Starland RAT: Russian Cybercriminals Launch Advanced Credential Theft Campaign Through Fake Software Installers + Video

Listen to this Post

Featured ImageIntroduction: A New Wave of Malware Hidden Behind Trusted Software

Cybercriminals continue to evolve their methods by hiding dangerous malware behind applications that millions of users trust every day. A newly uncovered campaign linked to a financially motivated Russian threat actor demonstrates how attackers are moving beyond traditional phishing emails and malicious attachments, instead abusing the reputation of legitimate software platforms to compromise victims.

Security researchers have identified a threat actor tracked as UAT-11795 deploying a sophisticated remote access trojan (RAT) called Starland RAT. The malware campaign has been active since at least June 2025 and targets users primarily in the United States, while infections have also been detected in Germany, Romania, and Venezuela.

The operation combines fake software installers, advanced persistence techniques, cryptocurrency theft capabilities, information stealing malware, and stealthy command-and-control systems. It represents a growing trend where financially motivated attackers build multi-stage malware ecosystems designed not only to steal passwords but also to maintain long-term control over infected systems.

Summary: Fake Installers Deliver Powerful Malware

According to researchers at Cisco Talos, UAT-11795 distributes malicious versions of popular software packages, including MobaXterm, WebEx, Zoom, DBeaver, and FaceIT. Victims believe they are downloading legitimate applications, but the installers secretly contain malicious components designed to compromise their computers.

The attackers appear to rely on a technique known as ClickFix, where users are tricked into performing actions that appear harmless, such as copying commands into Windows dialogs or executing instructions shown on fake websites.

The infection chain begins with an HTA file, which downloads a modified NSIS installer. Inside this installer is a Python-based loader disguised as a harmless text file named LICENSE.txt. Once executed, the loader modifies the Windows Registry to establish persistence and then decrypts and launches the Starland RAT payload.

Inside the Starland RAT Infection Chain

Multi-Stage Malware Deployment

Starland RAT is not a simple remote access tool. It acts as the central control component of a larger malware operation. After installation, the malware first checks whether it is running inside a sandbox or security analysis environment.

This behavior helps attackers avoid detection by automated malware analysis systems used by cybersecurity companies.

If the environment appears legitimate, Starland continues its operation by creating persistence mechanisms, including:

Scheduled tasks

Windows Startup folder entries

Registry modifications

Privilege escalation attempts

These techniques allow the malware to survive system reboots and maintain access for future attacks.

Data Theft Capabilities: Passwords, Crypto Wallets, and Personal Information

Stealing Valuable Digital Assets

The primary goal of UAT-11795 appears to be financial gain. Starland RAT searches infected devices for valuable information that can be sold, abused, or used for additional attacks.

The malware collects:

Browser passwords and stored credentials

Cryptocurrency wallet data

Authentication tokens

Gaming platform credentials

Messaging application sessions

Local files containing sensitive information

Researchers discovered that Starland specifically targets more than 40 cryptocurrency wallets, including both desktop applications and browser wallet extensions.

For cryptocurrency users, this creates a serious threat because stolen wallet information can allow attackers to transfer digital assets without requiring traditional banking access.

Enterprise Espionage Capabilities Hidden Inside Financial Malware

Active Directory Reconnaissance

Although UAT-11795 appears financially motivated, Starland RAT includes capabilities normally associated with espionage-focused malware.

The malware collects detailed system intelligence, including:

Hardware identifiers

CPU and memory information

Windows version

Computer name

Geographic region

Public IP address

Installed security software

It also gathers Active Directory information such as:

Domain structure

Domain controllers

User privileges

Network environment details

This information could allow attackers to identify valuable corporate targets and expand their attacks beyond the original infected machine.

Remote Control Features Make Starland a Complete Attack Platform

Full System Access for Criminal Operators

Starland RAT provides attackers with extensive remote control capabilities.

The malware can:

Capture screenshots

Execute shell commands

Inject malicious shellcode

Download additional files

Install new malware components

Control system operations remotely

The ability to execute commands remotely turns infected devices into fully controlled machines that attackers can use for credential theft, fraud, ransomware preparation, or additional malware deployment.

Secondary Payloads: CastleStealer and Remcos RAT

Attackers Deploy Additional Malware Families

Cisco Talos researchers discovered that Starland RAT acts as a delivery mechanism for additional threats.

The observed campaigns used different shellcode chains depending on system architecture.

The 64-bit payload chain delivers CastleStealer, an information-stealing malware designed to collect:

Browser credentials

Cryptocurrency wallet information

Discord sessions

Telegram sessions

Steam credentials

Files stored on infected systems

The 32-bit payload chain delivers Remcos RAT, a well-known remote access tool capable of:

Keylogging

Webcam monitoring

Screen recording

Audio capture

Clipboard theft

File management

Remote command execution

This combination creates a powerful criminal toolkit capable of stealing personal data while maintaining persistent access.

Deep Analysis: How Starland RAT Operates

Advanced Command-and-Control Infrastructure

Starland RAT uses a sophisticated command-and-control (C2) system designed to remain operational even when primary communication channels fail.

Researchers discovered that the malware contains a backup mechanism involving the Polygon blockchain network.

If the hardcoded C2 server becomes unavailable, Starland queries a Polygon smart contract containing an XOR-encrypted fallback domain.

This technique allows attackers to hide infrastructure information inside blockchain transactions, making traditional domain takedown operations more difficult.

Memory-Based PowerShell Framework

UAT-11795 also uses a previously undocumented PowerShell-based framework called WLDR.

WLDR provides attackers with:

Encrypted communication channels

In-memory execution

Hardware-bound payload delivery

Victim-specific targeting

The framework uses PBKDF2-SHA256 encryption to protect communications between infected systems and attacker infrastructure.

Because the framework operates primarily in memory, traditional antivirus tools that rely on file scanning may struggle to detect it.

Example Defensive Commands for Security Teams

Check suspicious scheduled tasks:

schtasks /query /fo LIST /v
Review Windows startup persistence locations:
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Check active network connections:
netstat -ano
Identify suspicious PowerShell activity:
Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational
Scan running processes:
tasklist /v

How Organizations Can Defend Against Starland RAT

Preventing Infection Before Damage Happens

Organizations should focus on reducing the initial infection opportunities.

Security teams should:

Download software only from official vendor websites

Block unauthorized executable downloads

Monitor unusual PowerShell activity

Deploy endpoint detection and response solutions

Enable multi-factor authentication

Restrict administrative privileges

Monitor cryptocurrency-related applications

Review suspicious scheduled tasks

Users should avoid executing commands copied from websites unless they fully understand what those commands do.

The ClickFix technique succeeds because attackers manipulate users into performing actions that bypass normal security controls.

What Undercode Say:

A New Generation of Financial Malware Is Becoming More Dangerous

The Starland RAT campaign shows how cybercriminals are transforming ordinary malware into complete attack platforms.

The days when information stealers only collected browser passwords are disappearing.

Modern malware families now combine multiple capabilities into one ecosystem.

Starland RAT demonstrates this evolution clearly.

Attackers are no longer interested only in stealing one password or one cryptocurrency wallet.

They want persistent access.

They want intelligence about the victim.

They want the ability to return whenever valuable opportunities appear.

The use of fake software installers is especially concerning because it attacks human trust.

Users naturally trust applications like Zoom, WebEx, and productivity tools.

Cybercriminals understand that reputation can become a weapon.

The ClickFix method also highlights a major security challenge.

Many attacks no longer depend on exploiting software vulnerabilities.

Instead, they exploit human behavior.

A user can accidentally become the final step in malware installation.

The combination of Starland RAT, CastleStealer, and Remcos creates a dangerous criminal ecosystem.

One infection can result in password theft, cryptocurrency loss, corporate compromise, and surveillance.

The blockchain-based fallback C2 mechanism is another sign of attacker innovation.

Threat groups are experimenting with decentralized technologies to make their infrastructure harder to remove.

Traditional cybersecurity methods must continue evolving.

Organizations cannot rely only on antivirus signatures.

Behavior detection, identity security, and continuous monitoring are becoming essential.

The discovery of WLDR also shows that attackers are investing heavily in custom frameworks.

Instead of simply purchasing malware kits, some groups are building professional-grade platforms.

Financially motivated criminals are becoming more organized.

They operate more like technology companies than traditional hackers.

Security teams must assume that attackers will continue improving their tools.

The future of cyber defense will depend on speed, visibility, and automation.

The Starland RAT campaign is another warning that trusted software channels remain a major target.

Every downloaded application should be treated as a potential security decision.

Verification of Key Claims

✅ Starland RAT campaign linked to UAT-11795:

Cisco Talos researchers documented a financially motivated threat actor using trojanized installers to distribute Starland RAT. The campaign has targeted multiple countries, including the United States.

✅ Use of fake software installers:

The attackers used modified installers impersonating legitimate applications such as Zoom, WebEx, MobaXterm, DBeaver, and FaceIT. This matches modern malware distribution techniques.

✅ Advanced C2 and secondary malware deployment:

Research confirms Starland RAT includes fallback communication mechanisms and can deliver additional malware such as CastleStealer and Remcos RAT.

Prediction

(-1) Financial malware campaigns using fake applications will continue increasing because attackers can bypass traditional phishing defenses by exploiting user trust.

(-1) Cryptocurrency theft will remain a major motivation as digital wallets provide criminals with fast and difficult-to-recover financial gains.

(+1) Security solutions using behavioral detection and artificial intelligence will improve detection of malware like Starland RAT by identifying unusual activity rather than relying only on signatures.

(+1) Organizations that strengthen identity protection, endpoint monitoring, and software supply chain controls will significantly reduce the impact of future campaigns.

(-1) Attackers will likely continue abusing legitimate software brands because users often ignore security warnings when downloading familiar applications.

▶️ Related Video (82% Match):

🕵️‍📝Let’s dive deep and fact‑check.

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

References:

Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.reddit.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon | 📺Youtube