Russian hackers use fake Webex and Zoom installers to deliver Starland RAT

Cisco Talos uncovered a Russian-speaking threat actor using trojanized installers to deliver Starland RAT and memory-only implants.

CSBadmin
2 Min Read

Cisco Talos researchers have disclosed UAT-11795, a financially motivated, Russian-speaking threat actor that has been distributing trojanized installers for popular software to deliver a new Python-based remote access tool called Starland RAT and a PowerShell memory-only implant called WLDR.

Since at least June 2025, the campaign has targeted users in the United States and Europe through fake installers for MobaXterm, Cisco Webex, Zoom, DBeaver, and the gaming platform FACEIT. The wide range of target applications suggests the attackers aim to infect a broad spectrum of users across industries.

The infection chain begins with a ClickFix social engineering technique that tricks victims into running a command that downloads a malicious HTA file. That file drops a Windows batch file and a trojanized installer, while establishing persistence through a Registry Run key. The trojanized installers package a real Python runtime alongside a compiled loader disguised as LICENSE.txt, which decrypts and runs Starland RAT in memory while the legitimate software installs normally.

Before activating, Starland RAT checks for sandbox environments by comparing usernames against known service accounts and checking computer names against analysis platform hostnames. Talos also observed the actor deploying CastleStealer and Remcos RAT as additional payloads after initial compromise.

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.