securityaffairs.com 7/17/2026, 10:01:49 AM · external

Russian hackers use fake Webex, Zoom installers to steal crypto

Russian hackers use fake Webex, Zoom installers to steal crypto
CyberSIXT Evidence Panel
Threat Actor
UAT-11795

A new malware campaign attributed to Russian-speaking threat actor UAT-11795 has been discovered, targeting users in the U.S. and Europe since mid-2025. This operation involves the distribution of trojanized installers for widely-used software like Webex, Zoom, and MobaXterm, deploying Starland RAT (a Python-based remote access tool) and a PowerShell-based implant called WLDR. Initial access exploits social engineering techniques, tricking victims into running malicious commands that drop harmful files.

The malware employs sophisticated anti-analysis measures to evade detection and exfiltrates sensitive data, including cryptocurrency wallet information. Notably, it can fallback to a blockchain mechanism for communication if primary methods fail, emphasizing the complexity and adaptability of the threat.

View Primary Source Via securityaffairs.com

Article by CyberSIXT