UAT-11795 is a financially motivated Russian threat actor using trojanized installers to deploy Starland RAT and steal credentials, cryptocurrency wallet data, and other sensitive information from victims. Cisco Talos reported attacks since June 2025, with U.S. users primarily targeted and additional victims seen in Germany, Romania, and Venezuela. #UAT-11795 #StarlandRAT #CiscoTalos #MobaXterm #WebEx #Zoom #DBeaver #FaceIT #CastleStealer #Remcos
Keypoints
- UAT-11795 is using trojanized software installers to spread Starland RAT.
- The campaign has been active since at least June 2025 and mainly targets users in the U.S.
- Trojanized installers for MobaXterm, WebEx, Zoom, DBeaver, and FaceIT are being used as delivery lures.
- Starland RAT steals browser data, cryptocurrency wallet assets, system details, and Active Directory information.
- The attack chain can also deliver CastleStealer and Remcos RAT for additional credential theft and remote control.