A financially motivated Russian threat actor tracked as UAT-11795 is using trojanized software to steal credentials and cryptocurrency by deploying a new backdoor called Starland RAT.

Attacks have been occurring since at least June 2025 and have focused on users in the U.S., although victims in Germany, Romania, and Venezuela have been observed as well.

According to researchers at Cisco Talos, the threat actor distributes the payload via trojanized installers for legitimate software such as MobaXterm, WebEx, Zoom, DBeaver, and FaceIT.

Although the researchers could not confirm the infection vector, they speculate that the malicious files are likely pushed using the ClickFix method.

In an analysis published today, Cisco Talos says that the attack starts with an HTA file that retrieves a trojanized NSIS installer containing a Python loader disguised as a text file (LICENSE.txt).