Cisco Talos is tracking UAT-11795, a Russian-speaking financially motivated actor running a multi-stage campaign that uses Starland RAT, WLDR agent, CastleStealer, and Remcos RAT to steal credentials and cryptocurrency assets from victims in the U.S. and Europe. The operation relies on trojanized installers, HTA/PowerShell loaders, Telegram bots, and even a Polygon smart contract fallback to keep C2 infrastructure resilient and victim-specific. #UAT-11795 #StarlandRAT #WLDRagent #CastleStealer #RemcosRAT #Telegram #Polygon
Keypoints
- The campaign has been active since at least June 2025 and is attributed to UAT-11795, a Russian-speaking financially motivated adversary.
- The actor targets users mainly in the United States, with additional observed impact in Germany, Romania, and Venezuela.
- Initial access likely starts with ClickFix-style social engineering that launches a weaponized HTA file via mshta.exe.
- Trojanized installers are used to deliver a Python loader that decrypts and runs Starland RAT in memory.
- Starland RAT performs reconnaissance, steals browser and crypto-wallet data, maintains persistence, and can deliver additional payloads such as CastleStealer and Remcos RAT.
- The actor also operates the WLDR PowerShell framework, which uses encrypted C2 communications, HWID-bound requests, and an in-memory agent with task queuing and Runspace execution.
- Infrastructure includes staging domains, persistent C2 domains, Telegram bots, and a Polygon smart contract used as a fallback domain resolver.
MITRE Techniques
- [T1204.004 ] User Execution: Malicious File â The victim is tricked into running a command or installer through ClickFix-style social engineering (âentices the user to execute a commandâ and âdownload and execute a remotely hosted weaponized HTA fileâ).
- [T1218.005 ] System Binary Proxy Execution: Mshta â The weaponized HTA is executed through Microsoft HTML Application Host (âon the victimâs machine, likely utilizing a ClickFix techniqueâ and âmshta.exeâ).
- [T1059.001 ] Command and Scripting Interpreter: PowerShell â PowerShell stages, loaders, and agents are used throughout the infection chain (âdownload and execute additional PowerShell script payloadsâ and âPowerShell C2 memory implantâ).
- [T1059.005 ] Command and Scripting Interpreter: Visual Basic â The HTA file runs embedded VBScript to drop files and set persistence (âthe HTA file runs an embedded VBScriptâ).
- [T1547.001 ] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder â Persistence is established through HKCU Run key and Startup folder LNK (âestablishes persistence under âHKCUSoftwareMicrosoftWindowsCurrentVersionRunââ and âa secondary Startup folder LNK shortcut is createdâ).
- [T1105 ] Ingress Tool Transfer â Payloads, shellcode, and archives are downloaded from attacker-controlled servers (âdownloads and executes trojanized installersâ and âdownloads the payload file to the â%TEMP%â folderâ).
- [T1027 ] Obfuscated Files or Information â Python and PowerShell payloads are obfuscated and encrypted (âcompiled Python loader is disguised as a license fileâ and âheavily obfuscatedâ).
- [T1027.013 ] Obfuscated Files or Information: Encrypted/Encoded File â Payloads and C2 data are XOR/Base64 encrypted (âXOR decryption using the XOR key 198â and âXOR encrypts it, Base64-encodes itâ).
- [T1055 ] Process Injection â The campaign injects and executes payloads in memory using APC and reflective techniques (âstaged using the asynchronous procedure call (APC), process injection techniqueâ and âreflective PE injection techniqueâ).
- [T1216 ] System Script Proxy Execution â The actor uses HTA/VBScript and scripted loaders to proxy execution (âweaponized HTA fileâ and âNSIS script ⌠execute the malicious byte-compiled Python codeâ).
- [T1057 ] Process Discovery â The malware collects host and domain information as part of reconnaissance (âwhoami && systeminfo && net user {USERNAME} /dom && nltest /dclistâ).
- [T1082 ] System Information Discovery â Host OS, RAM, CPU, AV, and build details are collected (âgathering information on antivirus products, network adapter configurations, OS version and build, domain membershipâ).
- [T1016 ] System Network Configuration Discovery â Network adapter and related host configuration are gathered (ânetwork adapter configurationsâ).
- [T1033 ] System Owner/User Discovery â The malware checks usernames and computer names for anti-analysis and profiling (âcompares the logged-on usernameâ and âverifies the victimâs computer nameâ).
- [T1113 ] Screen Capture â The RAT captures a screenshot of the desktop and stages it for exfiltration (âcaptures a screenshot of the victim machineâs desktopâ).
- [T1555 ] Credentials from Password Stores â Browser data and credentials are harvested from browsers and wallets (âsteal browser data and cryptocurrency walletsâ and âdirect SQLite database accessâ).
- [T1112 ] Modify Registry â The VBScript writes a Run key for persistence (âestablishes persistence under âHKCUSoftwareMicrosoftWindowsCurrentVersionRunââ).
- [T1021.001 ] Remote Services: Remote Desktop Protocol â The trojanized MobaXterm lure targets remote administration workflows (âSSH, remote desktop, and network administration terminalâ).
Indicators of Compromise
- [Domains ] staging and C2 infrastructure â eorthopaedics[.]com, web-devtools[.]com, zynaris[.]io, and 2 more domains
- [Domains ] primary Starland RAT and fallback infrastructure â windowscreenrepairnearme[.]com, aipythondevs[.]com
- [Domains ] public blockchain and IP service used for fallback and reporting â polygon-rpc[.]com, api64.ipify[.]org
- [Telegram bots ] execution notifications and wallet telemetry â 8384531459 (skuefq_bot), 7993597060 (komandastuk_bot)
- [Telegram channel ] actor-controlled live channel â stuk komanda
- [Polygon smart contract ] fallback C2 resolution contract â 0x6ae382ed2154cc84c6672e4e908cd2c69c1b35ba
- [File names ] trojanized installer lures and embedded components â MobaXterm_v26.1.exe, WebEx_Client.exe, LICENSE.txt
- [Paths ] malicious staging and payload paths on compromised domains â /feed/, /alpha/, /starlandfox, and /x32remka
- [Registry key ] persistence location â HKCUSoftwareMicrosoftWindowsCurrentVersionRun
- [User agents ] masquerading browser traffic â Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36, Chrome 124-like headers
- [Hashes / encryption artifacts ] embedded keys and identifiers used in the payloads â XOR key 198 (0xC6), helo1, odg5t8mvssvh, and $m7*rYpry3
- [Network indicators ] protocol and selectors used in C2/fallback activity â HTTP POST, HTTP GET, eth_call, and JSON-RPC selector 0xc659f3b8