AI-generated · no human review · verify operationally critical claims against the linked primary source.how it works →
UAT-11795
actor
· actor:uat-11795single-source
Russian-speaking, financially motivated threat actor active since at least June 2025, distributing trojanized installers (MobaXterm, WebEx, Zoom, DBeaver, FACEIT) via ClickFix lures to deploy the Python-based Starland RAT and a bespoke PowerShell C2 implant tracked as WLDR, with CastleStealer and a Remcos variant as follow-on payloads (Cisco Talos, 2026-07-16).
12 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)
Execution TA0002
T1053.005Scheduled Task/Job: Scheduled Task×1
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.
T1059.001Command and Scripting Interpreter: PowerShell×1
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
T1059.006Command and Scripting Interpreter: Python×1
Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.
T1204.004User Execution: Malicious Copy and Paste×1
An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get them to copy and paste code directly into a Command and Scripting Interpreter. One such strategy is "ClickFix," in which adversaries present users with seemingly helpful solutions—such as prompts to fix errors or complete CAPTCHAs—that instead instruct the user to copy and paste malicious code.
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.
T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder×1
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder×1
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code
Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., Shared Modules).
Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use this information to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. This behavior is distinct from Local Storage Discovery which is an adversary's discovery of local drive, disks and/or volumes.
Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.
Cisco Talos documented UAT-11795, a financially motivated actor whose intrusions begin with a ClickFix lure: a clipboard-pasted command invokes mshta.exe to fetch a weaponized HTA, whose VBScript drops a batch file that stages an NSIS-packaged installer masquerading as a legitimate IT/collaboration tool (MobaXterm, Cisco WebEx, Zoom, DBeaver, the FACEIT client) and writes a HKCU\...\Run\MyApp value pointing back at mshta.exe (Cisco Talos, 2026-07-16). The installer bundles pythonw.exe plus a compiled Python loader disguised as LICENSE.txt that XOR-decrypts and runs "Starland RAT" entirely in memory. Starland checks for sandbox usernames/hostnames and a Downloads Zone.Identifier ADS before proceeding, persists via a scheduled task named PythonLauncher-{3 random chars} (AtLogOn, RunLevel Highest) plus a Startup-folder LNK, enumerates 40+ desktop and browser-extension crypto wallets, and beacons a Telegram bot before registering to its primary C2. If that registration fails it calls a Polygon smart contract via eth_call/JSON-RPC and XOR-decrypts the returned string to recover a fallback C2 domain — a blockchain dead-drop resolver that survives conventional domain/IP takedown (Cisco Talos, 2026-07-16). On command, Starland fetches shellcode via APC-based injection that first patches AMSI/ETW in memory (hash-resolved AmsiScanBuffer/EtwEventWrite overwritten, with a VirtualProtect fallback) and reflectively loads either CastleStealer (.NET credential/wallet stealer, x64 path) or a Remcos variant (x32). Separately it has been seen shell-executing a curl download of a bespoke PowerShell C2 framework the actor's own scripts label "WLDR" — HWID-bound, AES-encrypted 10-second beaconing with a Chrome-124 User-Agent, executing operator PowerShell through a 10-thread RunspacePool.
Cisco Talos is disclosing UAT-11795, a sophisticated, Russian-speaking, financially motivated adversary that has been conducting a malicious campaign targeting users in the U.S. and Europe since at least June 2025.