Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Russian hackers trojanize WebEx, Zoom apps to push Starland malware

0
Medium
Malwareweb
Published: 07/16/2026 (07/16/2026, 10:19:34 UTC)
Source: Bleeping Computer

Description

A financially motivated Russian threat actor tracked as UAT-11795 is using trojanized software to steal credentials and cryptocurrency by deploying a new backdoor called Starland RAT. [...]

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/16/2026, 10:47:48 UTC

Technical Analysis

The Russian threat actor UAT-11795 employs trojanized installers of legitimate applications including WebEx, Zoom, MobaXterm, DBeaver, and FaceIT to deploy the Starland RAT. The infection chain begins with an HTA file that downloads a trojanized NSIS installer containing a Python loader, which establishes persistence by modifying the Windows Registry and decrypts the Starland RAT. Starland collects browser and cryptocurrency wallet data, system hardware and software details, and Active Directory information. It also captures screenshots, executes shell commands, injects shellcode (32- and 64-bit), and downloads additional payloads. The 64-bit shellcode delivers CastleStealer info-stealer malware, while the 32-bit chain delivers Remcos RAT, which provides keylogging, webcam capture, audio recording, and remote command execution. The malware uses a redundant C2 communication method involving a Polygon smart contract and an undocumented PowerShell C2 framework called WLDR that operates in memory with encrypted communications. The attacks have been ongoing since mid-2025, primarily targeting U.S. users but also affecting Germany, Romania, and Venezuela. Cisco Talos recommends using IoCs for detection and advises downloading software only from official sources.

Potential Impact

The Starland RAT campaign enables attackers to steal sensitive credentials, including browser and cryptocurrency wallet data, and gather detailed system and network information such as Active Directory domain structure and privileges. The malware’s capabilities include persistence, privilege escalation, remote command execution, and delivery of additional malware payloads (CastleStealer and Remcos RAT), which further compromise victim systems by stealing credentials, monitoring user activity, and enabling remote control. This can lead to significant data theft, financial loss, and unauthorized access within targeted environments.

Mitigation Recommendations

No official patch or fix is available for this malware campaign. Organizations should leverage the indicators of compromise (IoCs) published by Cisco Talos to detect and respond to infections. Users should avoid executing unknown commands found online and only download software from verified official vendor portals. Employing endpoint detection and response (EDR) solutions that can detect the described behaviors and payloads is recommended. Regularly updating security tools to recognize Starland RAT and associated malware is advised.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Article Source
{"url":"https://www.bleepingcomputer.com/news/security/russian-hackers-trojanize-webex-zoom-apps-to-push-starland-malware/","fetched":true,"fetchedAt":"2026-07-16T10:47:37.128Z","wordCount":767}

Threat ID: 6a58b6c968715ace43e0496c

Added to database: 07/16/2026, 10:47:37 UTC

Last enriched: 07/16/2026, 10:47:48 UTC

Last updated: 07/16/2026, 17:52:56 UTC

Views: 28

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses