News Date: 2026-07-16
Cybercriminals are exploiting confidence in familiar business software by distributing trojanized installers for popular communication and administration tools. The operation, attributed to a financially motivated Russian threat actor tracked as UAT-11795, has primarily targeted users in the United States, with additional victims observed in Germany, Romania, and Venezuela.
A Layered Windows Infection Chain
The malicious packages imitate legitimate installers for WebEx, Zoom, MobaXterm, DBeaver, and FaceIT. Researchers have not confirmed exactly how victims reach the files, although the campaign may use ClickFix-style social engineering that persuades users to execute commands or installation steps presented as technical repairs.
Once launched, the chain uses an HTA file and a modified NSIS installer containing a Python loader disguised as a license document. The loader changes the Windows Registry for persistence before decrypting and starting Starland RAT. The malware can create scheduled tasks, place components in the Startup folder, assess whether it is running inside a security sandbox, and attempt to obtain higher privileges.
Credentials and Cryptocurrency Are Prime Targets
Starland RAT collects browser information, system details, Active Directory data, screenshots, and cryptocurrency assets associated with more than 40 desktop and browser-extension wallets. It can also execute commands, inject shellcode, and retrieve additional payloads. Observed infections delivered CastleStealer on 64-bit systems and Remcos RAT through a separate 32-bit chain.
The command infrastructure includes a notable resilience feature. If the primary server cannot be reached, the malware can query a Polygon blockchain smart contract for an encrypted fallback domain. The attackers also use an in-memory PowerShell command framework called WLDR, making conventional file-based detection less dependable.
What Organizations Should Do
- Restrict software installation to approved vendor portals and managed deployment services.
- Monitor HTA execution, suspicious PowerShell activity, new scheduled tasks, and unexpected Startup folder changes.
- Use application control to block unapproved installers and script interpreters.
- Review browser, cryptocurrency, messaging, and domain credentials after a suspected infection.
In my view, the most important lesson is that a recognizable application name is no longer a meaningful trust signal. Organizations need to verify the origin, signature, and hash of software before execution, while reducing the ability of ordinary users to install unmanaged packages.
