UAT-11795 Starland RAT trojanized installer malware activity
Malware Activity
Summary
Hide ▲
Show ▼
The UAT-11795 malware activity is using trojanized installers to deploy Starland RAT, putting credentials and cryptocurrency wallets at risk across multiple countries. The operation has been observed since at least June 2025 and has focused on users in the U.S., with additional victims in Germany, Romania, and Venezuela. Delivery uses lures such as MobaXterm, WebEx, Zoom, DBeaver, and FaceIT. Once installed, the backdoor can persist, collect system and browser data, capture screenshots, and load additional payloads.
Related Happenings
UAT-11795 trojanized installer campaign targeting users across multiple countries
Campaign
H score35
First: 16.07.2026 13:19
Last: 16.07.2026 13:19
Sources 1
How related:
A financially motivated Russian threat actor tracked as UAT-11795 is using trojanized software to steal credentials and cryptocurrency by deploying a new backdoor called Starland RAT.
About this happening:
The UAT-11795 campaign is using trojanized installers to spread Starland RAT and steal credentials and cryptocurrency from users in multiple countries. Activity has co...
UAT-11795 trojanized installer campaign targeting users across multiple countries
CampaignHow related: A financially motivated Russian threat actor tracked as UAT-11795 is using trojanized software to steal credentials and cryptocurrency by deploying a new backdoor called Starland RAT.
About this happening: The UAT-11795 campaign is using trojanized installers to spread Starland RAT and steal credentials and cryptocurrency from users in multiple countries. Activity has co...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware Activity
H score41
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
GREYVIBE is a Russian-speaking malware activity targeting Ukraine and Ukraine-related entities since at least August 2025. The group uses spear-phishing e-mails*...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware ActivityAbout this happening: GREYVIBE is a Russian-speaking malware activity targeting Ukraine and Ukraine-related entities since at least August 2025. The group uses spear-phishing e-mails*...
UAT-10027 U.S. education and healthcare targeting campaign
Campaign
H score34
First: 26.02.2026 17:17
Last: 26.02.2026 17:17
Sources 1
About this happening:
UAT-10027 is running an active campaign against U.S. education and healthcare organizations, and the activity matters because it delivers a new backdoor and supporting...
UAT-10027 U.S. education and healthcare targeting campaign
CampaignAbout this happening: UAT-10027 is running an active campaign against U.S. education and healthcare organizations, and the activity matters because it delivers a new backdoor and supporting...
Contagious Interview npm malicious package campaign
Campaign
H score39
First: 28.11.2025 18:18
Last: 28.11.2025 18:18
Sources 1
About this happening:
The Contagious Interview campaign expanded with 197 more malicious npm packages, extending a supply-chain delivery route that targets npm users and developers. The pac...
Contagious Interview npm malicious package campaign
CampaignAbout this happening: The Contagious Interview campaign expanded with 197 more malicious npm packages, extending a supply-chain delivery route that targets npm users and developers. The pac...
Timeline
-
16.07.2026 13:19 2 articles · 1h ago
UAT-11795 deploys Starland RAT through trojanized installers
Initial DisclosureUAT-11795, a financially motivated Russian threat actor, uses trojanized installers for MobaXterm, WebEx, Zoom, DBeaver, and FaceIT to deploy Starland RAT and steal credentials and cryptocurrency. The activity has been observed since at least June 2025 and has focused on users in the U.S., with victims also observed in Germany, Romania, and Venezuela.
Show sources
- Russian hackers trojanize WebEx, Zoom apps to push Starland malware — www.bleepingcomputer.com — 16.07.2026 13:19
- Russian hackers trojanize WebEx, Zoom apps to push Starland malware — www.bleepingcomputer.com — 16.07.2026 13:19