Find notable cyber news and cases, enriched with sources, timelines, and signals.

UAT-11795 Starland RAT trojanized installer malware activity

Malware Activity
First reported
Last updated
Happening score
H score 31
1 unique sources, 1 articles

Summary

Hide ▲

The UAT-11795 malware activity is using trojanized installers to deploy Starland RAT, putting credentials and cryptocurrency wallets at risk across multiple countries. The operation has been observed since at least June 2025 and has focused on users in the U.S., with additional victims in Germany, Romania, and Venezuela. Delivery uses lures such as MobaXterm, WebEx, Zoom, DBeaver, and FaceIT. Once installed, the backdoor can persist, collect system and browser data, capture screenshots, and load additional payloads.

Related Happenings

UAT-11795 trojanized installer campaign targeting users across multiple countries

Campaign
H score35 First: 16.07.2026 13:19 Last: 16.07.2026 13:19 Sources 1

How related: A financially motivated Russian threat actor tracked as UAT-11795 is using trojanized software to steal credentials and cryptocurrency by deploying a new backdoor called Starland RAT.

About this happening: The UAT-11795 campaign is using trojanized installers to spread Starland RAT and steal credentials and cryptocurrency from users in multiple countries. Activity has co...

GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy

Malware Activity
H score41 First: 29.05.2026 01:24 Last: 29.05.2026 01:24 Sources 1

About this happening: GREYVIBE is a Russian-speaking malware activity targeting Ukraine and Ukraine-related entities since at least August 2025. The group uses spear-phishing e-mails*...

UAT-10027 U.S. education and healthcare targeting campaign

Campaign
H score34 First: 26.02.2026 17:17 Last: 26.02.2026 17:17 Sources 1

About this happening: UAT-10027 is running an active campaign against U.S. education and healthcare organizations, and the activity matters because it delivers a new backdoor and supporting...

Contagious Interview npm malicious package campaign

Campaign
H score39 First: 28.11.2025 18:18 Last: 28.11.2025 18:18 Sources 1

About this happening: The Contagious Interview campaign expanded with 197 more malicious npm packages, extending a supply-chain delivery route that targets npm users and developers. The pac...

Timeline

  1. 16.07.2026 13:19 2 articles · 1h ago

    UAT-11795 deploys Starland RAT through trojanized installers

    Initial Disclosure

    UAT-11795, a financially motivated Russian threat actor, uses trojanized installers for MobaXterm, WebEx, Zoom, DBeaver, and FaceIT to deploy Starland RAT and steal credentials and cryptocurrency. The activity has been observed since at least June 2025 and has focused on users in the U.S., with victims also observed in Germany, Romania, and Venezuela.

    Show sources