Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Novel Starland RAT and bespoke WLDR C2 implant deployed in financially motivated campaign

0
Medium
Published: 07/16/2026 (07/16/2026, 11:34:02 UTC)
Source: AlienVault OTX General

Description

A Russian-speaking financially motivated threat actor known as UAT-11795 has been conducting a campaign since June 2025 targeting users in the United States and Europe. The campaign uses trojanized installers of legitimate software to deliver a Python-based remote access tool called Starland RAT and a PowerShell-based command-and-control implant named WLDR agent. The operation aims to harvest credentials and steal cryptocurrency wallet assets while maintaining persistence for further payload delivery. Additional malware such as CastleStealer and Remcos RAT are also used. The infrastructure includes distributed staging, C2 domains, Telegram bots for notifications, and a Polygon smart contract fallback for C2 resolution.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/17/2026, 00:48:49 UTC

Technical Analysis

The UAT-11795 adversary group deploys a financially motivated malware campaign leveraging trojanized installers of popular software (MobaXterm, WebEx, Zoom, DBeaver, FACEIT) to distribute Starland RAT (Python-based) and the WLDR PowerShell implant. The WLDR implant features encrypted beaconing, task queuing, and a Runspace execution engine for executing payloads in memory. The campaign targets credential harvesting and cryptocurrency theft, establishing persistent access for additional payloads including CastleStealer and Remcos RAT. The attacker infrastructure uses distributed staging servers, multiple C2 domains, Telegram bots for operator notifications, and a Polygon blockchain smart contract as a fallback mechanism for C2 domain resolution. The campaign has been active since June 2025, focusing on victims in the US and Europe.

Potential Impact

The campaign enables unauthorized remote access to victim systems, credential theft, and cryptocurrency wallet compromise. Persistent access allows the adversary to deploy additional malware and maintain control over infected hosts. The use of trojanized legitimate software installers increases the likelihood of successful infection. The financial motivation and targeting of cryptocurrency assets indicate potential direct monetary loss to victims.

Mitigation Recommendations

No official patch or remediation is indicated for this malware campaign. Mitigation should focus on user awareness to avoid installing trojanized software, verifying software authenticity from official sources, and monitoring for indicators of compromise related to Starland RAT, WLDR agent, CastleStealer, and Remcos RAT. Network defenders should consider blocking known C2 domains and Telegram bot communications associated with this campaign. Since this is a malware campaign rather than a software vulnerability, patching is not applicable.

Affected Countries

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://blog.talosintelligence.com/uat-11795-deploys-novel-starland-rat-and-bespoke-wldr-c2-implant-in-financially-motivated-campaign/"]
Adversary
UAT-11795
Pulse Id
6a58c1aa702b1130710d1bfb
Threat Score
null

Indicators of Compromise

Domain

ValueDescriptionCopy
domainwindowscreenrepairnearme.com
domainzynaris.io
domainaipythondevs.com
domainalphabitcapital.info
domaineorthopaedics.com
domainniggerdemon.in
domainsastoro.com
domainweb-devtools.com

Ip

ValueDescriptionCopy
ip193.149.176.254
ip74.114.119.201

Hash

ValueDescriptionCopy
hasha6821c7e9bfe2e6af0f690d906ec6a26161e2198c256fb60f3b4731c317f3ad9
hashc33f097fdb2b69b4cbb1c3f29ae88b43
hash650e751e8ee5f5958c6a70288a24a4e3d19904a2
hash162e436f18fe6099c57855c8d63fd747493624e87702dc749b242eb9a6b758ca
hash17e41d66ebfd56edc960f58f4285697ceceaa812514bb15092672c747979896e
hash1a01ad25712d306f27f526332fdccf959f2de53207b54e4e80f60faa804d6cb6
hash1b46f761719dce44baa2d7b417c5214fc41c080f7f9ba485e7e489d949097f1f
hash2751281d3800d82ecd3fad7c1d2293f3b947875a343b0672b4f4024a261165d2
hash2a27b3415114b874da295c19cce5227a8b8d9525cc2da331034a1f45528eecae
hash2c7a99f137efd718f89cf8b260379c99af89ea1939568df09314918f2c5999a3
hash365024336c7681ac0854321ac6c140a245b9593285da02d2a590124cdc592370
hash36e3838d07978f49ebe6546d57d2f311b8d6566558bcd58448e921c988cc346a
hash451ac8ca34d5bcdfe476465f69eb517b2608f267c7e8d69f8ef36197a6f1d949
hash47dedb08385449d48d8b6543030310317c92cddafa25e14ee0cb9a32d53ced5c
hash575ce92c473e6d47810321e309a4e29dd7f52f4152526b0bdca80f54b53aed2f
hash5b9bf7957a9f8869c87ace1a6d76b48e2623073e72739ad0636b5dfa4bb2e0c3
hash603fd9724de346a06e00c1b8502c2ac1180812a18bbf30032dab8d469e5c18e1
hash6ae334ce60d1a9b7fb96d1d0d0eda5ec7c2c31d3f0cf3e4d7e3056504d50043d
hash6ca7a458985350ac082a9c9820d7f8d39128a4c4bda2f5d32f169a45b7b22bc6
hash7dc77a5abab119960fbe42b1535c957020cce1b8e0a3cf58d4eddc51b5bf9940
hash896185a89bd7eb0520b03fdcfb8db0be98b43cf15f14041d73b23d3988c1bcab
hash964256d3259b6e0c701ec04116c45cf0ec381c1c209dc29b09a7930cd7a4810b
hasha080b5380ccc8fc40b24c02151d305efc32d931dc547881e01a2e6f2b070c7dc
hasha1835d333ac3db961a8ff1f4864e3c10a6f73a872c040599091390a009ac7804
hasha32ac345e39cb7606322e2155bd7b4d6941c1678619e48d1f14d9301ee53e6c0
hasha59742d3086924c5f511d248df01601bfbf723359590fb3f3ba355f2792cc455
hashd52540621dec5ed56cac8532f0e4fe10a7575c3e17e984f59646909fa587dd35
hashddcf66ecc61dc6b8cd36748d284d8cb45a470201b5373dd2bfc47700c7da32e1
hashf4491736743a16f1278b8ba01649ee93343764e35ae5e1c0d5e0c0e1d7e32c14
hashf8da52ff98e66b137b5d31908f0a5d0fa1eb446034337f8bba3d5bba60f586be

Url

ValueDescriptionCopy
urlhttps://eorthopaedics.com/feed/cew78zwvd2/
urlhttps://eorthopaedics.com/feed/gnsmetadyx54/
urlhttps://eorthopaedics.com/feed/note
urlhttps://sastoro.com/alpha/dpyb8w3ycih8/
urlhttps://sastoro.com/alpha/nrpilqjnut/
urlhttps://web-devtools.com/dopfile
urlhttps://web-devtools.com/file.zip
urlhttps://web-devtools.com/starlandfox
urlhttps://web-devtools.com/x32remka
urlhttps://windowscreenrepairnearme.com/command

Threat ID: 6a59782068715ace4305c1cc

Added to database: 07/17/2026, 00:32:32 UTC

Last enriched: 07/17/2026, 00:48:49 UTC

Last updated: 07/17/2026, 03:35:36 UTC

Views: 11

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses