WLDR is a bespoke PowerShell-based in-memory command-and-control implant associated with the financially motivated, Russian-speaking threat actor UAT-11795. It has been observed in campaigns targeting users primarily in the United States, with additional victims in Europe and elsewhere, and is used alongside Starland RAT and, in some intrusions, follow-on payloads such as CastleStealer and Remcos RAT.
WLDR operates as a memory-resident agent delivered through a staged PowerShell infection chain. Reported delivery involves trojanized installers masquerading as legitimate software and social-engineering-driven execution chains that culminate in PowerShell staging and retrieval of victim-specific payloads. The implant is designed for remote access and post-compromise control, with encrypted command-and-control communications and support for concurrent task execution. Communications reportedly use AES-256-CBC with HMAC-SHA256, with session keys derived via PBKDF2-SHA256, and the implant can stream command output in real time.
The malware is notable for running entirely in memory, reducing on-disk artifacts and complicating detection. It is tied to intrusion chains that use custom loaders to weaken host defenses by disabling AMSI and ETW in memory before payload execution. The broader campaign emphasizes stealth and persistence, combining in-memory execution, encrypted communications, and host-specific tasking. WLDR has been used in operations focused on credential theft and theft of cryptocurrency wallet data, while also providing persistent remote access for continued post-exploitation activity.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The campaign deploys the Starland RAT and the WLDR PowerShell-based memory implant to steal credentials and cryptocurrency wallet data, while maintaining persistent access through encrypted C2 communications and in-memory payload execution.
17 distinct techniques documented for this family, organized by ATT&CK tactic.
This arrives in three stages: a heavily obfuscated PowerShell stager, a downloader that fetches victim-specific payloads bound to the machine’s hardware ID, and the WLDR agent itself
The campaign deploys the Starland RAT and the WLDR PowerShell-based memory implant
47dedb08385449d48d8b6543030310317c92cddafa25e14ee0cb9a32d53ced5c Python_Loader.py
451ac8ca34d5bcdfe476465f69eb517b2608f267c7e8d69f8ef36197a6f1d949 Stage-1-obfuscated-1.ps1 365024336c7681ac0854321ac6c140a245b9593285da02d2a590124cdc592370 Stage-1-obfuscated-2.ps1 a080b5380ccc8fc40b24c02151d305efc32d931dc547881e01a2e6f2b070c7dc Stage-1-obfuscated-3.ps1
6ca7a458985350ac082a9c9820d7f8d39128a4c4bda2f5d32f169a45b7b22bc6 MobaXterm_v26.1.exe ... 6ae334ce60d1a9b7fb96d1d0d0eda5ec7c2c31d3f0cf3e4d7e3056504d50043d WebEx_Client.exe ... 1a01ad25712d306f27f526332fdccf959f2de53207b54e4e80f60faa804d6cb6 FaceitInstaller_x64.exe ... f4491736743a16f1278b8ba01649ee93343764e35ae5e1c0d5e0c0e1d7e32c14 Zoom Installer
while maintaining persistent access through encrypted C2 communications and in-memory payload execution
53 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A newly documented PowerShell in-memory command-and-control implant/framework deployed by Starland RAT. It supports encrypted C2, concurrent task execution via runspaces, module delivery, and interactive remote PowerShell execution, with victim-specific payloading tied to hardware ID.
A bespoke PowerShell-based in-memory C2 implant used for credential theft, cryptocurrency wallet data theft, persistent access, and encrypted command-and-control communications.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.