Analyst decision point
A source-documented malware campaign that can establish persistent Windows access, collect host and wallet information, steal credentials and cryptocurrency assets, and deliver additional payloads through resilient command-and-control infrastructure.
- Evidence
- 4 cited mapping rationales from Cisco Talos.
- Mapping
- 4 reviewed ATT&CK / ATLAS mappings with high confidence.
- Next action
- Read the behavior sequence, validate the mapped telemetry, then decide whether this belongs in your coverage queue.
Attack understanding
Understand this attack before acting
This page is ordered for defender comprehension: what happened, what evidence supports it, how the behavior maps, and what to verify in your own telemetry.
What happened
Cisco Talos describes a financially motivated, Russian-speaking activity cluster tracked as UAT-11795 that has targeted users in the United States and Europe with trojanized software installers, Starland RAT, and the PowerShell-based WLDR command-and-control implant.
Evidence posture
Mappings stay tied to explicit evidence and reviewed rationale.
ATT&CK / ATLAS
Only reviewed mappings are shown as behavior. Missing links remain unresolved.
Defender workflow
Use the workflow below to turn this record into environment-specific checks.
Mapping posture
Mapped behavior at a glance
This matrix shows the mapped behavior, evidence count, and confidence before the long-form evidence ledger.
AttackTrace does not enrich this page by guessing adjacent techniques. If a behavior is not cited and reviewed, it stays out of the mapped path.
Editorial Note
This brief follows the UAT-11795 label assigned by Cisco Talos. The Russian-speaking assessment comes from a Russian-language developer comment described by Talos and should not be treated as proof of nationality, location, or state sponsorship. The campaign is financially motivated in the source reporting; AttackTrace does not extend that assessment into a stronger attribution claim.
Technical Attack Flow
| Stage | Technique | Technical breakdown | Defender visibility |
|---|---|---|---|
| User-driven execution | T1204.002 User Execution: Malicious File | Potential ClickFix-style social engineering leads to a weaponized HTA and trojanized NSIS installers impersonating tools such as MobaXterm, WebEx, Zoom, DBeaver, and FACEIT. | Browser and download telemetry, Mark-of-the-Web metadata, mshta.exe execution, newly downloaded NSIS installers, and user reports of copy-and-run instructions. |
| PowerShell staging | T1059.001 Command and Scripting Interpreter: PowerShell | Starland can launch a curl command that retrieves an obfuscated WLDR PowerShell stager, downloader, and in-memory agent. | PowerShell script-block logging, AMSI, command-line telemetry, curl network activity, and PowerShell processes making unusual outbound HTTP requests. |
| Logon persistence | T1547.001 Registry Run Keys / Startup Folder | The HTA chain creates a current-user Run value that invokes mshta.exe at logon; Starland also creates a Startup-folder shortcut and may add a scheduled task. | Registry auditing for Run keys, Startup-folder file creation, scheduled-task events, and mshta.exe or pythonw.exe starting shortly after logon. |
| Payload delivery | T1105 Ingress Tool Transfer | The RAT retrieves shellcode and executable formats and can deploy CastleStealer, Remcos RAT, or WLDR components from attacker-controlled staging and C2 infrastructure. | DNS and HTTP telemetry for the published infrastructure, new files in user temporary paths, process injection signals, and outbound Telegram or Polygon RPC access from unusual processes. |
Detection Surface
mshta.exeretrieving or executing remote HTA content, especially from a user-launched installer or recently downloaded file.pythonw.exelaunched from unusual installer directories with a compiled payload disguised as a text or license file.- PowerShell or
cmd.exedescendants of installers, mshta.exe, or pythonw.exe that invoke curl, retrieve scripts, or launch in-memory stages. - New current-user Run values, Startup-folder shortcuts, or scheduled tasks with randomized
PythonLauncher-style names. - HTTP requests whose paths end in a local volume-derived hardware identifier, periodic 50–60 second beaconing, or unexpected Polygon JSON-RPC and Telegram Bot API traffic.
- Host reconnaissance commands involving CIM/WMI,
systeminfo,net user,nltest, and wallet or browser extension enumeration.
Investigation Checklist
- Identify downloads and executions of installers named or presented as MobaXterm, WebEx, Zoom, DBeaver, or FACEIT from non-vendor sources.
- Hunt for mshta.exe, pythonw.exe, curl, and PowerShell execution chains around the suspected initial-access time.
- Review current-user Run keys, Startup folders, and scheduled tasks for entries that launch remote HTA content or unexpected Python payloads.
- Search DNS, proxy, firewall, and endpoint telemetry for the domains and IP addresses in the Talos IOC set, accounting for possible compromised or repurposed infrastructure.
- Inspect browser, cryptocurrency-wallet, Telegram, credential-store, screenshot, and Active Directory reconnaissance access on affected hosts.
- Scope downloaded shellcode and secondary payloads, including CastleStealer, Remcos RAT, and WLDR, before deciding that removal of the initial installer completed containment.
Containment And Hardening
- Isolate confirmed hosts and block the campaign IOC set at DNS, proxy, firewall, and endpoint controls after validating business impact.
- Remove malicious Run keys, Startup shortcuts, scheduled tasks, HTA files, Python loaders, RAT components, and secondary payloads only after collecting forensic evidence.
- Reset credentials and rotate cryptocurrency-wallet secrets exposed on affected systems; revoke active sessions and review related cloud and developer access.
- Restrict mshta.exe and unapproved PowerShell use where operationally feasible, and enforce application control for installers and scripting engines.
- Require software downloads from validated vendor distribution points and train users to reject copy-and-run or ClickFix-style instructions.
- Enable PowerShell, process, registry, scheduled-task, DNS, proxy, and endpoint telemetry needed to reconstruct the complete infection chain.
Source Notes
Cisco Talos published the campaign analysis on July 16, 2026 and reports activity dating to at least June 2025. Talos observed predominant impact in the United States with additional potential impact in Germany, Romania, and Venezuela, and published ClamAV signatures, Snort rules, and a linked IOC repository. AttackTrace selected only techniques supported by explicit behavior in the report.
Evidence ledger
Evidence and mapping rationale
Each mapping is tied to an explicit quote and rationale. Unsupported relationships should stay unresolved until reviewed.
trojanized installer lures
Talos observed installers impersonating legitimate administration, collaboration, database, and gaming software; execution of the installer starts the malicious Python loader and Starland RAT chain.
PowerShell-based C2 memory implant
The WLDR stages and agent use obfuscated PowerShell for in-memory loading, encrypted command-and-control, and task execution.
establishes persistence
The weaponized HTA writes a Run key under the current user's registry hive so mshta.exe launches the remote HTA at logon.
receiving and executing intermediate payloads
Starland RAT accepts commands to retrieve and run shellcode, EXE, MSI, DLL, and ZIP payloads, including CastleStealer, Remcos RAT, and the WLDR stages.
Detection surface
What defenders should verify
AttackTrace does not claim live coverage. Use these prompts to check whether your telemetry and detections can support the mapped behavior.
Investigate
- 01Identify affected products, exposed services, identities, and time windows from your own environment.
- 02Pull the log sources that could show the mapped behavior before writing or tuning alerts.
- 03Compare observed behavior with the evidence ledger instead of expanding the scope from assumptions.
Detect
- 01Map each ATT&CK or ATLAS behavior to concrete telemetry sources and owners.
- 02Check whether current detections cover the behavior, prerequisite, and post-exploitation pivot separately.
- 03Record gaps as coverage work, not as proof that the campaign is present in your environment.
Respond
- 01Prioritize containment only after exposure or observed behavior is confirmed.
- 02Preserve source URLs and mapping rationale in the incident record.
- 03Send corrections when evidence contradicts a mapping or confidence level.
Confirm telemetry exists for Malicious File, then validate alert logic against real environment data.
Confirm telemetry exists for PowerShell, then validate alert logic against real environment data.
Confirm telemetry exists for Registry Run Keys / Startup Folder, then validate alert logic against real environment data.
Confirm telemetry exists for Ingress Tool Transfer, then validate alert logic against real environment data.
Investigation workflow
How to investigate this record
Use this sequence when converting reviewed public intelligence into a local defensive task.
Start from the source record and confirm what was observed, not what might be possible.
Translate mapped behavior into local data requirements and asset questions.
Separate vendor/product exposure, actor attribution, malware names, and technique behavior.
Promote only confirmed environment findings into detection, containment, or executive reporting.
Related campaigns
Campaign links are manual. They are not inferred from actors, CVEs, titles, sources, or mapped techniques.
Record history
Update history
Update history
- Published
- 2026-07-16
- Reviewed
- 2026-07-18
- Mapping confidence
- high