UAT-11795 is a Russian-speaking, financially motivated threat actor active since at least June 2025. The actor has targeted users primarily in the United States, with additional observed victimization in Europe and Venezuela, and appears focused on credential theft, cryptocurrency wallet theft, and broader post-compromise monetization. The group is associated with a multi-stage malware campaign that relies on trojanized installers for legitimate software and likely ClickFix-style social engineering to induce execution of malicious HTA-based launchers. Its tooling includes Starland RAT, a Python-based backdoor and information stealer; the WLDR agent, a bespoke in-memory PowerShell command-and-control framework; and secondary payloads including CastleStealer and Remcos RAT. This combination indicates a flexible intrusion model that supports both large-scale credential and wallet theft and sustained remote access. Starland RAT is central to the actor’s operations. It establishes persistence, performs anti-analysis and sandbox checks, gathers extensive host profiling data, enumerates browser and cryptocurrency wallet information, captures screenshots, and can execute shell commands, inject shellcode, and retrieve additional payloads. Reported reconnaissance includes system characteristics, security products, privilege context, and Active Directory information such as domain structure and controller details. The malware has also been observed delivering CastleStealer and Remcos RAT through separate shellcode paths. WLDR is a distinct PowerShell-based implant used for encrypted in-memory command and control. It supports host reconnaissance, modular task execution, and victim-specific tasking tied to hardware-derived identifiers. Its communications use strong symmetric encryption and integrity protection derived through PBKDF2-SHA256, and it is designed for stealthy memory-resident execution. Observed loader behavior also included dynamic API resolution and attempts to impair AMSI and ETW visibility. Operationally, UAT-11795 has demonstrated resilient command-and-control design. In addition to conventional web-based infrastructure, the actor has used Telegram bots and channels for execution notifications and victim data handling, and a Polygon smart contract as a fallback mechanism for recovering command-and-control information if primary infrastructure becomes unavailable. This use of decentralized infrastructure suggests deliberate efforts to improve survivability and complicate disruption. Known associated malware and tooling include Starland RAT, WLDR, CastleStealer, and Remcos RAT. No widely established public alias beyond UAT-11795 is currently available.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Geographies tied to known operations.
Attributed origin per open-source reporting.
48 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
4 malware families attributed to this actor across reporting.
8 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Financially motivated campaign targeting users in the U.S. and Europe using trojanized installers, likely ClickFix delivery, Starland RAT, WLDR agent, and additional payloads to steal credentials and cryptocurrency wallet assets while maintaining persistent remote access.
Financially motivated campaign targeting users in the U.S. and Europe using trojanized installers, ClickFix-style social engineering, Starland RAT, WLDR agent, CastleStealer, and Remcos RAT to steal credentials and cryptocurrency wallet assets and maintain persistent remote access.
Financially motivated intrusion activity using trojanized installers for legitimate software to deploy Starland RAT, steal credentials and cryptocurrency, establish persistence, gather system and Active Directory data, and deliver additional payloads including CastleStealer and Remcos.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.