Russian Hackers Trojanize WebEx and Zoom to Spread Starland Malware

www.news4hackers.com-russian-hackers-trojanize-webex-and-zoom-to-spread-starland-malware-russian-hackers-trojanize-webex-and-zoom-to-spread-starland-malware

Russian threat actors deploy malicious software to distribute Starland malware through compromised video conferencing tools

UAT-11795 Threat Group and Starland RAT

A financially driven Russian threat group identified as UAT-11795 has been utilizing modified software installations to extract credentials and cryptocurrency through a newly discovered backdoor known as Starland RAT. Investigations by Cisco Talos indicate these operations have been active since at least June 2025, primarily targeting users in the United States, with additional incidents reported in Germany, Romania, and Venezuela.

Distribution Methods

Researchers observed the threat actor distributing malicious payloads via altered installers for legitimate applications including MobaXterm, WebEx, Zoom, DBeaver, and FaceIT. While the exact delivery method remains unconfirmed, analysts suggest the malicious files may be distributed using the ClickFix technique.

Attack Sequence

The attack sequence begins with an HTA file that downloads a compromised NSIS installer disguised as a text document (LICENSE.txt). This component modifies the Windows Registry to maintain persistence before decrypting and loading the Starland RAT.

Data Targeted by StarlandRAT

Once executed, the malware performs sandbox detection, creates scheduled tasks and Startup folder entries for continued access, and attempts to escalate privileges. The malware targets specific data types on infected systems, including:

  • Browser data and cryptocurrency wallet assets, encompassing over 40 desktop and browser-based wallets
  • System details such as hardware identifiers, RAM, processor specifications, operating system information, computer names, regional settings, public IP addresses, and installed antivirus solutions
  • Active Directory information, including domain architecture, domain controllers, and user privileges within the compromised network

Capabilities of StarlandRAT

StarlandRAT also enables screenshot capture of the victim’s desktop, execution of shell commands, and injection of 32- or 64-bit shellcode. Analysis revealed that the 64-bit shellcode chain deploys CastleStealer, an information-stealing malware targeting browser credentials, cryptocurrency wallet details, Discord and Telegram sessions, Steam login information, and file system data. The 32-bit chain delivers Remcos RAT, which provides capabilities such as keylogging, webcam and screen capture, audio recording, clipboard monitoring, file management, and remote command execution.

C2 Infrastructure and Detection

Cisco Talos noted the malware’s command-and-control (C2) infrastructure includes a redundancy mechanism that queries a Polygon smart contract for an XOR-encrypted fallback domain if primary addresses fail. Researchers also identified a novel PowerShell C2 framework named WLDR, which employs PBKDF2-SHA256 encrypted beaconing, operates entirely in memory, and ties payload delivery to each victim’s hardware identifier.

According to Cisco Talos, organizations are advised to implement the indicators of compromise (IoCs) outlined in the Cisco Talos report to mitigate risks. Users should refrain from executing unverified commands and conduct thorough testing of all system layers before potential exploitation. Security teams report that 54% of successful breaches go undetected, with only 14% triggering alerts. Advanced threat simulation tools can help validate detection capabilities and identify gaps in security postures.

Conclusion

The Starland RAT campaign highlights the evolving tactics of threat actors leveraging compromised software to steal sensitive data. Organizations must remain vigilant, implement robust security measures, and stay updated on emerging threats to protect their systems and users.



About Author

en_USEnglish