A financially motivated Russian threat actor tracked as UAT-11795 is using trojanized software to steal credentials and cryptocurrency by deploying a new backdoor called Starland RAT.
Attacks have been occurring since at least June 2025 and have focused on users in the U.S., although victims in Germany, Romania, and Venezuela have been observed as well.
According to researchers at Cisco Talos, the threat actor distributes the payload via trojanized installers for legitimate software such as MobaXterm, WebEx, Zoom, DBeaver, and FaceIT.
Although the researchers could not confirm the infection vector, they speculate that the malicious files are likely pushed using the ClickFix method.
In an analysis published today, Cisco Talos says that the attack starts with an HTA file that retrieves a trojanized NSIS installer containing a Python loader disguised as a text file (LICENSE.txt).
The loader modifies the Windows Registry to establish persistence and then decrypts and loads the Starland remote access trojan (RAT).
When launched, Starland checks whether it is running in a sandbox environment, adds scheduled tasks and Startup folder items for persistence, and tries to increase its privileges.
The malware looks for the following types of data on the compromised system:
Browser data and cryptocurrency wallet assets, including more than 40 desktop and browser-extension wallets
System details, including the HWID, RAM, processor, operating system, computer name, region, public IP address, and installed antivirus products
... continue reading