Starland RAT Malware: Russian Hackers Exploit Trojanized Installers

Article Content
The ClickFix Conundrum: UAT-11795 Unleashes Trojanized Software Campaign
In the rapidly evolving threat landscape, the convergence of social engineering and sophisticated post-exploitation tooling presents a persistent headache for enterprise security teams. On July 16, 2026, Cisco Talos published a detailed threat intelligence report revealing a highly organized, financially motivated campaign orchestrated by a Russian-speaking threat actor tracked as UAT-11795. Operating since at least June 2025, this adversary has weaponized everyday business collaboration tools, developer utilities, and network administrator applications to compromise environments across the United States and Europe. At the core of this operation lies the deployment of a novel Python-based backdoor dubbed Starland RAT, alongside a bespoke, memory-only PowerShell command-and-control (C2) implant known as the WLDR agent.
Unlike traditional campaigns relying on zero-day exploits, UAT-11795 leverages the high-trust relationship users have with tools such as Cisco Webex, Zoom, MobaXterm, DBeaver, and the FACEIT gaming platform. By trojanizing these installers, the threat actor bypasses standard perimeter defenses, turning a routine software installation into a deep network compromise. The campaign stands out not just for its delivery mechanism, but for its highly resilient C2 infrastructure, which notably incorporates blockchain-anchored fallback channels.
Initial Access: Deconstructing the “ClickFix” Delivery Loop
The infection chain begins far before the victim executes the trojanized installer. UAT-11795 relies heavily on ClickFix social engineering techniques—a growing trend where users are tricked into manually executing system commands. Typically, victims are lured to compromised or malicious websites displaying fake errors, such as browser rendering issues, missing document fonts, or failed video playback prompts. The site guides the user to “resolve” the issue by copying a specific instruction sequence to their clipboard and pasting it directly into a Windows Run dialog or a PowerShell prompt.
Once pasted, this command initiates a highly structured attack chain designed to establish persistence before the main payloads are ever deployed:
- Stager Execution: The initial command invokes the legitimate Windows utility
mshta.exeto fetch and run a weaponized HTML Application (HTA) file hosted on the threat actor’s infrastructure. - VBScript Dropper: Inside the HTA file, an embedded VBScript is executed. This script drops a Windows batch (BAT) file that subsequently downloads and runs the trojanized installer.
- Registration Notification: Concurrently, the VBScript sends execution confirmation alerts back to an actor-controlled Telegram bot, profiling the target system in real-time.
- Initial Persistence: The VBScript immediately registers an entry in the Current User Run registry key (
HKCU\Software\Microsoft\Windows\CurrentVersion\Run) named “MyApp”. This entry is configured to re-fetch and execute the remote HTA file at every system logon, ensuring a persistent foothold even if subsequent steps fail.
The Trojanized Installer Payload Delivery
To keep the victim unaware of the underlying compromise, UAT-11795 bundles their malware inside Nullsoft Scriptable Install System (NSIS) installers that mimic popular software. These packages execute both the clean application and the malicious setup sequence simultaneously. The target application set includes:
- MobaXterm (MobaXterm_v26.1.exe): A popular terminal and network administration utility commonly used by IT professionals.
- Cisco Webex & Zoom (WebEx_Client.exe and Zoom installers): Ubiquitous enterprise communication and collaboration platforms.
- DBeaver Community Edition (dbeaver-ce-windows-x86_64.exe): An open-source SQL client and database manager used heavily by developers and database administrators.
- FACEIT (FaceitInstaller_x64.exe): A popular competitive gaming client, suggesting an effort to broaden their victim profile beyond corporate assets to high-value consumer endpoints.
When the victim executes the fake installer, the NSIS script launches a bundled, legitimate Python runtime executable (pythonw.exe). Rather than executing a standard Python file, it points to a compiled, byte-encrypted Python loader disguised as a benign text file named LICENSE.txt. This loader uses an inline XOR-decryption routine with a hardcoded hex key of 0xC6 to unpack, load, and execute the core payload directly within memory.
Technical Breakdown of Starland RAT and Evasion Tactics
The primary payload executed by the custom Python loader is Starland RAT. Written in Python and engineered specifically for Windows operating systems, this novel Remote Access Trojan provides the threat actor with deep interactive control over the victim’s endpoint. Because it runs directly from the memory buffer of the Python runtime, it minimizes on-disk footprints, making traditional file-based antivirus signatures largely ineffective.
Dynamic API Resolution via ctypes
To interact with the underlying Windows subsystem without triggering static import alerts, Starland RAT avoids importing standard library modules that map to high-risk APIs. Instead, during its initial execution phase, it dynamically resolves and maps required Windows API function signatures using Python’s ctypes interface. The malware explicitly loads kernel32.dll using WinDLL and defines argument and return types for a suite of process injection and memory manipulation calls, including:
VirtualAllocExandVirtualProtectExfor allocating and modifying memory permissions.WriteProcessMemoryto write malicious payloads into target process spaces.CreateRemoteThread,QueueUserAPC, andResumeThreadfor controlling execution flow and thread hijacking.
Furthermore, the RAT declares custom ctypes Structure subclasses that mirror the Windows Software Development Kit (SDK) definitions for critical structures like SECURITY_ATTRIBUTES, STARTUPINFO, and PROCESS_INFORMATION. This advanced mapping architecture ensures the malware can perform process hollowing and memory injection stealthily on the fly.
Anti-Analysis and System Reconnaissance
Before launching its core functionality, Starland RAT performs exhaustive environment checks to detect if it is running inside an analysis environment or sandbox. The malware compares the local system’s hostname and username against hardcoded lists associated with popular security vendor environments. Specifically, it actively checks for names like WDAGUtilityAccount (Windows Defender Application Guard) and variables linked to environments like Cuckoo Sandbox and Any.Run. If a sandbox environment is detected, the RAT terminates immediately to prevent analysis.
On a legitimate target system, the RAT shifts to system profiling. It collects system specifications such as the Hardware ID (HWID), RAM capacity, and active antivirus products using Windows Management Instrumentation (WMI) calls (e.g., via Get-CimInstance). To map out the organizational structure, it queries the local Active Directory topology by executing commands such as nltest /dclist. Finally, the RAT captures an image of the victim’s desktop, encodes it, and exfiltrates it alongside the profiling data to the primary command-and-control server.
Polygon Blockchain: The Ultimate C2 Fail-Safe
One of the most remarkable features of the UAT-11795 campaign is its command-and-control resilience. While the Starland RAT maintains primary, hardcoded C2 domains, the threat actor recognized that web-based security filters and threat-hunting analysts could quickly block these addresses. To circumvent this, they implemented a decentralized, blockchain-anchored fallback mechanism.
If the RAT fails to establish a connection with its primary C2 servers, it triggers an eth_call via JSON-RPC to the public Polygon RPC gateway (polygon-rpc.com). It directs this call to a specific, deployed smart contract: 0x6ae382ed2154cc84c6672e4e908cd2c69c1b35ba, calling the function selector 0xc659f3b8 to fetch the latest block data. The smart contract returns an encrypted hexadecimal string containing backup C2 domain addresses. The RAT retrieves this payload, decrypts it using its internal XOR routine, and dynamically reconfigures its outbound communication parameters. By storing fallback domains on an immutable public ledger, the threat actors ensure that as long as the victim’s network allows access to standard Web3 RPC endpoints, the backdoor can never be completely severed from its controllers.
The WLDR Agent: Sophisticated PowerShell in Memory
While Starland RAT functions as the main gateway, UAT-11795 frequently deploys a secondary, highly evasive C2 framework known as the WLDR agent. Operating entirely in memory, this bespoke PowerShell-based implant is designed to evade modern Endpoint Detection and Response (EDR) agents by leveraging a multi-stage loader and memory execution framework.
The loading process of the WLDR agent is highly structured:
- Encrypted Payload Parsing: The WLDR loader queries the C2 server and receives a JSON response containing an encrypted envelope.
- Key Derivation: The loader processes this response by deriving a 64-byte decryption key using PBKDF2-SHA256. This is calculated using a hardcoded plaintext password (
odg5t8mvssvh) and a unique salt transmitted in the JSON package. - Scope Injection: Upon successful decryption, the loader writes the resolved C2 URL and the decrypted session key directly into the global PowerShell environment scope. This makes these parameters globally available to the main WLDR agent thread while keeping them out of plain command-line arguments.
- Managed Runspaces: The decrypted agent executes inside a managed .NET Runspace engine. This allows the implant to run concurrent tasks asynchronously without spawning new
powershell.exeprocesses, which would immediately trigger process creation alerts in EDR systems.
The WLDR agent maintains an interactive command loop with its C2 server via encrypted HTTP beaconing. It supports a task queuing system, enabling the threat actor to queue up reconnaissance scripts, administrative commands, or custom modules that are dynamically loaded and executed directly in memory.
Targeting Assets: Credential Theft and Crypto Harvesting
The primary objective of the UAT-11795 group is financial gain
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.


