Close Menu

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    Windows 11 24H2 Home and Pro reach end of support in 90 days

    July 16, 2026

    Russian hackers trojanize WebEx, Zoom apps to push Starland malware

    July 16, 2026

    Google Gemini CLI abused as a hacking agent, malware botnet operator

    July 16, 2026
    Facebook X (Twitter) Instagram
    • Demos
    • Technology
    • Gaming
    • Buy Now
    Facebook X (Twitter) Instagram Pinterest Vimeo
    Canadian Cyber WatchCanadian Cyber Watch
    • Home
    • News
    • Alerts
    • Tips
    • Tools
    • Industry
    • Incidents
    • Events
    • Education
    Subscribe
    Canadian Cyber WatchCanadian Cyber Watch
    Home»News»Russian hackers trojanize WebEx, Zoom apps to push Starland malware
    News

    Russian hackers trojanize WebEx, Zoom apps to push Starland malware

    adminBy adminJuly 16, 2026No Comments3 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Share
    Facebook Twitter LinkedIn Pinterest Email


    Russian hackers trojanize WebEx, Zoom apps to push Starland malware

    A financially motivated Russian threat actor tracked as UAT-11795 is using trojanized software to steal credentials and cryptocurrency by deploying a new backdoor called Starland RAT.

    Attacks have been occurring since at least June 2025 and have focused on users in the U.S., although victims in Germany, Romania, and Venezuela have been observed as well.

    According to researchers at Cisco Talos, the threat actor distributes the payload via trojanized installers for legitimate software such as MobaXterm, WebEx, Zoom, DBeaver, and FaceIT.

    image

    Although the researchers could not confirm the infection vector, they speculate that the malicious files are likely pushed using the ClickFix method.

    In an analysis published today, Cisco Talos says that the attack starts with an HTA file that retrieves a trojanized NSIS installer containing a Python loader disguised as a text file (LICENSE.txt).

    The loader modifies the Windows Registry to establish persistence and then decrypts and loads the Starland remote access trojan (RAT).

    When launched, Starland checks whether it is running in a sandbox environment, adds scheduled tasks and Startup folder items for persistence, and tries to increase its privileges.

    The malware looks for the following types of data on the compromised system:

    • Browser data and cryptocurrency wallet assets, including more than 40 desktop and browser-extension wallets
    • System details, including the HWID, RAM, processor, operating system, computer name, region, public IP address, and installed antivirus products
    • Active Directory information, including domain structure, domain controllers, and the victim’s domain privileges

    StarlandRAT can also capture screenshots of the victim’s desktop, execute shell commands, inject 32- or 64-bit shellcode, and download additional payloads (EXEs, MSIs, DLLs, ZIPs).

    In the observed attacks, the 64-bit shellcode chain delivers the CastleStealer info-stealer malware, while the 32-bit chain delivers the Remcos remote access trojan (RAT).

    CastleStealer targets browser credentials, cryptocurrency wallet information, Discord and Telegram sessions, Steam credentials, and filesystem files.

    Remcos RAT provides capabilities such as keylogging, webcam and screen capture, audio recording, clipboard monitoring, file management, and remote command execution.

    Overview of the UAT-11795 attack chain
    Overview of the UAT-11795 attack chain
    Source: Cisco Talos

    Cisco Talos highlights that the malware’s command-and-control (C2) communication has a redundancy mechanism if reaching the hardcoded address fails, which involves querying a Polygon smart contract with an XOR-encrypted fallback domain.

    Talos also discovered that UAT-11795 uses a previously undocumented PowerShell C2 framework called WLDR, which uses encrypted (PBKDF2-SHA256) beaconing and communications, operates entirely in memory, and binds payload delivery to each victim’s hardware identifier.

    To defend against UAT-11795 attacks, organizations should use the indicators of compromise IoCs in the Cisco Talos report.

    Users should avoid executing commands found online if they don’t understand what they do and should download software only from confirmed official vendor portals.


    article image

    Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

    The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

    Get the whitepaper



    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleGoogle Gemini CLI abused as a hacking agent, malware botnet operator
    Next Article Windows 11 24H2 Home and Pro reach end of support in 90 days
    admin
    • Website

    Related Posts

    News

    Windows 11 24H2 Home and Pro reach end of support in 90 days

    July 16, 2026
    News

    Google Gemini CLI abused as a hacking agent, malware botnet operator

    July 16, 2026
    News

    CIS Benchmarks July 2026 Update

    July 15, 2026
    Add A Comment

    Comments are closed.

    Demo
    Top Posts

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202634 Views

    IP Address Investigations and Local OSINT

    March 20, 202634 Views
    Stay In Touch
    • Facebook
    • YouTube
    • TikTok
    • WhatsApp
    • Twitter
    • Instagram
    Latest Reviews
    85
    Featured

    Pico 4 Review: Should You Actually Buy One Instead Of Quest 2?

    January 15, 2021 Featured
    8.1
    Uncategorized

    A Review of the Venus Optics Argus 18mm f/0.95 MFT APO Lens

    January 15, 2021 Uncategorized
    8.9
    Editor's Picks

    DJI Avata Review: Immersive FPV Flying For Drone Enthusiasts

    January 15, 2021 Editor's Picks

    Subscribe to Updates

    Get the latest tech news from FooBar about tech, design and biz.

    Demo
    Most Popular

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202634 Views

    IP Address Investigations and Local OSINT

    March 20, 202634 Views
    Our Picks

    Windows 11 24H2 Home and Pro reach end of support in 90 days

    July 16, 2026

    Russian hackers trojanize WebEx, Zoom apps to push Starland malware

    July 16, 2026

    Google Gemini CLI abused as a hacking agent, malware botnet operator

    July 16, 2026

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Facebook X (Twitter) Instagram Pinterest
    • Home
    • Technology
    • Gaming
    • Phones
    • Buy Now
    © 2026 ThemeSphere. Designed by ThemeSphere.

    Type above and press Enter to search. Press Esc to cancel.