Cisco sounds alarm over new Russian malware campaign hitting firms in US and Europe
UAT-11795 is weaponizing legitimate software such as WebEx and Zoom to dupe victims
Cisco Talos has uncovered a new Russian-speaking threat actor aggressively targeting victims across the United States and Europe.
Tracked as UAT-11795, the group has been active since June last year, and uses trojanized installers for legitimate software such as MobaXterm, WebEx, Zoom, DBeaver, and FaceIT to steal credentials and cryptocurrency.
A staple of the threat actor’s activities lies in deployment of two previously undocumented tools: Starland RAT and WLDR agent. The first of these is a Python-based remote access tool, while WLDR agent is a PowerShell-based C2 memory implant.
WLDR agent runs entirely in-memory, and features encrypted beaconing, task queuing, and a Runspace execution engine for executing additional payloads.
Both are built to steal credentials, browser data, and cryptocurrency wallet assets while keeping persistent access to victim machines. The group even hides a fallback command-and-control channel in a Polygon smart contract, Cisco Talos said.
UAT-11795 targets victims' credentials and cryptocurrency wallet assets, establishing a persistent connection to the victims' machines from the C2 server, with the potential to deliver and execute further payloads.
How UAT-11795 operates
Most infections have been spotted in the US, according to Cisco Talos, although Germany, Romania, and Venezuela have also been hit.
Sign up today and you will receive a free copy of our Future Focus 2026 report - the leading resource for IT decision-maker insight on priorities and investment areas in AI, security and more.
UAT-11795 gains initial access to the victim machine through a ClickFix social engineering technique that entices the user to execute a command, which then stealthily downloads and executes a remotely hosted weaponized HTA file.
This runs an embedded VBScript that drops a Windows batch file into the user profile’s application temporary folder, containing instructions to first download and implant a trojanized installer from the attacker-controlled staging domain onto the victim machine.
Muhammad Yahya Patel, CISO and cybersecurity advisor at Huntress, said the campaign is the latest in a string of attacks by hackers using “the very tools our remote and hybrid workers rely on”.
"By hiding the Starland RAT inside trusted software and likely utilising deceptive ClickFix social engineering tactics, these threat actors are completely bypassing traditional perimeter defenses to exploit human psychology rather than software vulnerabilities."
Talos’ research also uncovered a private live Telegram channel called “stuk komanda”, controlled by the same threat actor, created last June, and with three unknown subscribers.
Exercise caution when using video conferencing tools
Gabrielle Hempel, security operations strategist at Exabeam, said while the campaign specifically targets popular video conferencing software, one needn't avoid using Zoom or WebEx.
They should, however, exercise caution. This includes making efforts to verify where software comes from, monitor for unexpected processes and persistence mechanisms.
Elsewhere, Hempel said users shouldn't assume that 'signed installer' means a program is safe.
"This story is so interesting, not because of the trojans, but because of the way it shifts how we need to think about vulnerability management," she said.
"We often measure a program’s security maturity by patch SLAs, but we’re seeing so many successful intrusions starting with users executing software they believe is legitimate and not just unpatched systems. If your security program can’t answer 'where did this binary come from?' as quickly as it can answer 'is this CVE patched?' then you are behind on your threat model."
FOLLOW US ON SOCIAL MEDIA
Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.
You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.
-
‘The risk to every organization has increased exponentially’: The FortiBleed campaign just took a turn for the worseNews Reports suggest that FortiBleed-linked exposed credentials could put UK government and public services at huge risk
-
US offers $10m bounty for info on Russia-linked hackers behind Signal and WhatsApp attacksNews UNC5792 and UNC4221 have been targeting government officials through their Signal and WhatsApp accounts
-
Russian hackers are weaponizing CRMs, Ukraine’s former foreign minister warnsNews Dr Dmytro Kuleba told IT leaders in London that everyday business software is being actively exploited by nation-states
-
A ‘perfect storm’: NCSC chief issues warning over quantum threats, nation-state hackers, and the dangers of global ‘hacktivism’News NCSC CEO Richard Horne says nation-state attacks, AI and the looming quantum threat require stronger global collaboration
-
NCSC issues alert over Russian hacker campaign targeting SOHO routersNews The APT28 group has exploited vulnerable internet routers to covertly reroute internet traffic through malicious servers
-
Cloudflare warns state-backed hackers are ‘weaponizing legitimate enterprise ecosystems’ as ‘living off the land’ attacks surgeNews Chinese, North Korean, and Russian-backed threat groups now favor longer-term compromises over brute force attacks
-
This potent malware variant can hijack your Windows PC, steal passwords, and more: Neptune RAT is spreading on GitHub, Telegram, and even YouTube – and experts warn 'anyone could use it to launch attacks'News Neptune RAT can hijack Windows PCs and steal passwords – and it's spreading fast
-
CronRat Magecart malware uses 31st February date to remain undetectedNews The malware allows for server-side payment skimming that bypasses browser security
