Full Report
Cisco Talos is disclosing UAT-11795, a sophisticated, Russian-speaking, financially motivated adversary that has been conducting a malicious campaign targeting users in the U.S. and Europe since at least June 2025.
Analysis Summary
# Threat Actor: UAT-11795
## Attribution & Identity
* **Name/Alias:** UAT-11795
* **Language/Origin:** Russian-speaking
* **Motivation:** Financially motivated
* **Characteristics:** Sophisticated adversary utilizing custom-built malware and resilient C2 techniques.
## Activity Summary
* **Operational Window:** Active since at least June 2025.
* **Campaign Overview:** A multi-stage malicious campaign involving the distribution of trojanized installers to deploy novel RATs (Starland RAT) and memory implants (WLDR agent). The actor leverages hijacked domains and blockchain-based fallback mechanisms to maintain persistence and evade detection.
## Tactics, Techniques & Procedures
* **Defense Evasion:** Use of "CastleStealer" with Russian locale exclusion checks (to avoid infecting Russian systems) and hardcoded build expiry timestamps.
* **C2 Resilience:** Implementation of a Polygon smart contract to store XOR-encrypted fallback C2 domains.
* **Execution:** PowerShell-based Runspace execution engine for in-memory payload delivery.
* **Exfiltration:** Use of Telegram bots for execution notification beacons and inventorying victim assets.
* **Lure Strategy:** Use of trojanized installers for popular software (MobaXterm, Zoom, DBeaver) and "ClickFix" HTML application (HTA) stagers.
* **MITRE ATT&CK IDs:**
* T1059.001 (PowerShell)
* T1548.002 (Bypass User Account Control)
* T1027 (Obfuscated Files or Information)
* T1584.001 (Domains)
* T1055 (Process Injection)
* T1102.001 (Web Service: Dead Drop Resolver)
## Targeting
* **Sectors:** Opportunistic/Volume-driven; targets IT administration, software development, enterprise collaboration, and consumer gaming.
* **Geography:** Primarily the United States; secondary impacts in Germany, Romania, and Venezuela.
* **Victims:** Users of MobaXterm, Cisco WebEx, Zoom, DBeaver, and FACEIT.
## Tools & Infrastructure
* **Malware Families:**
* **Starland RAT:** Python-based remote access tool.
* **WLDR Agent:** PowerShell-based C2 memory implant.
* **CastleStealer:** Credential harvester targeting Chromium/Firefox, crypto wallets, and session files.
* **Remcos RAT:** Commercial remote administration tool used for post-exploitation.
* **Infrastructure (Defanged):**
* **Staging/C2:** eorthopaedics[.]com, sastoro[.]com, web-devtools[.]com, zynaris[.]io, windowscreenrepairnearme[.]com, aipythondevs[.]com.
* **Blockchain Fallback:** Polygon smart contract `0x6ae382ed2154cc84c6672e4e908cd2c69c1b35ba`.
* **Telegram Bots:** `8384531459` (skuefq_bot), `7993597060` (komandastuk_bot).
## Implications
UAT-11795 demonstrates a high level of operational security and technical proficiency by using custom implants (WLDR) and blockchain resolvers. Their ability to hijack legitimate domains and trojanize trusted IT/developer tools indicates a significant threat to organizational supply chains and administrative accounts. The financial focus on cryptocurrency and credentials suggests a direct impact on asset liquidity for victims.
## Mitigations
* **Software Verification:** Enforce strict application whitelisting and verify hashes/code-signing certificates for all administrative and collaboration software.
* **PowerShell Security:** Implement Constrained Language Mode and enable enhanced logging (Script Block Logging) to detect WLDR-style memory implants.
* **Endpoint Monitoring:** Monitor for unauthorized SQLite database access (specifically browser credential files) and suspicious outbound connections to Telegram APIs or known RPC nodes for blockchain lookups.
* **Network Defense:** Block communication with the identified C2 domains and monitor for HWID-based URL patterns in web logs.