2026-07-17 · view entry permalink →
Cisco Talos: UAT-11795 deploys the Python-based Starland RAT and a bespoke PowerShell C2 implant (WLDR), resolving fallback C2 through a Polygon blockchain dead-drop
Cisco Talos documented UAT-11795, a financially motivated actor whose intrusions begin with a ClickFix lure: a clipboard-pasted command invokes mshta.exe to fetch a weaponized HTA, whose VBScript drops a batch file that stages an NSIS-packaged installer masquerading as a legitimate IT/collaboration tool (MobaXterm, Cisco WebEx, Zoom, DBeaver, the FACEIT client) and writes a HKCU\...\Run\MyApp value pointing back at mshta.exe (Cisco Talos, 2026-07-16). The installer bundles pythonw.exe plus a compiled Python loader disguised as LICENSE.txt that XOR-decrypts and runs "Starland RAT" entirely in memory. Starland checks for sandbox usernames/hostnames and a Downloads Zone.Identifier ADS before proceeding, persists via a scheduled task named PythonLauncher-{3 random chars} (AtLogOn, RunLevel Highest) plus a Startup-folder LNK, enumerates 40+ desktop and browser-extension crypto wallets, and beacons a Telegram bot before registering to its primary C2. If that registration fails it calls a Polygon smart contract via eth_call/JSON-RPC and XOR-decrypts the returned string to recover a fallback C2 domain — a blockchain dead-drop resolver that survives conventional domain/IP takedown (Cisco Talos, 2026-07-16). On command, Starland fetches shellcode via APC-based injection that first patches AMSI/ETW in memory (hash-resolved AmsiScanBuffer/EtwEventWrite overwritten, with a VirtualProtect fallback) and reflectively loads either CastleStealer (.NET credential/wallet stealer, x64 path) or a Remcos variant (x32). Separately it has been seen shell-executing a curl download of a bespoke PowerShell C2 framework the actor's own scripts label "WLDR" — HWID-bound, AES-encrypted 10-second beaconing with a Chrome-124 User-Agent, executing operator PowerShell through a 10-thread RunspacePool.
Cisco Talos is disclosing UAT-11795, a sophisticated, Russian-speaking, financially motivated adversary that has been conducting a malicious campaign targeting users in the U.S. and Europe since at least June 2025.