More than 40 desktop and browser-extension cryptocurrency wallets are among the specific targets of a new malware campaign that researchers say has been active since at least June 2025.
UAT-11795's trojanized installers
Researchers at Cisco Talos attribute the campaign to a financially motivated Russian threat actor tracked as UAT-11795. Talos says the actor distributes malicious payloads by trojanizing legitimate installers for widely used applications — MobaXterm, WebEx, Zoom, DBeaver, and FaceIT — and has focused primarily on users in the United States, with additional victims observed in Germany, Romania, and Venezuela.
The initial infection chain, as described by Cisco Talos, begins with an HTA file that retrieves a trojanized NSIS installer. That installer contains a Python loader disguised as a text file named LICENSE.txt. Talos could not confirm the exact delivery mechanism to victims, but the researchers speculate the malicious files are likely pushed using the ClickFix method.
How the Starland RAT operates
Once the loader runs, it modifies the Windows Registry to establish persistence and decrypts and loads a remote access trojan Talos calls Starland. When launched, Starland performs sandbox checks, creates scheduled tasks and Startup folder items to persist across reboots, and attempts to elevate privileges.
Cisco Talos lists the types of data Starland seeks on compromised systems, including:
- Browser data and cryptocurrency wallet assets — including more than 40 desktop and browser-extension wallets
- System details such as hardware ID (HWID), RAM, processor, operating system, computer name, region, public IP address, and installed antivirus products
- Active Directory information including domain structure, domain controllers, and the victim’s domain privileges
Starland also can capture screenshots, execute shell commands, inject 32- or 64-bit shellcode, and download additional payloads packaged as EXEs, MSIs, DLLs, or ZIPs.
CastleStealer and Remcos: the secondary payloads
Cisco Talos observed that Starland branches into two shellcode delivery chains. The 64-bit chain delivers CastleStealer, an info-stealer that targets browser credentials, cryptocurrency wallet information, Discord and Telegram sessions, Steam credentials, and filesystem files. The 32-bit chain delivers Remcos, a remote access trojan that provides keylogging, webcam and screen capture, audio recording, clipboard monitoring, file management, and remote command execution.
Command-and-control redundancy and the WLDR framework
Cisco Talos highlights two notable aspects of the campaign’s command-and-control (C2) design. First, if Starland cannot reach a hardcoded C2 address, it has a redundancy mechanism that involves querying a Polygon smart contract to obtain an XOR-encrypted fallback domain. Second, Talos discovered a previously undocumented PowerShell C2 framework used by UAT-11795, which Talos names WLDR.
WLDR, according to Talos, uses encrypted beaconing and communications based on PBKDF2-SHA256, operates entirely in memory (fileless), and ties payload delivery to each victim’s hardware identifier — a capability that binds operations to specific infected machines.
What this means for security teams, software buyers, and cryptocurrency holders
Security teams: Cisco Talos recommends using the indicators of compromise (IoCs) published in its report. The campaign’s ability to deliver multiple, targeted payloads and its C2 redundancy underline the need to monitor for the HTA–NSIS–Python loader chain, registry persistence modifications, and in-memory PowerShell activity.
Software procurement and end users: Talos’s advice is straightforward — avoid executing commands found online if you do not understand them, and download software only from confirmed official vendor portals. The use of trojanized installers for legitimate applications highlights risk in informal download channels.
Cryptocurrency holders and wallet operators: Because CastleStealer targets browser and desktop wallets as well as extension-based wallets, efforts to harden wallet security — including careful vetting of installed extensions and limiting exposure of private keys on endpoints — are implicated by the technical details Talos describes.
Cisco Talos’s report also cites detection gaps that amplify the urgency: an external whitepaper noted in the same advisory finds security teams log 54% of successful attacks and alert on just 14%, a shortfall Talos’s findings suggest could let multi-stage campaigns like UAT-11795 move through environments unseen.
The technical contours are clear: trojanized installers, an obfuscated Python loader, a modular RAT that fetches additional specialized malware, and a layered C2 fallback using blockchain infrastructure and an in-memory PowerShell framework. For defenders, the immediate steps Talos sets out — IoC hunting, stricter download controls, and skepticism about running unsolicited commands — are concrete actions that match the campaign’s tactics. For investigators, the use of a Polygon smart contract and the WLDR framework pose new traces to follow.
Read Cisco Talos’s analysis via the original story at BleepingComputer.




