UAT-11795 deploys novel Starland RAT and bespoke WLDR C2 implant in financially motivated campaign

UAT-11795 deploys novel Starland RAT and bespoke WLDR C2 implant in financially motivated campaign
Cisco Talos is tracking UAT-11795, a Russian-speaking financially motivated actor running a multi-stage campaign that uses Starland RAT, WLDR agent, CastleStealer, and Remcos RAT to steal credentials and cryptocurrency assets from victims in the U.S. and Europe. The operation relies on trojanized installers, HTA/PowerShell loaders, Telegram bots, and even a Polygon smart contract fallback to keep C2 infrastructure resilient and victim-specific. #UAT-11795 #StarlandRAT #WLDRagent #CastleStealer #RemcosRAT #Telegram #Polygon

Keypoints

  • The campaign has been active since at least June 2025 and is attributed to UAT-11795, a Russian-speaking financially motivated adversary.
  • The actor targets users mainly in the United States, with additional observed impact in Germany, Romania, and Venezuela.
  • Initial access likely starts with ClickFix-style social engineering that launches a weaponized HTA file via mshta.exe.
  • Trojanized installers are used to deliver a Python loader that decrypts and runs Starland RAT in memory.
  • Starland RAT performs reconnaissance, steals browser and crypto-wallet data, maintains persistence, and can deliver additional payloads such as CastleStealer and Remcos RAT.
  • The actor also operates the WLDR PowerShell framework, which uses encrypted C2 communications, HWID-bound requests, and an in-memory agent with task queuing and Runspace execution.
  • Infrastructure includes staging domains, persistent C2 domains, Telegram bots, and a Polygon smart contract used as a fallback domain resolver.

MITRE Techniques

  • [T1204.004 ] User Execution: Malicious File – The victim is tricked into running a command or installer through ClickFix-style social engineering (‘entices the user to execute a command’ and ‘download and execute a remotely hosted weaponized HTA file’).
  • [T1218.005 ] System Binary Proxy Execution: Mshta – The weaponized HTA is executed through Microsoft HTML Application Host (‘on the victim’s machine, likely utilizing a ClickFix technique’ and ‘mshta.exe’).
  • [T1059.001 ] Command and Scripting Interpreter: PowerShell – PowerShell stages, loaders, and agents are used throughout the infection chain (‘download and execute additional PowerShell script payloads’ and ‘PowerShell C2 memory implant’).
  • [T1059.005 ] Command and Scripting Interpreter: Visual Basic – The HTA file runs embedded VBScript to drop files and set persistence (‘the HTA file runs an embedded VBScript’).
  • [T1547.001 ] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence is established through HKCU Run key and Startup folder LNK (‘establishes persistence under “HKCUSoftwareMicrosoftWindowsCurrentVersionRun”‘ and ‘a secondary Startup folder LNK shortcut is created’).
  • [T1105 ] Ingress Tool Transfer – Payloads, shellcode, and archives are downloaded from attacker-controlled servers (‘downloads and executes trojanized installers’ and ‘downloads the payload file to the “%TEMP%” folder’).
  • [T1027 ] Obfuscated Files or Information – Python and PowerShell payloads are obfuscated and encrypted (‘compiled Python loader is disguised as a license file’ and ‘heavily obfuscated’).
  • [T1027.013 ] Obfuscated Files or Information: Encrypted/Encoded File – Payloads and C2 data are XOR/Base64 encrypted (‘XOR decryption using the XOR key 198’ and ‘XOR encrypts it, Base64-encodes it’).
  • [T1055 ] Process Injection – The campaign injects and executes payloads in memory using APC and reflective techniques (‘staged using the asynchronous procedure call (APC), process injection technique’ and ‘reflective PE injection technique’).
  • [T1216 ] System Script Proxy Execution – The actor uses HTA/VBScript and scripted loaders to proxy execution (‘weaponized HTA file’ and ‘NSIS script … execute the malicious byte-compiled Python code’).
  • [T1057 ] Process Discovery – The malware collects host and domain information as part of reconnaissance (‘whoami && systeminfo && net user {USERNAME} /dom && nltest /dclist’).
  • [T1082 ] System Information Discovery – Host OS, RAM, CPU, AV, and build details are collected (‘gathering information on antivirus products, network adapter configurations, OS version and build, domain membership’).
  • [T1016 ] System Network Configuration Discovery – Network adapter and related host configuration are gathered (‘network adapter configurations’).
  • [T1033 ] System Owner/User Discovery – The malware checks usernames and computer names for anti-analysis and profiling (‘compares the logged-on username’ and ‘verifies the victim’s computer name’).
  • [T1113 ] Screen Capture – The RAT captures a screenshot of the desktop and stages it for exfiltration (‘captures a screenshot of the victim machine’s desktop’).
  • [T1555 ] Credentials from Password Stores – Browser data and credentials are harvested from browsers and wallets (‘steal browser data and cryptocurrency wallets’ and ‘direct SQLite database access’).
  • [T1112 ] Modify Registry – The VBScript writes a Run key for persistence (‘establishes persistence under “HKCUSoftwareMicrosoftWindowsCurrentVersionRun”‘).
  • [T1021.001 ] Remote Services: Remote Desktop Protocol – The trojanized MobaXterm lure targets remote administration workflows (‘SSH, remote desktop, and network administration terminal’).

Indicators of Compromise

  • [Domains ] staging and C2 infrastructure – eorthopaedics[.]com, web-devtools[.]com, zynaris[.]io, and 2 more domains
  • [Domains ] primary Starland RAT and fallback infrastructure – windowscreenrepairnearme[.]com, aipythondevs[.]com
  • [Domains ] public blockchain and IP service used for fallback and reporting – polygon-rpc[.]com, api64.ipify[.]org
  • [Telegram bots ] execution notifications and wallet telemetry – 8384531459 (skuefq_bot), 7993597060 (komandastuk_bot)
  • [Telegram channel ] actor-controlled live channel – stuk komanda
  • [Polygon smart contract ] fallback C2 resolution contract – 0x6ae382ed2154cc84c6672e4e908cd2c69c1b35ba
  • [File names ] trojanized installer lures and embedded components – MobaXterm_v26.1.exe, WebEx_Client.exe, LICENSE.txt
  • [Paths ] malicious staging and payload paths on compromised domains – /feed/, /alpha/, /starlandfox, and /x32remka
  • [Registry key ] persistence location – HKCUSoftwareMicrosoftWindowsCurrentVersionRun
  • [User agents ] masquerading browser traffic – Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36, Chrome 124-like headers
  • [Hashes / encryption artifacts ] embedded keys and identifiers used in the payloads – XOR key 198 (0xC6), helo1, odg5t8mvssvh, and $m7*rYpry3
  • [Network indicators ] protocol and selectors used in C2/fallback activity – HTTP POST, HTTP GET, eth_call, and JSON-RPC selector 0xc659f3b8


Read more: https://blog.talosintelligence.com/uat-11795-deploys-novel-starland-rat-and-bespoke-wldr-c2-implant-in-financially-motivated-campaign/