ctipilot.ch

WLDR

tool · tool:wldr-c2-implant single-source

Bespoke, undocumented PowerShell in-memory C2 implant deployed by UAT-11795 via Starland RAT's shell-command capability; HWID-bound, with AES-encrypted 10-second HTTP beaconing and a multi-threaded RunspacePool operator-command engine (Cisco Talos, 2026-07-16).

Aliases: WLDR agent, WLDR C2

Coverage timeline
1
first 2026-07-17 → last 2026-07-17
Peak priority
notable
1 notable
Sources cited
1
1 hosts
Sections touched
1
active-threats
Co-occurring entities
3
see Related entities below
ATT&CK techniques
12
pinned v19.1 · see below

ATT&CK techniques

12 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Execution TA0002

T1053.005Scheduled Task/Job: Scheduled Task×1

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.

Evidence: 2026-07-17/talos-uat-11795-starland-rat-wldr-c2 · ATT&CK page ↗

T1059.001Command and Scripting Interpreter: PowerShell×1

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).

Evidence: 2026-07-17/talos-uat-11795-starland-rat-wldr-c2 · ATT&CK page ↗

T1059.006Command and Scripting Interpreter: Python×1

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.

Evidence: 2026-07-17/talos-uat-11795-starland-rat-wldr-c2 · ATT&CK page ↗

T1204.004User Execution: Malicious Copy and Paste×1

An adversary may rely upon a user copying and pasting code in order to gain execution. Users may be subjected to social engineering to get them to copy and paste code directly into a Command and Scripting Interpreter. One such strategy is "ClickFix," in which adversaries present users with seemingly helpful solutions—such as prompts to fix errors or complete CAPTCHAs—that instead instruct the user to copy and paste malicious code.

Evidence: 2026-07-17/talos-uat-11795-starland-rat-wldr-c2 · ATT&CK page ↗

Persistence TA0003

T1053.005Scheduled Task/Job: Scheduled Task×1

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.

Evidence: 2026-07-17/talos-uat-11795-starland-rat-wldr-c2 · ATT&CK page ↗

T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder×1

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.

Evidence: 2026-07-17/talos-uat-11795-starland-rat-wldr-c2 · ATT&CK page ↗

Privilege Escalation TA0004

T1053.005Scheduled Task/Job: Scheduled Task×1

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library and Windows Management Instrumentation (WMI) to create a scheduled task. Adversaries may also utilize the Powershell Cmdlet `Invoke-CimMethod`, which leverages WMI class `PS_ScheduledTask` to create a scheduled task via an XML path.

Evidence: 2026-07-17/talos-uat-11795-starland-rat-wldr-c2 · ATT&CK page ↗

T1055Process Injection×1

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

Evidence: 2026-07-17/talos-uat-11795-starland-rat-wldr-c2 · ATT&CK page ↗

T1547.001Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder×1

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.

Evidence: 2026-07-17/talos-uat-11795-starland-rat-wldr-c2 · ATT&CK page ↗

Stealth TA0005

T1036Masquerading×1

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Evidence: 2026-07-17/talos-uat-11795-starland-rat-wldr-c2 · ATT&CK page ↗

T1055Process Injection×1

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

Evidence: 2026-07-17/talos-uat-11795-starland-rat-wldr-c2 · ATT&CK page ↗

T1218.005System Binary Proxy Execution: Mshta×1

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code

Evidence: 2026-07-17/talos-uat-11795-starland-rat-wldr-c2 · ATT&CK page ↗

T1620Reflective Code Loading×1

Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk (e.g., Shared Modules).

Evidence: 2026-07-17/talos-uat-11795-starland-rat-wldr-c2 · ATT&CK page ↗

Defense Impairment TA0112

T1685Disable or Modify Tools×1

Adversaries may disable, degrade, or tamper with security tools or applications (e.g., endpoint detection and response (EDR) tools, intrusion detection systems (IDS), antivirus, logging agents, sensors, etc.) to impair or reduce visibility of defensive capabilities. This may include stopping specific services, killing processes, modifying or deleting tool configuration files and Registry keys, or preventing tools from updating. This may also include impairing defenses more broadly by disrupting preventative, detection, and response mechanisms across host, network, and cloud environments.

Evidence: 2026-07-17/talos-uat-11795-starland-rat-wldr-c2 · ATT&CK page ↗

Discovery TA0007

T1082System Information Discovery×1

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use this information to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. This behavior is distinct from Local Storage Discovery which is an adversary's discovery of local drive, disks and/or volumes.

Evidence: 2026-07-17/talos-uat-11795-starland-rat-wldr-c2 · ATT&CK page ↗

Command and Control TA0011

T1102.001Web Service: Dead Drop Resolver×1

Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.

Evidence: 2026-07-17/talos-uat-11795-starland-rat-wldr-c2 · ATT&CK page ↗

Story timeline

  1. 2026-07-17Cisco Talos: UAT-11795 deploys the Python-based Starland RAT and a bespoke PowerShell C2 implant (WLDR), resolving fallback C2 through a Polygon blockchain dead-drop
    active-threatsTalos details UAT-11795 — ClickFix-delivered Starland RAT with a blockchain dead-drop C2 and a bespoke WLDR PowerShell implant

Relationships explore in graph

Typed, source-stated connections from the entity registry — each edge cites the entry whose reporting establishes it.

used by

Where this entity is cited

  • active-threats1

Source distribution

  • blog.talosintelligence.com1 (100%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about WLDR (1)

2026-07-17 · view entry permalink →

NOTABLENATOB2

Cisco Talos: UAT-11795 deploys the Python-based Starland RAT and a bespoke PowerShell C2 implant (WLDR), resolving fallback C2 through a Polygon blockchain dead-drop

Cisco Talos documented UAT-11795, a financially motivated actor whose intrusions begin with a ClickFix lure: a clipboard-pasted command invokes mshta.exe to fetch a weaponized HTA, whose VBScript drops a batch file that stages an NSIS-packaged installer masquerading as a legitimate IT/collaboration tool (MobaXterm, Cisco WebEx, Zoom, DBeaver, the FACEIT client) and writes a HKCU\...\Run\MyApp value pointing back at mshta.exe (Cisco Talos, 2026-07-16). The installer bundles pythonw.exe plus a compiled Python loader disguised as LICENSE.txt that XOR-decrypts and runs "Starland RAT" entirely in memory. Starland checks for sandbox usernames/hostnames and a Downloads Zone.Identifier ADS before proceeding, persists via a scheduled task named PythonLauncher-{3 random chars} (AtLogOn, RunLevel Highest) plus a Startup-folder LNK, enumerates 40+ desktop and browser-extension crypto wallets, and beacons a Telegram bot before registering to its primary C2. If that registration fails it calls a Polygon smart contract via eth_call/JSON-RPC and XOR-decrypts the returned string to recover a fallback C2 domain — a blockchain dead-drop resolver that survives conventional domain/IP takedown (Cisco Talos, 2026-07-16). On command, Starland fetches shellcode via APC-based injection that first patches AMSI/ETW in memory (hash-resolved AmsiScanBuffer/EtwEventWrite overwritten, with a VirtualProtect fallback) and reflectively loads either CastleStealer (.NET credential/wallet stealer, x64 path) or a Remcos variant (x32). Separately it has been seen shell-executing a curl download of a bespoke PowerShell C2 framework the actor's own scripts label "WLDR" — HWID-bound, AES-encrypted 10-second beaconing with a Chrome-124 User-Agent, executing operator PowerShell through a 10-thread RunspacePool.

Cisco Talos is disclosing UAT-11795, a sophisticated, Russian-speaking, financially motivated adversary that has been conducting a malicious campaign targeting users in the U.S. and Europe since at least June 2025.

Cisco Talos 2026-07-16
threat17 Jul 04:35Zsingle-sourceOpen finding ↗
Sources: Cisco Talos