Russian-Speaking Cyber Threat Actor UAT-11795 Targets Western Infrastructure with Novel Malware and Blockchain-Based Command Channels

The cybersecurity landscape has been significantly altered by the emergence of a sophisticated Russian-speaking threat actor, currently identified by Cisco Talos as UAT-11795, which has launched a series of aggressive campaigns targeting organizations and individuals across the United States and Europe. Since its first recorded activities in June 2023, this group has demonstrated a high degree of technical proficiency, utilizing a combination of novel malware, social engineering tactics, and decentralized blockchain technology to maintain persistence and exfiltrate sensitive data. The primary objectives of the group appear to be financially motivated, focusing heavily on the theft of credentials and cryptocurrency assets, while simultaneously establishing long-term access to compromised systems for potential secondary exploitation.
According to researchers at Cisco Talos, the threat actor’s operations are characterized by the deployment of two previously undocumented tools: a Python-based remote access trojan (RAT) dubbed Starland RAT and a PowerShell-based memory implant known as the WLDR agent. These tools are designed to operate stealthily, bypassing traditional perimeter defenses by piggybacking on legitimate, widely used software installers. The group’s ability to hide its activities within the memory of infected machines and utilize unconventional command-and-control (C2) channels—including smart contracts on the Polygon blockchain—marks a notable evolution in the tactics employed by financially motivated cybercriminal syndicates.
Chronology and Evolution of UAT-11795 Operations
The activity of UAT-11795 was first observed in mid-2023, with researchers tracing the origins of the group’s infrastructure to June of that year. One of the earliest indicators of the group’s organization was the creation of a private Telegram channel titled "stuk komanda." This channel, which remains active with a small number of subscribers, is believed to serve as a hub for the threat actor to monitor the progress of their campaigns and potentially coordinate with other members of the Russian-speaking underground.
Over the past year, the group has refined its delivery mechanisms. Initially focusing on smaller-scale credential harvesting, the campaign expanded in late 2023 and early 2024 to target high-value users in the corporate and technical sectors. By trojanizing software that is essential for remote work and system administration—such as WebEx, Zoom, and MobaXterm—UAT-11795 has managed to infiltrate environments where traditional security awareness training might expect users to feel safe. The geographic focus of the attacks has remained steady, with the majority of infections identified in the United States, followed by significant clusters in Germany and Romania. Isolated incidents have also been reported in Venezuela, suggesting that while the group is focused on Western targets, its reach is opportunistic and global.
Technical Analysis of the Malware Toolkit: Starland RAT and WLDR Agent
The core of the UAT-11795 arsenal lies in its bespoke malware. The Starland RAT is a Python-based tool that provides the attackers with comprehensive control over the victim’s machine. Because it is written in Python, the malware can be easily obfuscated and adapted, making it difficult for signature-based antivirus solutions to detect. Starland RAT is primarily used for the exfiltration of browser data, including saved passwords and cookies, as well as the identification and theft of cryptocurrency wallet files. Its capabilities include file management, remote shell execution, and the ability to download and execute additional payloads as instructed by the C2 server.
Complementing the Starland RAT is the WLDR agent, a sophisticated PowerShell-based implant that operates entirely in-memory. This "fileless" approach is a deliberate tactic to avoid detection by endpoint detection and response (EDR) systems that monitor for suspicious files on disk. The WLDR agent features a modular design, utilizing a Runspace execution engine to run additional scripts and payloads without spawning new processes. Its primary functions include encrypted beaconing, where the malware periodically "checks in" with the attacker’s server to receive new tasks, and task queuing, which allows the attackers to schedule actions even when they are not actively monitoring the victim’s machine.
Perhaps the most innovative aspect of the WLDR agent is its fallback mechanism. If the primary C2 server is taken down or blocked, the agent is programmed to query a specific smart contract on the Polygon blockchain. By reading the data stored within this decentralized contract, the malware can retrieve the address of a new C2 server. This use of blockchain technology provides the threat actor with a resilient, censorship-resistant infrastructure that is nearly impossible for law enforcement or security researchers to dismantle through traditional domain-seizure methods.
The ClickFix Social Engineering Strategy
UAT-11795 gains initial access to target systems through a deceptive social engineering technique known as "ClickFix." This method exploits the trust users place in their software and their desire to quickly resolve technical issues. In a typical scenario, a user visiting a compromised or malicious website is presented with a fake error message, often disguised as a notification from a legitimate service like Google Chrome, Microsoft Word, or a video conferencing tool. The message claims that a specific component is missing or that a "fix" must be applied to view the content.
The user is then prompted to copy a specific command to their clipboard and run it via the Windows "Run" dialog or a PowerShell terminal. Once executed, this command triggers a chain of events:
- HTA Execution: The command downloads and executes a remotely hosted, weaponized HTML Application (HTA) file.
- VBScript Deployment: The HTA file runs an embedded VBScript that operates silently in the background.
- Batch File Drop: The script drops a Windows batch file into the user’s temporary application folder.
- Trojanized Installer: This batch file contains instructions to download and install a "trojanized" version of legitimate software—such as Zoom, WebEx, or MobaXterm—from an attacker-controlled staging domain.
While the user believes they are installing or updating a necessary tool, the installer simultaneously deploys the Starland RAT and the WLDR agent. This method is particularly effective because it bypasses traditional email filters and firewalls, relying entirely on the user to authorize the initial execution of the malicious command.
Industry Reactions and Security Implications
The discovery of UAT-11795 has prompted warnings from across the cybersecurity industry. Muhammad Yahya Patel, CISO and cybersecurity advisor at Huntress, highlighted the danger of attackers exploiting the tools that the modern workforce relies on most. "By hiding the Starland RAT inside trusted software and likely utilizing deceptive ClickFix social engineering tactics, these threat actors are completely bypassing traditional perimeter defenses to exploit human psychology rather than software vulnerabilities," Patel noted. He emphasized that as remote and hybrid work becomes the standard, the tools used for collaboration have become the primary attack surface.
Gabrielle Hempel, a security operations strategist at Exabeam, suggested that this campaign represents a fundamental shift in how organizations should approach vulnerability management. "We often measure a program’s security maturity by patch SLAs, but we’re seeing so many successful intrusions starting with users executing software they believe is legitimate and not just unpatched systems," Hempel said. She argued that the traditional focus on Common Vulnerabilities and Exposures (CVEs) is insufficient if an organization cannot verify the provenance of the binaries running on its network. "If your security program can’t answer ‘where did this binary come from?’ as quickly as it can answer ‘is this CVE patched?’ then you are behind on your threat model."
Broader Impact and Recommendations for Defense
The rise of UAT-11795 underscores a broader trend in the cyber threat landscape: the professionalization of Russian-speaking cybercriminal groups that prioritize financial gain through technical ingenuity. The group’s focus on cryptocurrency theft is particularly telling, as it allows for the rapid monetization of successful infections. Furthermore, the targeting of IT administration tools like MobaXterm suggests that the group is also interested in gaining access to high-privilege accounts, which could lead to large-scale data breaches or ransomware deployment in the future.
To defend against UAT-11795 and similar threats, security experts recommend a multi-layered approach:
- Verification of Software Provenance: Organizations should implement strict policies regarding the installation of software, ensuring that all binaries are downloaded only from official, verified sources.
- Monitoring for Persistence: Security teams should actively monitor for the creation of unexpected scheduled tasks, registry modifications, and unusual PowerShell activity, which are common indicators of Starland RAT and WLDR agent presence.
- User Education: Training programs must evolve to include specific warnings about "ClickFix" tactics, emphasizing that users should never copy and paste commands from websites into their terminals.
- Memory-Based Detection: Since the WLDR agent operates in-memory, traditional file-based scanning is inadequate. Organizations should deploy EDR solutions capable of inspecting memory for malicious code patterns and anomalous behavior.
As UAT-11795 continues to refine its methods, the integration of blockchain technology and advanced social engineering signals a new era of persistent and resilient cyber threats. The ability of these actors to operate in the shadows of legitimate software poses a significant challenge to global cybersecurity, requiring a shift from reactive patching to proactive, identity-centric, and binary-aware defense strategies.







