Starland RAT Campaign Exposes a New Financial Malware: Cisco Talos Tracks UAT-11795’s Global Attack Network + Video

Listen to this Post

Featured ImageIntroduction: A Malware Campaign Built for Scale, Stealth, and Profit

Cybercriminal operations are becoming increasingly professional, combining social engineering, advanced malware engineering, and cloud-like infrastructure to maximize financial returns. A newly discovered campaign tracked by Cisco Talos reveals how modern attackers are moving beyond traditional malware distribution methods and adopting enterprise-style tactics normally associated with advanced threat groups.

The financially motivated threat cluster known as UAT-11795 has been conducting a widespread malware operation targeting users in the United States and parts of Europe since June 2025. The campaign relies on fake software installers, social engineering traps, fileless execution techniques, and multiple backdoors designed to steal sensitive information, cryptocurrency assets, and maintain long-term access to compromised systems.

At the center of this operation are two dangerous tools: Starland RAT, a custom Python-based remote access trojan, and WLDR, a powerful PowerShell memory implant. Together, they create a flexible attack framework capable of surveillance, credential theft, remote control, and additional malware deployment.

Cisco Talos Discovery: A Financially Motivated Threat Expands Globally

Cisco Talos researchers identified UAT-11795 as a new threat cluster focused primarily on financial gain rather than espionage or political objectives. The campaign demonstrates many characteristics of modern cybercrime groups: automated distribution, multi-stage infections, encrypted communication, and the ability to adapt quickly when infrastructure is disrupted.

The attackers appear to follow a volume-based strategy. Instead of targeting one specific industry, they infect users searching for common applications used by developers, businesses, gamers, and IT professionals.

The targeted applications include:

MobaXterm

Zoom

WebEx

DBeaver

FACEIT gaming platform

By impersonating trusted software, attackers increase the chance that victims will install malicious versions without suspicion.

The Initial Infection: ClickFix Social Engineering Opens the Door

The campaign begins with social engineering techniques similar to the growing ClickFix attack method. In these attacks, victims are manipulated into copying and executing commands under the false belief that they are fixing a technical problem, verifying their browser, or activating software.

The malicious instructions eventually trigger Windows utilities such as:

mshta.exe

This legitimate Windows component becomes an execution vehicle for downloading and launching malicious HTA files.

The infection chain can be summarized as:

Victim interaction

|

ClickFix-style deception

|

Malicious command execution

|

mshta.exe launches HTA payload

|

Fake software installer delivered

|

Starland RAT + WLDR deployment

This technique allows attackers to bypass traditional security controls because the first-stage execution uses trusted Windows functionality.

Trojanized Software Installers Hide Dangerous Payloads

One of the most effective parts of the campaign is the abuse of legitimate software installers.

The attackers modify installers created with the Nullsoft Scriptable Install System (NSIS). These packages appear normal to users but contain hidden malicious components.

Inside the installer, researchers discovered:

A concealed Python runtime

A malicious loader disguised as a harmless file

Encrypted malware payloads

Persistence mechanisms

One example is a fake file named:

LICENSE.txt

Instead of containing licensing information, the file acts as a launcher that decrypts and executes Starland RAT directly in memory.

This approach reduces detection because security tools may initially classify the installer as legitimate software.

Starland RAT: A Custom Remote Access Weapon Designed for Theft

Starland RAT represents the primary control mechanism used by UAT-11795.

Unlike many commodity malware families purchased from underground markets, Starland RAT appears to be custom-developed. Written in Python, it provides attackers with extensive control over infected machines.

Its capabilities include:

Executing remote shell commands

Injecting shellcode

Downloading additional malware

Collecting system information

Capturing screenshots

Searching cryptocurrency assets

Gathering Active Directory information

The malware creates persistence through:

Scheduled tasks

Startup shortcuts

Privilege escalation attempts

Once installed, Starland RAT transforms a victim’s device into a remotely controlled asset.

Cryptocurrency Theft Appears to Be the Primary Objective

The campaign strongly indicates a financial motivation.

Starland RAT specifically searches for more than 40 cryptocurrency wallets and browser extensions. This includes digital assets stored through browser-based wallets and cryptocurrency management tools.

The malware collects:

Wallet information

Browser credentials

Authentication data

Cryptocurrency-related extensions

For cybercriminals, cryptocurrency theft offers immediate financial rewards and fewer recovery options for victims.

Unlike traditional bank fraud, blockchain transactions are often irreversible, making stolen funds extremely difficult to recover.

Blockchain Technology Used as a Malware Survival Mechanism

One of the most unusual aspects of the campaign is the use of blockchain infrastructure as a fallback communication system.

Starland RAT uses a Polygon smart contract to retrieve backup command-and-control information.

This creates a decentralized recovery mechanism:

Primary C2 Server

|
X

Server Taken Down

|

Polygon Smart Contract

|

Backup C2 Infrastructure

By using blockchain technology, attackers make their infrastructure more resilient against traditional takedown operations.

This represents an important shift in malware development. Cybercriminals are increasingly borrowing concepts from decentralized technologies to improve operational reliability.

Multiple Malware Payloads Increase Damage Potential

Starland RAT acts as a delivery platform for additional malware.

Cisco Talos observed that the attackers deploy different payloads depending on the victim’s system architecture.

For 64-bit systems:

Starland RAT

|

CastleStealer

CastleStealer is a .NET-based information stealer designed to collect:

Browser passwords

Cryptocurrency wallets

Messaging application data

For 32-bit systems:

Starland RAT

|

Remcos RAT

Remcos provides attackers with remote surveillance and control capabilities.

This flexible payload selection allows attackers to maximize the number of compromised systems.

WLDR Agent: A Fileless PowerShell Backdoor Hidden in Memory

Alongside Starland RAT, UAT-11795 deploys another powerful component called the WLDR agent.

Unlike traditional malware that writes files to disk, WLDR operates almost entirely in memory.

This makes detection significantly harder.

Its technical features include:

PowerShell-based execution

AES-256-CBC encryption

HMAC authentication

Runspace-based multi-threading

Interactive command execution

Attackers can remotely send PowerShell commands and receive results instantly.

Example execution flow:

Encrypted PowerShell Stager

|

WLDR Memory Implant

|

Runspace Execution Engine

|

Command Output Returned to Attacker

Fileless malware remains one of the biggest challenges for modern security teams because traditional antivirus solutions often rely heavily on file scanning.

Command and Control Infrastructure: Built for Resilience

The attackers operate a distributed network of staging servers and command systems.

Some domains imitate legitimate platforms, including:

Developer portals

Startup websites

Technology services

Researchers also discovered evidence that some domains may have been compromised and reused by attackers.

Additionally, Telegram bots are used for real-time tracking.

The bots collect:

System fingerprints

Hardware identifiers

Cryptocurrency information

This allows criminals to quickly evaluate infected machines and prioritize valuable victims.

Deep Analysis: Understanding the UAT-11795 Attack Chain

Malware Execution Analysis

The campaign demonstrates a modern hybrid attack model combining social engineering with advanced malware engineering.

The attackers do not depend on a single vulnerability.

Instead, they exploit human trust.

Useful Detection Commands for Security Teams

Windows process investigation:

Get-Process | Sort-Object CPU -Descending

Detect suspicious processes consuming unusual resources.

Check suspicious scheduled tasks:

schtasks /query /fo LIST /v

Look for unknown persistence mechanisms.

Review startup persistence:

wmic startup get caption,command

Identify malicious startup entries.

Investigate PowerShell activity:

Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational"

Search for suspicious script execution.

Network connection analysis:

netstat -ano

Identify unexpected outbound connections.

Check running DLL and memory behavior:

Get-Process | Select Name,Path

Look for processes executing from unusual locations.

What Undercode Say:

The UAT-11795 campaign represents a significant evolution in financially motivated cybercrime.

The attackers are no longer simply distributing malware.

They are building complete criminal ecosystems.

The combination of Starland RAT and WLDR shows how threat actors increasingly use multiple layers of control.

The first layer gains access.

The second layer maintains persistence.

The third layer steals valuable information.

The fourth layer provides additional malware deployment.

This structure resembles enterprise software architecture, but its purpose is criminal exploitation.

The abuse of fake software installers remains one of the most dangerous trends in cybersecurity.

Users naturally trust familiar applications.

A fake Zoom installer or developer tool can easily bypass human suspicion.

The campaign also highlights the growing importance of memory-based attacks.

Traditional antivirus solutions are becoming less effective against malware that avoids writing files.

Fileless threats require stronger behavioral monitoring.

The use of blockchain-based fallback infrastructure is especially concerning.

Attackers are demonstrating that decentralized technologies can also become tools for cybercrime.

Future malware campaigns may increasingly use smart contracts, decentralized storage, and distributed networks.

Cryptocurrency theft continues to be one of the strongest motivations behind malware development.

Digital wallets provide attackers with immediate financial opportunities.

The UAT-11795 operation also shows how cybercriminal groups are adopting professional development practices.

Custom malware frameworks, encryption systems, backup infrastructure, and automated victim tracking indicate a mature operation.

Organizations should assume that fake software distribution will continue growing.

Security teams need stronger application verification policies.

Employees should avoid installing software from search advertisements, unofficial websites, or suspicious links.

Endpoint detection systems must focus on behavior rather than only malware signatures.

PowerShell monitoring should become a standard security requirement.

Organizations should also monitor unusual blockchain communication patterns.

The future of cybercrime will likely involve more automated malware campaigns.

Threat actors are already combining artificial intelligence, automation, and advanced infrastructure.

UAT-11795 is another example that cybercriminal innovation is accelerating faster than many organizations can adapt.

✅ Cisco Talos identified UAT-11795 as a financially motivated malware campaign.
The campaign involves Starland RAT and WLDR, targeting users through malicious software installers and social engineering techniques.

✅ Starland RAT uses cryptocurrency theft capabilities.

Researchers confirmed that the malware searches for cryptocurrency wallets, browser extensions, credentials, and sensitive user data.

❌ There is no evidence that UAT-11795 is a nation-state espionage operation.
Current findings indicate financial motivation rather than government-backed cyber operations.

Prediction: The Future Impact of UAT-11795

(-1) Cybercriminal groups will continue creating fake versions of popular applications.
Trusted software brands will remain attractive targets because users are more likely to install familiar programs.

(-1) Fileless malware attacks will become harder to detect.
PowerShell memory implants like WLDR represent the direction future malware developers are moving toward.

(+1) Security companies will improve behavioral detection technologies.
Machine learning and endpoint monitoring will become increasingly important for identifying unusual activity.

(+1) Organizations adopting zero-trust security models will reduce exposure.
Application control, privilege restrictions, and continuous monitoring can significantly limit malware impact.

(-1) Blockchain-based malware infrastructure may become more common.
Attackers are likely to experiment further with decentralized systems to avoid traditional takedowns.

(+1) Cybersecurity awareness training will remain a critical defense.
Human detection of suspicious installers and social engineering attempts will continue to be one of the strongest protections against these campaigns.

▶️ Related Video (78% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.quora.com/topic/Technology
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube