Starland RAT is a Python-based Windows remote access trojan used by the financially motivated Russian-speaking threat actor UAT-11795 in a multi-stage malware campaign active since at least June 2025. The operation has primarily affected users in the United States, with additional observed victims in Germany, Romania, and Venezuela. Distribution has relied on trojanized installers masquerading as legitimate software and was likely supported by ClickFix-style social engineering that launched a malicious HTA stager.
The infection chain uses staged components including HTA, batch, PowerShell, Python, JSON, archive, and shellcode payloads. A trojanized NSIS installer deploys a compiled Python loader disguised as a benign text file, which decrypts and loads Starland RAT in memory and establishes persistence. Starland RAT itself performs anti-analysis checks for sandbox and detonation environments, establishes persistence through scheduled tasks and Startup-folder mechanisms, and attempts privilege elevation via User Account Control prompts.
Once active, Starland RAT conducts broad host reconnaissance and theft-oriented collection. It gathers hardware and operating system details, locale, antivirus information, public IP information, and computer identity data, and it enumerates Active Directory structure, domain controllers, and privilege context on domain-joined systems. It also captures screenshots, inventories browser data, and targets cryptocurrency wallets, including numerous desktop and browser-extension wallet applications. The malware supports remote command execution, shellcode execution in both 32-bit and 64-bit contexts, download-and-execute of additional payload types, self-deletion, and process manipulation capabilities.
Observed post-compromise activity shows Starland RAT functioning as a flexible delivery platform for additional malware. In documented intrusions it delivered CastleStealer through a 64-bit shellcode chain and Remcos RAT through a 32-bit shellcode chain. It was also used to launch a PowerShell stager for the WLDR agent, a bespoke in-memory command-and-control framework with encrypted communications and victim-specific tasking.
Starland RAT uses resilient command-and-control tradecraft. Victim registration data is encoded and transmitted over HTTP, and if primary command-and-control is unavailable the malware can recover fallback infrastructure through a Polygon smart contract. The broader campaign also used Telegram-based notifications for execution and victim profiling. Overall, Starland RAT is best characterized as a financially motivated Windows RAT focused on credential and cryptocurrency theft, persistence, reconnaissance, and modular payload delivery.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
A financially motivated Russian threat actor tracked as UAT-11795 is using trojanized software to steal credentials and cryptocurrency by deploying a new backdoor called Starland RAT.
34 distinct techniques documented for this family, organized by ATT&CK tactic.
Starland checks whether it is running in a sandbox environment, adds scheduled tasks and Startup folder items for persistence
The primary mechanism involves creating a scheduled task using the PowerShell New-ScheduledTask command, with a randomized name following the pattern PythonLauncher-{3 random characters}.
451ac8ca34d5bcdfe476465f69eb517b2608f267c7e8d69f8ef36197a6f1d949 Stage-1-obfuscated-1.ps1 ... 17e41d66ebfd56edc960f58f4285697ceceaa812514bb15092672c747979896e Stage-1.ps1 ... f8da52ff98e66b137b5d31908f0a5d0fa1eb446034337f8bba3d5bba60f586be Stage-2.ps1 ... d52540621dec5ed56cac8532f0e4fe10a7575c3e17e984f59646909fa587dd35 WLDR-agent-payload.ps1
Runs an arbitrary shell string via “cmd /c” or PowerShell and returns the output to the C2 server through HTTP POST request.
47dedb08385449d48d8b6543030310317c92cddafa25e14ee0cb9a32d53ced5c Python_Loader.py
Starland checks whether it is running in a sandbox environment, adds scheduled tasks and Startup folder items for persistence
The primary mechanism involves creating a scheduled task using the PowerShell New-ScheduledTask command, with a randomized name following the pattern PythonLauncher-{3 random characters}.
the VBScript establishes persistence under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” with the generic value “MyApp”, pointing back to “mshta.exe” to execute the remotely hosted weaponized HTA file every time the victim logs in to the machine.
Starland checks whether it is running in a sandbox environment, adds scheduled tasks and Startup folder items for persistence
The primary mechanism involves creating a scheduled task using the PowerShell New-ScheduledTask command, with a randomized name following the pattern PythonLauncher-{3 random characters}.
Receives a 64-bit shellcode URL and executes the shellcode that is staged using the asynchronous procedure call (APC), process injection technique.
the VBScript establishes persistence under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” with the generic value “MyApp”, pointing back to “mshta.exe” to execute the remotely hosted weaponized HTA file every time the victim logs in to the machine.
451ac8ca34d5bcdfe476465f69eb517b2608f267c7e8d69f8ef36197a6f1d949 Stage-1-obfuscated-1.ps1 365024336c7681ac0854321ac6c140a245b9593285da02d2a590124cdc592370 Stage-1-obfuscated-2.ps1 a080b5380ccc8fc40b24c02151d305efc32d931dc547881e01a2e6f2b070c7dc Stage-1-obfuscated-3.ps1
6ca7a458985350ac082a9c9820d7f8d39128a4c4bda2f5d32f169a45b7b22bc6 MobaXterm_v26.1.exe ... 6ae334ce60d1a9b7fb96d1d0d0eda5ec7c2c31d3f0cf3e4d7e3056504d50043d WebEx_Client.exe ... 1a01ad25712d306f27f526332fdccf959f2de53207b54e4e80f60faa804d6cb6 FaceitInstaller_x64.exe ... f4491736743a16f1278b8ba01649ee93343764e35ae5e1c0d5e0c0e1d7e32c14 Zoom Installer
Receives a 64-bit shellcode URL and executes the shellcode that is staged using the asynchronous procedure call (APC), process injection technique.
saves it as a PNG in the RAT’s working directory, generates a Base64-encoded string for the PNG file in memory... and deletes the PNG file from the disk.
2c7a99f137efd718f89cf8b260379c99af89ea1939568df09314918f2c5999a3 HTA ... 5b9bf7957a9f8869c87ace1a6d76b48e2623073e72739ad0636b5dfa4bb2e0c3 HTA ... a6821c7e9bfe2e6af0f690d906ec6a26161e2198c256fb60f3b4731c317f3ad9 HTA
Before any malicious logic executes, the RAT conducts check for anti-analysis environments... compares the logged-on username... against a hardcoded list... verifies the victim's computer name against a list of hostnames from recognized sandbox environments, such as Cuckoo, Any.Run, Joe Sandbox, and Hybrid Analysis.
Active Directory information, including domain structure, domain controllers, and the victim’s domain privileges
It performs system reconnaissance, assembling the victim profile that includes the system hardware-bound unique identifier (HWID), total RAM size of the victim machine, and installed antivirus.
If the victim is identified as a member of Active Directory, the RAT executes the following commands to collect information about domain structure, domain controllers, and the victim’s domain privileges: whoami && systeminfo && net user {USERNAME} /dom && nltest /dclist
The RAT also conducts Active Directory reconnaissance via the PowerShell command Get-WmiObject Win32_ComputerSystem.Domain.
Before any malicious logic executes, the RAT conducts check for anti-analysis environments... compares the logged-on username... against a hardcoded list... verifies the victim's computer name against a list of hostnames from recognized sandbox environments, such as Cuckoo, Any.Run, Joe Sandbox, and Hybrid Analysis.
If the primary C2 registration fails, the RAT enables a blockchain-anchored fallback mechanism... targeting the smart contract “0x6ae382ed2154cc84c6672e4e908cd2c69c1b35ba”
https://eorthopaedics.com/feed/note ... https://web-devtools.com/starlandfox ... https://sastoro.com/alpha/nrpilqjnut/ ... https://windowscreenrepairnearme.com/command
51 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Python-based remote access trojan for Windows that performs anti-analysis checks, establishes persistence, conducts host and Active Directory reconnaissance, steals browser data and cryptocurrency wallet information, sends victim profiling data to Telegram and C2, and can execute shell commands, shellcode, and additional EXE/MSI/DLL/ZIP payloads. It also supports a Polygon smart-contract-based fallback C2 resolution mechanism.
A Python-based remote access tool for Windows that performs anti-analysis checks, establishes persistence, conducts host and Active Directory reconnaissance, steals browser data and cryptocurrency wallet information, sends victim profiling data to C2 and Telegram, and can receive and execute shell commands, shellcode, and additional payloads including EXE, MSI, DLL, and ZIP files.
A newly reported remote access trojan/backdoor delivered via trojanized installers. It establishes persistence, performs sandbox checks, attempts privilege escalation, steals browser and cryptocurrency wallet data, collects system and Active Directory information, captures screenshots, executes shell commands, injects shellcode, and downloads additional payloads.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.