HomeThreat Activity
Home

Reviewed threat activity

UAT-11795 Starland RAT and WLDR C2 Campaign

Cisco Talos describes a financially motivated, Russian-speaking activity cluster tracked as UAT-11795 that has targeted users in the United States and Europe with trojanized software installers, Starland RAT, and the PowerShell-based WLDR command-and-control implant.

Cisco TalosConfidence: high
Note on this

Analyst decision point

A source-documented malware campaign that can establish persistent Windows access, collect host and wallet information, steal credentials and cryptocurrency assets, and deliver additional payloads through resilient command-and-control infrastructure.

Evidence
4 cited mapping rationales from Cisco Talos.
Mapping
4 reviewed ATT&CK / ATLAS mappings with high confidence.
Next action
Read the behavior sequence, validate the mapped telemetry, then decide whether this belongs in your coverage queue.

Attack understanding

Understand this attack before acting

This page is ordered for defender comprehension: what happened, what evidence supports it, how the behavior maps, and what to verify in your own telemetry.

What happened

Cisco Talos

Cisco Talos describes a financially motivated, Russian-speaking activity cluster tracked as UAT-11795 that has targeted users in the United States and Europe with trojanized software installers, Starland RAT, and the PowerShell-based WLDR command-and-control implant.

Evidence posture

4 rationales

Mappings stay tied to explicit evidence and reviewed rationale.

ATT&CK / ATLAS

4 behaviors

Only reviewed mappings are shown as behavior. Missing links remain unresolved.

Defender workflow

Investigate -> detect -> harden

Use the workflow below to turn this record into environment-specific checks.

Mapping posture

Mapped behavior at a glance

This matrix shows the mapped behavior, evidence count, and confidence before the long-form evidence ledger.

T1204.002ATTACK

Malicious File

Evidence

1 cited rationales

Confidence

high

T1059.001ATTACK

PowerShell

Evidence

1 cited rationales

Confidence

high

T1547.001ATTACK

Registry Run Keys / Startup Folder

Evidence

1 cited rationales

Confidence

high

T1105ATTACK

Ingress Tool Transfer

Evidence

1 cited rationales

Confidence

high

AttackTrace does not enrich this page by guessing adjacent techniques. If a behavior is not cited and reviewed, it stays out of the mapped path.

Editorial Note

This brief follows the UAT-11795 label assigned by Cisco Talos. The Russian-speaking assessment comes from a Russian-language developer comment described by Talos and should not be treated as proof of nationality, location, or state sponsorship. The campaign is financially motivated in the source reporting; AttackTrace does not extend that assessment into a stronger attribution claim.

Technical Attack Flow

StageTechniqueTechnical breakdownDefender visibility
User-driven executionT1204.002 User Execution: Malicious FilePotential ClickFix-style social engineering leads to a weaponized HTA and trojanized NSIS installers impersonating tools such as MobaXterm, WebEx, Zoom, DBeaver, and FACEIT.Browser and download telemetry, Mark-of-the-Web metadata, mshta.exe execution, newly downloaded NSIS installers, and user reports of copy-and-run instructions.
PowerShell stagingT1059.001 Command and Scripting Interpreter: PowerShellStarland can launch a curl command that retrieves an obfuscated WLDR PowerShell stager, downloader, and in-memory agent.PowerShell script-block logging, AMSI, command-line telemetry, curl network activity, and PowerShell processes making unusual outbound HTTP requests.
Logon persistenceT1547.001 Registry Run Keys / Startup FolderThe HTA chain creates a current-user Run value that invokes mshta.exe at logon; Starland also creates a Startup-folder shortcut and may add a scheduled task.Registry auditing for Run keys, Startup-folder file creation, scheduled-task events, and mshta.exe or pythonw.exe starting shortly after logon.
Payload deliveryT1105 Ingress Tool TransferThe RAT retrieves shellcode and executable formats and can deploy CastleStealer, Remcos RAT, or WLDR components from attacker-controlled staging and C2 infrastructure.DNS and HTTP telemetry for the published infrastructure, new files in user temporary paths, process injection signals, and outbound Telegram or Polygon RPC access from unusual processes.

Detection Surface

  • mshta.exe retrieving or executing remote HTA content, especially from a user-launched installer or recently downloaded file.
  • pythonw.exe launched from unusual installer directories with a compiled payload disguised as a text or license file.
  • PowerShell or cmd.exe descendants of installers, mshta.exe, or pythonw.exe that invoke curl, retrieve scripts, or launch in-memory stages.
  • New current-user Run values, Startup-folder shortcuts, or scheduled tasks with randomized PythonLauncher- style names.
  • HTTP requests whose paths end in a local volume-derived hardware identifier, periodic 50–60 second beaconing, or unexpected Polygon JSON-RPC and Telegram Bot API traffic.
  • Host reconnaissance commands involving CIM/WMI, systeminfo, net user, nltest, and wallet or browser extension enumeration.

Investigation Checklist

  • Identify downloads and executions of installers named or presented as MobaXterm, WebEx, Zoom, DBeaver, or FACEIT from non-vendor sources.
  • Hunt for mshta.exe, pythonw.exe, curl, and PowerShell execution chains around the suspected initial-access time.
  • Review current-user Run keys, Startup folders, and scheduled tasks for entries that launch remote HTA content or unexpected Python payloads.
  • Search DNS, proxy, firewall, and endpoint telemetry for the domains and IP addresses in the Talos IOC set, accounting for possible compromised or repurposed infrastructure.
  • Inspect browser, cryptocurrency-wallet, Telegram, credential-store, screenshot, and Active Directory reconnaissance access on affected hosts.
  • Scope downloaded shellcode and secondary payloads, including CastleStealer, Remcos RAT, and WLDR, before deciding that removal of the initial installer completed containment.

Containment And Hardening

  • Isolate confirmed hosts and block the campaign IOC set at DNS, proxy, firewall, and endpoint controls after validating business impact.
  • Remove malicious Run keys, Startup shortcuts, scheduled tasks, HTA files, Python loaders, RAT components, and secondary payloads only after collecting forensic evidence.
  • Reset credentials and rotate cryptocurrency-wallet secrets exposed on affected systems; revoke active sessions and review related cloud and developer access.
  • Restrict mshta.exe and unapproved PowerShell use where operationally feasible, and enforce application control for installers and scripting engines.
  • Require software downloads from validated vendor distribution points and train users to reject copy-and-run or ClickFix-style instructions.
  • Enable PowerShell, process, registry, scheduled-task, DNS, proxy, and endpoint telemetry needed to reconstruct the complete infection chain.

Source Notes

Cisco Talos published the campaign analysis on July 16, 2026 and reports activity dating to at least June 2025. Talos observed predominant impact in the United States with additional potential impact in Germany, Romania, and Venezuela, and published ClamAV signatures, Snort rules, and a linked IOC repository. AttackTrace selected only techniques supported by explicit behavior in the report.

Evidence ledger

Evidence and mapping rationale

Each mapping is tied to an explicit quote and rationale. Unsupported relationships should stay unresolved until reviewed.

T1204.002Malicious File
trojanized installer lures

Talos observed installers impersonating legitimate administration, collaboration, database, and gaming software; execution of the installer starts the malicious Python loader and Starland RAT chain.

T1059.001PowerShell
PowerShell-based C2 memory implant

The WLDR stages and agent use obfuscated PowerShell for in-memory loading, encrypted command-and-control, and task execution.

T1547.001Registry Run Keys / Startup Folder
establishes persistence

The weaponized HTA writes a Run key under the current user's registry hive so mshta.exe launches the remote HTA at logon.

T1105Ingress Tool Transfer
receiving and executing intermediate payloads

Starland RAT accepts commands to retrieve and run shellcode, EXE, MSI, DLL, and ZIP payloads, including CastleStealer, Remcos RAT, and the WLDR stages.

Detection surface

What defenders should verify

AttackTrace does not claim live coverage. Use these prompts to check whether your telemetry and detections can support the mapped behavior.

Investigate

  1. 01Identify affected products, exposed services, identities, and time windows from your own environment.
  2. 02Pull the log sources that could show the mapped behavior before writing or tuning alerts.
  3. 03Compare observed behavior with the evidence ledger instead of expanding the scope from assumptions.

Detect

  1. 01Map each ATT&CK or ATLAS behavior to concrete telemetry sources and owners.
  2. 02Check whether current detections cover the behavior, prerequisite, and post-exploitation pivot separately.
  3. 03Record gaps as coverage work, not as proof that the campaign is present in your environment.

Respond

  1. 01Prioritize containment only after exposure or observed behavior is confirmed.
  2. 02Preserve source URLs and mapping rationale in the incident record.
  3. 03Send corrections when evidence contradicts a mapping or confidence level.
T1204.002

Confirm telemetry exists for Malicious File, then validate alert logic against real environment data.

T1059.001

Confirm telemetry exists for PowerShell, then validate alert logic against real environment data.

T1547.001

Confirm telemetry exists for Registry Run Keys / Startup Folder, then validate alert logic against real environment data.

T1105

Confirm telemetry exists for Ingress Tool Transfer, then validate alert logic against real environment data.

Investigation workflow

How to investigate this record

Use this sequence when converting reviewed public intelligence into a local defensive task.

IR

Start from the source record and confirm what was observed, not what might be possible.

IR

Translate mapped behavior into local data requirements and asset questions.

IR

Separate vendor/product exposure, actor attribution, malware names, and technique behavior.

IR

Promote only confirmed environment findings into detection, containment, or executive reporting.

Campaign links are manual. They are not inferred from actors, CVEs, titles, sources, or mapped techniques.

Record history

Update history

Update history

Published
2026-07-16
Reviewed
2026-07-18
Mapping confidence
high