re seeing so many successful intrusions starting with users executing software they believe is legitimate and not just unpatched systems," Hempel explained. She argued that the critical question for modern security programs is no longer just "is this CVE patched?" but rather "where did this binary come from?"
Hempel also warned against the false sense of security provided by signed installers. The fact that an installer is signed does not guarantee its safety if the signing certificate itself has been compromised or if the malicious code was injected into a legitimate package.
Broader Impact and Defensive Recommendations
The rise of UAT-11795 reflects a broader trend in the cybercrime ecosystem toward "malware-free" or "living-off-the-land" adjacent strategies. By using legitimate-looking installers and in-memory implants, threat actors reduce their visibility and increase the longevity of their campaigns. The integration of blockchain technology further complicates the task of incident response and infrastructure takedown.
To defend against UAT-11795 and similar threats, cybersecurity experts recommend a multi-layered approach:
- Binary Provenance and Verification: Organizations must implement strict controls over software installation, ensuring that all binaries are sourced directly from official vendor portals and verified against known hashes.
- Behavioral Monitoring: Since traditional signatures are ineffective against bespoke or in-memory malware, security teams should prioritize Endpoint Detection and Response (EDR) solutions that monitor for suspicious behaviors, such as unexpected PowerShell execution or unauthorized memory modifications.
- User Awareness Training: Education remains a critical defense. Users must be trained to recognize the signs of ClickFix social engineering and understand that legitimate technical support will never ask them to copy and paste code into a terminal to fix a browser error.
- Network Segmentation: Restricting the movement of data and the communication capabilities of workstations can limit the impact of a successful infection, preventing the exfiltration of credentials or the lateral movement of the RAT.
As UAT-11795 continues to refine its tactics, the cybersecurity community must remain vigilant. The group’s ability to blend sophisticated technical tools with simple yet effective psychological manipulation makes them a formidable adversary in the ongoing battle for digital and financial security.






