A new malware campaign attributed to Russian-speaking threat actor UAT-11795 has been discovered, targeting users in the U.S. and Europe since mid-2025. This operation involves the distribution of trojanized installers for widely-used software like Webex, Zoom, and MobaXterm, deploying Starland RAT (a Python-based remote access tool) and a PowerShell-based implant called WLDR. Initial access exploits social engineering techniques, tricking victims into running malicious commands that drop harmful files.
The malware employs sophisticated anti-analysis measures to evade detection and exfiltrates sensitive data, including cryptocurrency wallet information. Notably, it can fallback to a blockchain mechanism for communication if primary methods fail, emphasizing the complexity and adaptability of the threat.