[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fRUaMNjiSOqbRrPyyDfXiZl5qoXfYPqt7Hp4alpnOGRU":3},{"article":4,"iocs":54},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"c7b8d12a-ac2e-4f2b-a448-1d061bfa8c7b","Russian hackers trojanize WebEx, Zoom apps to push Starland malware","russian-hackers-trojanize-webex-zoom-apps-to-push-starland-malware-0bb78f","A financially motivated Russian threat actor tracked as UAT-11795 is using trojanized software to steal credentials and cryptocurrency by deploying a new backdoor called Starland RAT. [...]","A financially motivated Russian threat actor (UAT-11795) has been distributing trojanized installers of legitimate software including WebEx, Zoom, MobaXterm, and DBeaver since June 2025 to deploy the Starland remote access trojan (RAT). Starland harvests credentials, cryptocurrency wallets, system details, and Active Directory information, while also delivering secondary payloads like CastleStealer info-stealer and Remcos RAT. The attack chain uses an HTA file, NSIS installer, Python loader, and a previously undocumented PowerShell C2 framework (WLDR) with redundancy mechanisms including Polygon blockchain smart contracts.","Russian threat actor UAT-11795 distributes Starland RAT via trojanized WebEx, Zoom installers.","Russian hackers trojanize WebEx, Zoom apps to push Starland malware By Bill Toulas July 16, 2026 06:19 AM 0 A financially motivated Russian threat actor tracked as UAT-11795 is using trojanized software to steal credentials and cryptocurrency by deploying a new backdoor called Starland RAT. Attacks have been occurring since at least June 2025 and have focused on users in the U.S., although victims in Germany, Romania, and Venezuela have been observed as well. According to researchers at Cisco Talos, the threat actor distributes the payload via trojanized installers for legitimate software such as MobaXterm, WebEx, Zoom, DBeaver, and FaceIT. Although the researchers could not confirm the infection vector, they speculate that the malicious files are likely pushed using the ClickFix method. In an analysis published today, Cisco Talos says that the attack starts with an HTA file that retrieves a trojanized NSIS installer containing a Python loader disguised as a text file (LICENSE.txt). The loader modifies the Windows Registry to establish persistence and then decrypts and loads the Starland remote access trojan (RAT). When launched, Starland checks whether it is running in a sandbox environment, adds scheduled tasks and Startup folder items for persistence, and tries to increase its privileges. The malware looks for the following types of data on the compromised system: Browser data and cryptocurrency wallet assets, including more than 40 desktop and browser-extension wallets System details, including the HWID, RAM, processor, operating system, computer name, region, public IP address, and installed antivirus products Active Directory information, including domain structure, domain controllers, and the victim’s domain privileges StarlandRAT can also capture screenshots of the victim’s desktop, execute shell commands, inject 32- or 64-bit shellcode, and download additional payloads (EXEs, MSIs, DLLs, ZIPs). In the observed attacks, the 64-bit shellcode chain delivers the CastleStealer info-stealer malware, while the 32-bit chain delivers the Remcos remote access trojan (RAT). CastleStealer targets browser credentials, cryptocurrency wallet information, Discord and Telegram sessions, Steam credentials, and filesystem files. Remcos RAT provides capabilities such as keylogging, webcam and screen capture, audio recording, clipboard monitoring, file management, and remote command execution. Overview of the UAT-11795 attack chainSource: Cisco Talos Cisco Talos highlights that the malware’s command-and-control (C2) communication has a redundancy mechanism if reaching the hardcoded address fails, which involves querying a Polygon smart contract with an XOR-encrypted fallback domain. Talos also discovered that UAT-11795 uses a previously undocumented PowerShell C2 framework called WLDR, which uses encrypted (PBKDF2-SHA256) beaconing and communications, operates entirely in memory, and binds payload delivery to each victim’s hardware identifier. To defend against UAT-11795 attacks, organizations should use the indicators of compromise IoCs in the Cisco Talos report. Users should avoid executing commands found online if they don’t understand what they do and should download software only from confirmed official vendor portals. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: Ukraine's army targeted in new charity-themed malware campaignGreyVibe hackers use ChatGPT, Gemini to power cyberattacksRussian hackers turn Kazuar backdoor into modular P2P botnetGoogle Gemini CLI abused as a hacking agent, malware botnet operatorAsyncAPI npm packages infected with credential-stealing malware","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Frussian-hackers-trojanize-webex-zoom-apps-to-push-starland-malware\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F05\u002F05\u002Fhacker.jpg","2026-07-16T10:19:34+00:00","2026-07-16T12:00:15.308767+00:00",9,[18,21,24,27,29,31],{"name":19,"type":20},"UAT-11795","threat_actor",{"name":22,"type":23},"Cisco","vendor",{"name":25,"type":26},"WebEx","product",{"name":28,"type":26},"Zoom",{"name":30,"type":26},"MobaXterm",{"name":32,"type":26},"DBeaver","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":33,"icon":35,"name":36,"slug":37},null,"Malware","malware",[39,44,49],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":45},{"id":46,"icon":35,"name":47,"slug":48},"2c8f44d4-b56e-47cf-9677-04f22c9ee78d","Identity & Access","identity-access",{"category":50},{"id":51,"icon":35,"name":52,"slug":53},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[55,58,61,64],{"type":37,"value":56,"context":57},"Starland RAT","Remote access trojan deployed via trojanized software installers; harvests credentials, wallets, system data",{"type":37,"value":59,"context":60},"CastleStealer","Info-stealer malware delivered as 64-bit shellcode payload; targets browser credentials and wallet data",{"type":37,"value":62,"context":63},"Remcos RAT","Remote access trojan delivered as 32-bit shellcode payload; provides keylogging, webcam capture, command execution",{"type":37,"value":65,"context":66},"WLDR","Previously undocumented PowerShell C2 framework; uses PBKDF2-SHA256 encryption and operates in-memory"]