Threat Intelligence

New Russian-speaking threat actor UAT-11795 targets US and Europe with novel malware

Red Skull Icon Formed From Binary Code on Computer Screen

Coverage from IT Pro indicates a new Russian-speaking threat actor, tracked as UAT-11795, is aggressively targeting victims across the United States and Europe. This group has been active since June of last year, employing trojanized installers for legitimate software to steal credentials and cryptocurrency, according to Cisco Talos.

UAT-11795 utilizes novel tools, including the Python-based Starland RAT and the PowerShell-based WLDR agent, which operates entirely in-memory with encrypted beaconing and a Runspace execution engine. Both tools are designed to exfiltrate credentials, browser data, and cryptocurrency wallet assets, while establishing persistent access. Cisco Talos reported that the group even hides a fallback command-and-control channel within a Polygon smart contract. Infections have been primarily observed in the US, but also in Germany, Romania, and Venezuela.

The group gains initial access through social engineering tactics, tricking users into executing a command that downloads a weaponized HTA file, leading to the installation of trojanized software. Cybersecurity experts note this campaign highlights a shift in attack vectors, exploiting user trust in legitimate software and social engineering over traditional software vulnerabilities. Users are advised to exercise caution, verify software sources, and monitor for unexpected processes.

Source: IT Pro

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds