Novel Starland RAT and bespoke WLDR C2 implant deployed in financially motivated campaign
A Russian-speaking financially motivated threat actor known as UAT-11795 has been conducting a campaign since June 2025 targeting users in the United States and Europe. The campaign uses trojanized installers of legitimate software to deliver a Python-based remote access tool called Starland RAT and a PowerShell-based command-and-control implant named WLDR agent. The operation aims to harvest credentials and steal cryptocurrency wallet assets while maintaining persistence for further payload delivery. Additional malware such as CastleStealer and Remcos RAT are also used. The infrastructure includes distributed staging, C2 domains, Telegram bots for notifications, and a Polygon smart contract fallback for C2 resolution.
AI Analysis
Technical Summary
The UAT-11795 adversary group deploys a financially motivated malware campaign leveraging trojanized installers of popular software (MobaXterm, WebEx, Zoom, DBeaver, FACEIT) to distribute Starland RAT (Python-based) and the WLDR PowerShell implant. The WLDR implant features encrypted beaconing, task queuing, and a Runspace execution engine for executing payloads in memory. The campaign targets credential harvesting and cryptocurrency theft, establishing persistent access for additional payloads including CastleStealer and Remcos RAT. The attacker infrastructure uses distributed staging servers, multiple C2 domains, Telegram bots for operator notifications, and a Polygon blockchain smart contract as a fallback mechanism for C2 domain resolution. The campaign has been active since June 2025, focusing on victims in the US and Europe.
Potential Impact
The campaign enables unauthorized remote access to victim systems, credential theft, and cryptocurrency wallet compromise. Persistent access allows the adversary to deploy additional malware and maintain control over infected hosts. The use of trojanized legitimate software installers increases the likelihood of successful infection. The financial motivation and targeting of cryptocurrency assets indicate potential direct monetary loss to victims.
Mitigation Recommendations
No official patch or remediation is indicated for this malware campaign. Mitigation should focus on user awareness to avoid installing trojanized software, verifying software authenticity from official sources, and monitoring for indicators of compromise related to Starland RAT, WLDR agent, CastleStealer, and Remcos RAT. Network defenders should consider blocking known C2 domains and Telegram bot communications associated with this campaign. Since this is a malware campaign rather than a software vulnerability, patching is not applicable.
Affected Countries
United States
Indicators of Compromise
- domain: windowscreenrepairnearme.com
- ip: 193.149.176.254
- hash: a6821c7e9bfe2e6af0f690d906ec6a26161e2198c256fb60f3b4731c317f3ad9
- ip: 74.114.119.201
- domain: zynaris.io
- hash: c33f097fdb2b69b4cbb1c3f29ae88b43
- hash: 650e751e8ee5f5958c6a70288a24a4e3d19904a2
- hash: 162e436f18fe6099c57855c8d63fd747493624e87702dc749b242eb9a6b758ca
- hash: 17e41d66ebfd56edc960f58f4285697ceceaa812514bb15092672c747979896e
- hash: 1a01ad25712d306f27f526332fdccf959f2de53207b54e4e80f60faa804d6cb6
- hash: 1b46f761719dce44baa2d7b417c5214fc41c080f7f9ba485e7e489d949097f1f
- hash: 2751281d3800d82ecd3fad7c1d2293f3b947875a343b0672b4f4024a261165d2
- hash: 2a27b3415114b874da295c19cce5227a8b8d9525cc2da331034a1f45528eecae
- hash: 2c7a99f137efd718f89cf8b260379c99af89ea1939568df09314918f2c5999a3
- hash: 365024336c7681ac0854321ac6c140a245b9593285da02d2a590124cdc592370
- hash: 36e3838d07978f49ebe6546d57d2f311b8d6566558bcd58448e921c988cc346a
- hash: 451ac8ca34d5bcdfe476465f69eb517b2608f267c7e8d69f8ef36197a6f1d949
- hash: 47dedb08385449d48d8b6543030310317c92cddafa25e14ee0cb9a32d53ced5c
- hash: 575ce92c473e6d47810321e309a4e29dd7f52f4152526b0bdca80f54b53aed2f
- hash: 5b9bf7957a9f8869c87ace1a6d76b48e2623073e72739ad0636b5dfa4bb2e0c3
- hash: 603fd9724de346a06e00c1b8502c2ac1180812a18bbf30032dab8d469e5c18e1
- hash: 6ae334ce60d1a9b7fb96d1d0d0eda5ec7c2c31d3f0cf3e4d7e3056504d50043d
- hash: 6ca7a458985350ac082a9c9820d7f8d39128a4c4bda2f5d32f169a45b7b22bc6
- hash: 7dc77a5abab119960fbe42b1535c957020cce1b8e0a3cf58d4eddc51b5bf9940
- hash: 896185a89bd7eb0520b03fdcfb8db0be98b43cf15f14041d73b23d3988c1bcab
- hash: 964256d3259b6e0c701ec04116c45cf0ec381c1c209dc29b09a7930cd7a4810b
- hash: a080b5380ccc8fc40b24c02151d305efc32d931dc547881e01a2e6f2b070c7dc
- hash: a1835d333ac3db961a8ff1f4864e3c10a6f73a872c040599091390a009ac7804
- hash: a32ac345e39cb7606322e2155bd7b4d6941c1678619e48d1f14d9301ee53e6c0
- hash: a59742d3086924c5f511d248df01601bfbf723359590fb3f3ba355f2792cc455
- hash: d52540621dec5ed56cac8532f0e4fe10a7575c3e17e984f59646909fa587dd35
- hash: ddcf66ecc61dc6b8cd36748d284d8cb45a470201b5373dd2bfc47700c7da32e1
- hash: f4491736743a16f1278b8ba01649ee93343764e35ae5e1c0d5e0c0e1d7e32c14
- hash: f8da52ff98e66b137b5d31908f0a5d0fa1eb446034337f8bba3d5bba60f586be
- url: https://eorthopaedics.com/feed/cew78zwvd2/
- url: https://eorthopaedics.com/feed/gnsmetadyx54/
- url: https://eorthopaedics.com/feed/note
- url: https://sastoro.com/alpha/dpyb8w3ycih8/
- url: https://sastoro.com/alpha/nrpilqjnut/
- url: https://web-devtools.com/dopfile
- url: https://web-devtools.com/file.zip
- url: https://web-devtools.com/starlandfox
- url: https://web-devtools.com/x32remka
- url: https://windowscreenrepairnearme.com/command
- domain: aipythondevs.com
- domain: alphabitcapital.info
- domain: eorthopaedics.com
- domain: niggerdemon.in
- domain: sastoro.com
- domain: web-devtools.com
Novel Starland RAT and bespoke WLDR C2 implant deployed in financially motivated campaign
Description
A Russian-speaking financially motivated threat actor known as UAT-11795 has been conducting a campaign since June 2025 targeting users in the United States and Europe. The campaign uses trojanized installers of legitimate software to deliver a Python-based remote access tool called Starland RAT and a PowerShell-based command-and-control implant named WLDR agent. The operation aims to harvest credentials and steal cryptocurrency wallet assets while maintaining persistence for further payload delivery. Additional malware such as CastleStealer and Remcos RAT are also used. The infrastructure includes distributed staging, C2 domains, Telegram bots for notifications, and a Polygon smart contract fallback for C2 resolution.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The UAT-11795 adversary group deploys a financially motivated malware campaign leveraging trojanized installers of popular software (MobaXterm, WebEx, Zoom, DBeaver, FACEIT) to distribute Starland RAT (Python-based) and the WLDR PowerShell implant. The WLDR implant features encrypted beaconing, task queuing, and a Runspace execution engine for executing payloads in memory. The campaign targets credential harvesting and cryptocurrency theft, establishing persistent access for additional payloads including CastleStealer and Remcos RAT. The attacker infrastructure uses distributed staging servers, multiple C2 domains, Telegram bots for operator notifications, and a Polygon blockchain smart contract as a fallback mechanism for C2 domain resolution. The campaign has been active since June 2025, focusing on victims in the US and Europe.
Potential Impact
The campaign enables unauthorized remote access to victim systems, credential theft, and cryptocurrency wallet compromise. Persistent access allows the adversary to deploy additional malware and maintain control over infected hosts. The use of trojanized legitimate software installers increases the likelihood of successful infection. The financial motivation and targeting of cryptocurrency assets indicate potential direct monetary loss to victims.
Mitigation Recommendations
No official patch or remediation is indicated for this malware campaign. Mitigation should focus on user awareness to avoid installing trojanized software, verifying software authenticity from official sources, and monitoring for indicators of compromise related to Starland RAT, WLDR agent, CastleStealer, and Remcos RAT. Network defenders should consider blocking known C2 domains and Telegram bot communications associated with this campaign. Since this is a malware campaign rather than a software vulnerability, patching is not applicable.
Affected Countries
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://blog.talosintelligence.com/uat-11795-deploys-novel-starland-rat-and-bespoke-wldr-c2-implant-in-financially-motivated-campaign/"]
- Adversary
- UAT-11795
- Pulse Id
- 6a58c1aa702b1130710d1bfb
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainwindowscreenrepairnearme.com | — | |
domainzynaris.io | — | |
domainaipythondevs.com | — | |
domainalphabitcapital.info | — | |
domaineorthopaedics.com | — | |
domainniggerdemon.in | — | |
domainsastoro.com | — | |
domainweb-devtools.com | — |
Ip
| Value | Description | Copy |
|---|---|---|
ip193.149.176.254 | — | |
ip74.114.119.201 | — |
Hash
| Value | Description | Copy |
|---|---|---|
hasha6821c7e9bfe2e6af0f690d906ec6a26161e2198c256fb60f3b4731c317f3ad9 | — | |
hashc33f097fdb2b69b4cbb1c3f29ae88b43 | — | |
hash650e751e8ee5f5958c6a70288a24a4e3d19904a2 | — | |
hash162e436f18fe6099c57855c8d63fd747493624e87702dc749b242eb9a6b758ca | — | |
hash17e41d66ebfd56edc960f58f4285697ceceaa812514bb15092672c747979896e | — | |
hash1a01ad25712d306f27f526332fdccf959f2de53207b54e4e80f60faa804d6cb6 | — | |
hash1b46f761719dce44baa2d7b417c5214fc41c080f7f9ba485e7e489d949097f1f | — | |
hash2751281d3800d82ecd3fad7c1d2293f3b947875a343b0672b4f4024a261165d2 | — | |
hash2a27b3415114b874da295c19cce5227a8b8d9525cc2da331034a1f45528eecae | — | |
hash2c7a99f137efd718f89cf8b260379c99af89ea1939568df09314918f2c5999a3 | — | |
hash365024336c7681ac0854321ac6c140a245b9593285da02d2a590124cdc592370 | — | |
hash36e3838d07978f49ebe6546d57d2f311b8d6566558bcd58448e921c988cc346a | — | |
hash451ac8ca34d5bcdfe476465f69eb517b2608f267c7e8d69f8ef36197a6f1d949 | — | |
hash47dedb08385449d48d8b6543030310317c92cddafa25e14ee0cb9a32d53ced5c | — | |
hash575ce92c473e6d47810321e309a4e29dd7f52f4152526b0bdca80f54b53aed2f | — | |
hash5b9bf7957a9f8869c87ace1a6d76b48e2623073e72739ad0636b5dfa4bb2e0c3 | — | |
hash603fd9724de346a06e00c1b8502c2ac1180812a18bbf30032dab8d469e5c18e1 | — | |
hash6ae334ce60d1a9b7fb96d1d0d0eda5ec7c2c31d3f0cf3e4d7e3056504d50043d | — | |
hash6ca7a458985350ac082a9c9820d7f8d39128a4c4bda2f5d32f169a45b7b22bc6 | — | |
hash7dc77a5abab119960fbe42b1535c957020cce1b8e0a3cf58d4eddc51b5bf9940 | — | |
hash896185a89bd7eb0520b03fdcfb8db0be98b43cf15f14041d73b23d3988c1bcab | — | |
hash964256d3259b6e0c701ec04116c45cf0ec381c1c209dc29b09a7930cd7a4810b | — | |
hasha080b5380ccc8fc40b24c02151d305efc32d931dc547881e01a2e6f2b070c7dc | — | |
hasha1835d333ac3db961a8ff1f4864e3c10a6f73a872c040599091390a009ac7804 | — | |
hasha32ac345e39cb7606322e2155bd7b4d6941c1678619e48d1f14d9301ee53e6c0 | — | |
hasha59742d3086924c5f511d248df01601bfbf723359590fb3f3ba355f2792cc455 | — | |
hashd52540621dec5ed56cac8532f0e4fe10a7575c3e17e984f59646909fa587dd35 | — | |
hashddcf66ecc61dc6b8cd36748d284d8cb45a470201b5373dd2bfc47700c7da32e1 | — | |
hashf4491736743a16f1278b8ba01649ee93343764e35ae5e1c0d5e0c0e1d7e32c14 | — | |
hashf8da52ff98e66b137b5d31908f0a5d0fa1eb446034337f8bba3d5bba60f586be | — |
Url
| Value | Description | Copy |
|---|---|---|
urlhttps://eorthopaedics.com/feed/cew78zwvd2/ | — | |
urlhttps://eorthopaedics.com/feed/gnsmetadyx54/ | — | |
urlhttps://eorthopaedics.com/feed/note | — | |
urlhttps://sastoro.com/alpha/dpyb8w3ycih8/ | — | |
urlhttps://sastoro.com/alpha/nrpilqjnut/ | — | |
urlhttps://web-devtools.com/dopfile | — | |
urlhttps://web-devtools.com/file.zip | — | |
urlhttps://web-devtools.com/starlandfox | — | |
urlhttps://web-devtools.com/x32remka | — | |
urlhttps://windowscreenrepairnearme.com/command | — |
Threat ID: 6a59782068715ace4305c1cc
Added to database: 07/17/2026, 00:32:32 UTC
Last enriched: 07/17/2026, 00:48:49 UTC
Last updated: 07/17/2026, 03:35:36 UTC
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.