HomeCyber BalkansNew Starland RAT Exfiltrates Browser Credentials and Scans for More Than 40...

New Starland RAT Exfiltrates Browser Credentials and Scans for More Than 40 Crypto Wallets

Published on

spot_img

Emerging Threat: UAT-11795 and the Starland RAT Campaign

In a concerning development within the cybersecurity landscape, a financially motivated threat actor, identified as UAT-11795, has been orchestrating a large-scale malware campaign since at least June 2025. This Russian-speaking adversary has drawn attention due to their sophisticated tools employed to facilitate their operations, particularly a Python-based remote access trojan (RAT) known as “Starland RAT,” coupled with a stealthy in-memory PowerShell implant referred to as the “WLDR agent.”

The campaign primarily targets users across the United States and select regions in Europe, focusing heavily on credential theft and the harvesting of cryptocurrency wallets. Such nefarious actions pose significant threats to both individual users and businesses alike, underlining the need for advanced cybersecurity measures and awareness.

A notable feature of UAT-11795’s campaign is its modular, multi-stage infection chain and a robust command-and-control (C2) architecture capable of evading detection. Initial access is gained through a deceptive method referred to as ClickFix-style social engineering. In this tactic, victims unwittingly execute malicious commands that trigger a weaponized HTML Application (HTA) file via the Windows mshta.exe command. The malware subsequently drops a trojanized installer, bundled with a Python runtime and an obfuscated loader masked as a benign LICENSE.txt file, executed through a tailored Nullsoft Scriptable Install System (NSIS) installer script.

Upon execution, the Python loader employs XOR obfuscation (key 0xC6) to decrypt and directly execute the Starland RAT in memory. This malware is meticulously engineered for Windows environments and utilizes ctypes to dynamically resolve essential Win32 API calls, including VirtualAllocEx and CreateRemoteThread. This technique enables the malware to inject itself into processes and execute commands without the need to include static imports, increasing its chances of remaining undetected.

To enhance its resilience against analysis, Starland RAT incorporates anti-analysis measures by comparing the environment against known sandbox usernames and hostnames, such as WDAGUtilityAccount and various malware analysis platforms like Cuckoo and Any.Run. If it detects that it is being run in a controlled environment, the malware terminates prematurely to avoid discovery.

The persistence mechanisms of Starland RAT are noteworthy, establishing itself through scheduled tasks named with a random prefix (PythonLauncher-{random}) and shortcuts in the Startup folder. Moreover, it attempts privilege escalation using the ShellExecuteW function with the runas verb, effectively allowing it to execute commands with elevated permissions.

Expansive reconnaissance capabilities further underpin the RAT’s operations. Starland RAT collects vital information including hardware identifiers (HWID), RAM size, antivirus software details, and Active Directory context utilizing commands such as Get-CimInstance and nltest /dclist. Additionally, the malware captures a screenshot of the victim’s desktop, encoding and exfiltrating it alongside detailed system profiling data.

One of the most alarming aspects of Starland RAT is its deliberate focus on cryptocurrency theft. The malware identifies over 40 browser-based and desktop wallet applications, consolidating this information into an encrypted JSON payload (with an XOR key of “helo1”). This payload is transmitted via an HTTP POST request that masquerades as traffic from a legitimate Chrome user-agent.

Research from Cisco Talos has disclosed that UAT-11795 has maintained ongoing operations targeting various users in both the U.S. and Europe. Prior to the full exfiltration of data, the malware transmits victim metadata and wallet information to Telegram bots controlled by the attackers—specifically, skuefq_bot and komandastuk_bot—affording the criminals real-time insights into the assets they have compromised.

The infrastructure utilized by UAT-11795 is intricately designed to evade detection, blending in with legitimate internet traffic. Notable domains engaged in this malicious activity include eorthopaedics[.]com and sastoro[.]com, which host staged payloads under deceptive paths and deliver raw shellcode payloads, complicating efforts to pinpoint the origin of these attacks.

Additionally, the primary C2 nodes for Starland RAT have been identified as windowscreenrepairnearme[.]com and aipythondevs[.]com, with unique communications crafted around victim HWIDs derived from disk volume serial numbers. This level of targeting ensures that the threats remain highly personalized and efficient.

Intriguingly, UAT-11795 demonstrates a forward-thinking approach by embedding a blockchain-based resiliency mechanism into its operations. It accomplishes this by incorporating a fallback system via a Polygon smart contract that ensures continued access to C2 domains even in the event of disruptions to its primary infrastructure. The RAT is capable of retrieving XOR-encrypted backup C2 domain information through eth_call requests to polygon-rpc[.]com, reflecting advanced planning in its deployment strategy.

Following the initial compromise, UAT-11795’s activities expand to involve the deployment of additional payloads, including CastleStealer—a .NET credential and crypto stealer—and Remcos RAT, which offers persistent remote access to attackers.

Furthermore, Talos has identified the parallel deployment of the WLDR agent, a fileless PowerShell implant delivered through an obfuscated staging chain. This framework facilitates encrypted communication between the malware and the attackers, employing HWID-bound tasking and a Runspace-based execution engine, allowing simultaneous execution of various modules defined by the attackers.

Telemetry data and passive DNS analysis indicate that the bulk of infections stemming from this campaign are centered in the United States, with additional figures observed in Germany, Romania, and Venezuela. The use of trojanized installers for popular software—including MobaXterm, DBeaver, WebEx, Zoom, and FACEIT—further highlights the campaign’s opportunistic nature and intent to reach both enterprise and consumer environments.

The discovery of a private Telegram channel named “stuk komanda,” created in June 2025, corroborates the operational maturity of UAT-11795. This channel is suspected to act as a covert C2 or staging hub, revealing the organized structure underpinning these attacks.

In summary, the combination of advanced multi-layered payload delivery, an acute focus on cryptocurrency theft, and innovative decentralized fallback mechanisms not only adds to the complexity of UAT-11795’s operation but represents a significant evolution in financially driven malware campaigns, blending traditional methods with emerging technologies. As these malicious activities continue to escalate, individuals and organizations must remain vigilant and proactive in safeguarding their digital resources.

Source link

Latest articles

OnlyFans Performers Forge Unexpected Alliance with CISOs to Secure Websites

Investigation Reveals Illicit Distribution Systems Exploiting Adult Content In a recent examination of digital traffic...

Cyber Briefing – July 17, 2026 – CyberMaterial

Cybersecurity: A Rising Threat Landscape and Corporate Responses In recent times, the cybersecurity landscape has...

US Cybersecurity Agency Exposes Confidential Information

CISA Recognized for Swift Action and Transparency in Security Incident By Mathew J. Schwartz July 17,...

Study Warns Government Agencies Are Daily Targets of Ransomware Attacks

Surge in Ransomware Attacks on Government Entities: Analysis Reveals Daily Incidents Ransomware attacks targeting government...

More like this

OnlyFans Performers Forge Unexpected Alliance with CISOs to Secure Websites

Investigation Reveals Illicit Distribution Systems Exploiting Adult Content In a recent examination of digital traffic...

Cyber Briefing – July 17, 2026 – CyberMaterial

Cybersecurity: A Rising Threat Landscape and Corporate Responses In recent times, the cybersecurity landscape has...

US Cybersecurity Agency Exposes Confidential Information

CISA Recognized for Swift Action and Transparency in Security Incident By Mathew J. Schwartz July 17,...