A financially motivated Russian group tracked as UAT-11795 is hiding a new backdoor called Starland RAT inside trojanised installers for Zoom, WebEx, MobaXterm, DBeaver and FaceIT. For UK organisations that rely on these tools for remote and hybrid work, this is a client-integrity problem, not just a phishing one.
View the data behind this chart
| Phase | Starts (week) | Duration (weeks) |
|---|---|---|
| Active campaign, largely… | 0 | 52 |
| Cisco Talos disclosure and… | 52 | 4 |
What Cisco Talos found
Cisco Talos published research on 16 July 2026 detailing a campaign it attributes to UAT-11795, a Russian-linked, financially motivated actor active since at least June 2025. Rather than exploiting Zoom or WebEx themselves, the group builds counterfeit installers of legitimate software and distributes them so victims believe they are downloading a genuine client. Confirmed targeting has centred on users in the United States, with additional victims identified in Germany, Romania and Venezuela.
Talos could not confirm exactly how victims are lured to the fake installers, but suspects the ClickFix technique — where users are tricked into pasting and running a malicious command themselves — is the likely delivery method. That detail matters for UK buyers: it points to a social-engineering weak point sitting upstream of any technical control, which is why user behaviour and download policy deserve equal weight alongside endpoint tooling.
Inside the infection chain
The attack begins with an HTA file that fetches a trojanised NSIS installer. Bundled inside is a Python loader disguised as an innocuous LICENSE.txt file. Once run, the loader rewrites Windows Registry entries to establish persistence, then decrypts and loads the Starland RAT itself.
On execution, Starland checks for sandbox environments before adding scheduled tasks and Startup folder entries, and attempts privilege escalation. It then harvests browser data, credentials from more than 40 desktop and browser-extension cryptocurrency wallets, detailed system fingerprints (HWID, RAM, processor, OS, computer name, region, public IP and installed antivirus products), and Active Directory information including domain structure, domain controllers and the victim's domain privileges. That AD reconnaissance capability is the part security leads should flag immediately — a compromised endpoint isn't just a stolen password, it's a scouting report for lateral movement across the domain.
Two payload branches, two different risks
Starland RAT can capture screenshots, run shell commands, inject 32-bit or 64-bit shellcode, and pull down further payloads. Talos observed the chain splitting in two directions: the 64-bit path delivers CastleStealer, an info-stealer built to grab browser credentials, crypto wallet data, Discord and Telegram sessions, Steam logins and filesystem files. The 32-bit path deploys Remcos RAT, giving attackers keylogging, webcam and screen capture, audio recording, clipboard monitoring, file management and full remote command execution.
For UK organisations, this means a single trojanised installer can produce two very different incident profiles — a quiet credential-and-wallet theft, or a fully interactive remote-access compromise with surveillance capability. Response playbooks need to account for both, which is where a tested incident response plan earns its keep.

Command-and-control built to survive takedowns
Talos also found that if Starland's hardcoded C2 address goes offline, the malware queries a Polygon blockchain smart contract to retrieve an XOR-encrypted fallback domain — a resilience trick that makes simple domain blocklisting far less effective. Alongside this, UAT-11795 is using a previously undocumented PowerShell-based C2 framework named WLDR, which beacons using PBKDF2-SHA256 encryption, runs entirely in memory, and binds each payload to the victim's specific hardware identifier. In practice, that combination of blockchain fallback and memory-resident, hardware-locked C2 makes static signature detection and simple network blocking unreliable defences on their own.
What UK IT and security buyers should do now
Because Zoom and WebEx sit on almost every UK remote and hybrid worker's device, procurement and IT teams should treat this as a supply-chain and endpoint-integrity issue, not a one-off malware alert. Talos has published indicators of compromise that should be fed directly into detection tooling, and Talos recommends that users avoid running any command found online that they don't fully understand, and download software only from confirmed official vendor portals.
Practical steps for UK estates include auditing installer sources across the fleet, verifying digital signatures on Zoom, WebEx and similar clients, and checking for the scheduled tasks and registry persistence patterns described above. Teams should also revisit how they secure remote and hybrid workers who install their own collaboration software, and consider whether current tooling can actually spot in-memory, hardware-bound C2 traffic. This is a good moment to evaluate the best EDR platforms against exactly this kind of trojanised-installer, fileless-C2 scenario, and to pair detection with managed detection & response for continuous monitoring rather than periodic checks.
View the data behind this chart
| Starland RAT | CastleStealer | Remcos RAT | |
|---|---|---|---|
| Delivery path | Initial loader | 64-bit shellcode | 32-bit shellcode |
| Credential theft | Browser data | Browser creds | Keylogging |
| Crypto wallet targeting | 40+ wallets | Wallet data | No |
| Surveillance capability | Screenshots | Discord/Telegram | Webcam+audio |
| AD/domain recon | Yes | No | No |
| Remote control | Shell commands | No | Full RCE |
The bottom line for procurement
Starland RAT is a reminder that the weakest link in remote-work security isn't always the vendor's software — it's the installer path between download and desktop. UK buyers should push suppliers and internal teams to confirm software provenance, and should strengthen zero-trust controls so that a single compromised client can't freely reach Active Directory or wallet data. Given the credential and crypto theft focus here, it's also worth revisiting how well current defences bolster ransomware protection, since stolen domain privileges and AD reconnaissance are frequently the precursor to a follow-on ransomware event. Organisations without a clear view of installer integrity across their estate should treat that gap as the priority fix, not an afterthought.
