UAT-11795 trojanized installer campaign targeting users across multiple countries
Campaign
Summary
Hide ▲
Show ▼
The UAT-11795 campaign is using trojanized installers to spread Starland RAT and steal credentials and cryptocurrency from users in multiple countries. Activity has continued since at least June 2025, with observed victims in the U.S., Germany, Romania, and Venezuela. The delivery chain abuses legitimate software lures such as MobaXterm, WebEx, Zoom, DBeaver, and FaceIT, and may be pushed through the ClickFix method. The operation also delivers CastleStealer and Remcos RAT, widening the theft and remote-access risk for exposed users.
Related Happenings
UAT-11795 Starland RAT trojanized installer malware activity
Malware Activity
H score31
First: 16.07.2026 13:19
Last: 16.07.2026 13:19
Sources 1
How related:
A financially motivated Russian threat actor tracked as UAT-11795 is using trojanized software to steal credentials and cryptocurrency by deploying a new backdoor called Starland RAT.
About this happening:
The UAT-11795 malware activity is using trojanized installers to deploy Starland RAT, putting credentials and cryptocurrency wallets at risk across multiple countries....
UAT-11795 Starland RAT trojanized installer malware activity
Malware ActivityHow related: A financially motivated Russian threat actor tracked as UAT-11795 is using trojanized software to steal credentials and cryptocurrency by deploying a new backdoor called Starland RAT.
About this happening: The UAT-11795 malware activity is using trojanized installers to deploy Starland RAT, putting credentials and cryptocurrency wallets at risk across multiple countries....
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware Activity
H score41
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
GREYVIBE is a Russian-speaking malware activity targeting Ukraine and Ukraine-related entities since at least August 2025. The group uses spear-phishing e-mails*...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware ActivityAbout this happening: GREYVIBE is a Russian-speaking malware activity targeting Ukraine and Ukraine-related entities since at least August 2025. The group uses spear-phishing e-mails*...
UAT-10027 U.S. education and healthcare targeting campaign
Campaign
H score34
First: 26.02.2026 17:17
Last: 26.02.2026 17:17
Sources 1
About this happening:
UAT-10027 is running an active campaign against U.S. education and healthcare organizations, and the activity matters because it delivers a new backdoor and supporting...
UAT-10027 U.S. education and healthcare targeting campaign
CampaignAbout this happening: UAT-10027 is running an active campaign against U.S. education and healthcare organizations, and the activity matters because it delivers a new backdoor and supporting...
UAT-7290 Linux malware suite targets edge devices with ORB tooling
Malware Activity
H score33
First: 09.01.2026 01:39
Last: 09.01.2026 01:39
Sources 1
About this happening:
UAT-7290 is actively using a Linux-based malware suite to compromise public-facing edge devices and support telco cyber-espionage. The group relies on one-day ex...
UAT-7290 Linux malware suite targets edge devices with ORB tooling
Malware ActivityAbout this happening: UAT-7290 is actively using a Linux-based malware suite to compromise public-facing edge devices and support telco cyber-espionage. The group relies on one-day ex...
Timeline
-
16.07.2026 13:19 2 articles · 1h ago
UAT-11795 trojanized installer campaign targeting users across multiple countries
Initial DisclosureEarly activity in June 2025 used trojanized installers for trusted software to seed the infection chain, initially emphasizing users in the U.S. and later showing spread to Germany, Romania, and Venezuela. The delivery path centered on an HTA file, a trojanized NSIS installer, and a Python loader disguised as LICENSE.txt.
Show sources
- Russian hackers trojanize WebEx, Zoom apps to push Starland malware — www.bleepingcomputer.com — 16.07.2026 13:19
- Russian hackers trojanize WebEx, Zoom apps to push Starland malware — www.bleepingcomputer.com — 16.07.2026 13:19