A Russian cybercrime group known as UAT-11795 is targeting users with fake versions of popular software to steal passwords, cryptocurrency, and other sensitive information. The attacks have been active since at least June 2025, mainly affecting users in the United States, with victims observed in Germany, Romania, and Venezuela.
Researchers at Cisco Talos found that the attackers disguise malware as installers for trusted tools such as MobaXterm, WebEx, Zoom, DBeaver, and FaceIT. Once installed, the malware deploys a new backdoor called Starland RAT, which gives attackers remote access to infected computers.
Starland RAT collects browser data, cryptocurrency wallet information, system details, and Active Directory data. It can also take screenshots, run commands, and download more malware. In the observed attacks, the malware delivered CastleStealer to steal browser and crypto wallet data, and Remcos RAT, which supports keylogging, webcam access, screen recording, and remote control.
Cisco Talos also discovered that the threat actor uses a new PowerShell command-and-control framework called WLDR, which operates entirely in memory and encrypts its communications. Talos’ report also provides the Indicators of Compromise (IoCs) to help detect and block the attacks.