Find notable cyber news and cases, enriched with sources, timelines, and signals.

UAT-11795 trojanized installer campaign targeting users across multiple countries

Campaign
First reported
Last updated
Happening score
H score 35
1 unique sources, 1 articles

Summary

Hide ▲

The UAT-11795 campaign is using trojanized installers to spread Starland RAT and steal credentials and cryptocurrency from users in multiple countries. Activity has continued since at least June 2025, with observed victims in the U.S., Germany, Romania, and Venezuela. The delivery chain abuses legitimate software lures such as MobaXterm, WebEx, Zoom, DBeaver, and FaceIT, and may be pushed through the ClickFix method. The operation also delivers CastleStealer and Remcos RAT, widening the theft and remote-access risk for exposed users.

Related Happenings

UAT-11795 Starland RAT trojanized installer malware activity

Malware Activity
H score31 First: 16.07.2026 13:19 Last: 16.07.2026 13:19 Sources 1

How related: A financially motivated Russian threat actor tracked as UAT-11795 is using trojanized software to steal credentials and cryptocurrency by deploying a new backdoor called Starland RAT.

About this happening: The UAT-11795 malware activity is using trojanized installers to deploy Starland RAT, putting credentials and cryptocurrency wallets at risk across multiple countries....

GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy

Malware Activity
H score41 First: 29.05.2026 01:24 Last: 29.05.2026 01:24 Sources 1

About this happening: GREYVIBE is a Russian-speaking malware activity targeting Ukraine and Ukraine-related entities since at least August 2025. The group uses spear-phishing e-mails*...

UAT-10027 U.S. education and healthcare targeting campaign

Campaign
H score34 First: 26.02.2026 17:17 Last: 26.02.2026 17:17 Sources 1

About this happening: UAT-10027 is running an active campaign against U.S. education and healthcare organizations, and the activity matters because it delivers a new backdoor and supporting...

UAT-7290 Linux malware suite targets edge devices with ORB tooling

Malware Activity
H score33 First: 09.01.2026 01:39 Last: 09.01.2026 01:39 Sources 1

About this happening: UAT-7290 is actively using a Linux-based malware suite to compromise public-facing edge devices and support telco cyber-espionage. The group relies on one-day ex...

Timeline

  1. 16.07.2026 13:19 2 articles · 1h ago

    UAT-11795 trojanized installer campaign targeting users across multiple countries

    Initial Disclosure

    Early activity in June 2025 used trojanized installers for trusted software to seed the infection chain, initially emphasizing users in the U.S. and later showing spread to Germany, Romania, and Venezuela. The delivery path centered on an HTA file, a trojanized NSIS installer, and a Python loader disguised as LICENSE.txt.

    Show sources