Select a theme from the list.
Insights

From our experts

Latest
Sophos Fusion Recasts the Security Platform as an AI-Driven Defense SystemShark Vacuum Cloud Weakness Turns One Device Certificate Into a Regional Master KeyTrusted Meeting Apps Become the Bait in a Multi-Layer Windows Malware CampaignMicrosoft Makes Passkeys the Entra ID Default and Sets a Deadline for Native SMS AuthenticationSonicWall Zero-Days Under Active Attack Demand Immediate SMA1000 PatchingCritical Chrome and Firefox Updates Put Browser Restarts Back on the Security AgendaAsyncAPI Package Breach Turns Trusted Build Pipelines Into a Malware Delivery SystemMicrosoft Expands AI-Led Security Hardening and Sets 2029 Quantum-Safe GoalGlobal CMS Exploitation Wave Plants Webshells on Business WebsitesExposed Attack Server Unmasks Three Microsoft 365 Phishing OperationsMicrosoft Prepares Windows Customers for a Faster Era of AI-Driven PatchingLaser Attack Exposes an Unpatchable Weakness in Tangem Crypto Wallet CardsSophos Fusion Recasts the Security Platform as an AI-Driven Defense SystemShark Vacuum Cloud Weakness Turns One Device Certificate Into a Regional Master KeyTrusted Meeting Apps Become the Bait in a Multi-Layer Windows Malware CampaignMicrosoft Makes Passkeys the Entra ID Default and Sets a Deadline for Native SMS AuthenticationSonicWall Zero-Days Under Active Attack Demand Immediate SMA1000 PatchingCritical Chrome and Firefox Updates Put Browser Restarts Back on the Security AgendaAsyncAPI Package Breach Turns Trusted Build Pipelines Into a Malware Delivery SystemMicrosoft Expands AI-Led Security Hardening and Sets 2029 Quantum-Safe GoalGlobal CMS Exploitation Wave Plants Webshells on Business WebsitesExposed Attack Server Unmasks Three Microsoft 365 Phishing OperationsMicrosoft Prepares Windows Customers for a Faster Era of AI-Driven PatchingLaser Attack Exposes an Unpatchable Weakness in Tangem Crypto Wallet Cards
Security Insight

Trusted Meeting Apps Become the Bait in a Multi-Layer Windows Malware Campaign

Trusted Meeting Apps Become the Bait in a Multi-Layer Windows Malware Campaign
Photo by cottonbro studio on Pexels

A financially motivated Russian threat group is distributing modified installers that impersonate widely used applications such as WebEx, Zoom, MobaXterm, DBeaver, and FaceIT. The campaign deploys Starland RAT and additional malware capable of stealing credentials, cryptocurrency assets, messaging sessions, and Active Directory information.

News Date: 2026-07-16

Cybercriminals are exploiting confidence in familiar business software by distributing trojanized installers for popular communication and administration tools. The operation, attributed to a financially motivated Russian threat actor tracked as UAT-11795, has primarily targeted users in the United States, with additional victims observed in Germany, Romania, and Venezuela.

A Layered Windows Infection Chain

The malicious packages imitate legitimate installers for WebEx, Zoom, MobaXterm, DBeaver, and FaceIT. Researchers have not confirmed exactly how victims reach the files, although the campaign may use ClickFix-style social engineering that persuades users to execute commands or installation steps presented as technical repairs.

Once launched, the chain uses an HTA file and a modified NSIS installer containing a Python loader disguised as a license document. The loader changes the Windows Registry for persistence before decrypting and starting Starland RAT. The malware can create scheduled tasks, place components in the Startup folder, assess whether it is running inside a security sandbox, and attempt to obtain higher privileges.

Credentials and Cryptocurrency Are Prime Targets

Starland RAT collects browser information, system details, Active Directory data, screenshots, and cryptocurrency assets associated with more than 40 desktop and browser-extension wallets. It can also execute commands, inject shellcode, and retrieve additional payloads. Observed infections delivered CastleStealer on 64-bit systems and Remcos RAT through a separate 32-bit chain.

The command infrastructure includes a notable resilience feature. If the primary server cannot be reached, the malware can query a Polygon blockchain smart contract for an encrypted fallback domain. The attackers also use an in-memory PowerShell command framework called WLDR, making conventional file-based detection less dependable.

What Organizations Should Do

  • Restrict software installation to approved vendor portals and managed deployment services.
  • Monitor HTA execution, suspicious PowerShell activity, new scheduled tasks, and unexpected Startup folder changes.
  • Use application control to block unapproved installers and script interpreters.
  • Review browser, cryptocurrency, messaging, and domain credentials after a suspected infection.

In my view, the most important lesson is that a recognizable application name is no longer a meaningful trust signal. Organizations need to verify the origin, signature, and hash of software before execution, while reducing the ability of ordinary users to install unmanaged packages.

Talk to our team →

Latest

Sophos Fusion Recasts the Security Platform as an AI-Driven Defense SystemJul 16, 2026Shark Vacuum Cloud Weakness Turns One Device Certificate Into a Regional Master KeyJul 16, 2026Trusted Meeting Apps Become the Bait in a Multi-Layer Windows Malware CampaignJul 16, 2026Microsoft Makes Passkeys the Entra ID Default and Sets a Deadline for Native SMS AuthenticationJul 15, 2026SonicWall Zero-Days Under Active Attack Demand Immediate SMA1000 PatchingJul 15, 2026Critical Chrome and Firefox Updates Put Browser Restarts Back on the Security AgendaJul 15, 2026

Most read

1Global CMS Exploitation Wave Plants Webshells on Business Websites2Exposed Attack Server Unmasks Three Microsoft 365 Phishing Operations3Microsoft Expands AI-Led Security Hardening and Sets 2029 Quantum-Safe Goal4Microsoft Prepares Windows Customers for a Faster Era of AI-Driven Patching5Laser Attack Exposes an Unpatchable Weakness in Tangem Crypto Wallet Cards6Switzerland Mandates 24-Hour Cyberattack Reporting for Critical Sectors