Russian Crew Hides Starland Backdoor Inside Fake Zoom and WebEx Installers

UAT-11795 is spiking popular software downloads with a credential-and-crypto stealer, and US users are the main target.

ThreatVectr Newsdesk· 4 min read
Photoreal editorial shot of a laptop screen showing a generic software installer progress bar in a dim home office, warm desk lamp glow, a small out-of-focus Ru
Share

Key points

  • Cisco Talos says a Russian criminal group it tracks as UAT-11795 has been running the campaign since at least June 2025.
  • The hackers hide a new backdoor called Starland inside tampered installers for MobaXterm, WebEx, Zoom, DBeaver and FaceIT.
  • Most victims are in the United States, with further infections in Germany, Romania and Venezuela.
  • Starland hunts for browser logins and more than 40 desktop and browser-extension cryptocurrency wallets.
  • Follow-on malware includes CastleStealer, which grabs Discord, Telegram and Steam sessions, and Remcos, a remote access tool with keylogging and webcam capture.

A Russian criminal group is quietly poisoning downloads of software that millions of office workers use every day.

Researchers at Cisco Talos, the security arm of Cisco, published their findings this week. They are tracking the group as UAT-11795. The goal is money: stolen logins and stolen cryptocurrency.

The crew wraps everyday tools like Zoom, WebEx, MobaXterm, DBeaver and the FaceIT gaming client in tampered installers. Run one, and you get the real app plus a hidden backdoor called Starland.

A backdoor is a hidden program that lets an attacker come and go on your computer without you knowing. Starland is a new one, first spotted in these attacks.

How are people getting tricked into installing it?

Talos believes the group is using a trick called ClickFix, where a fake error message or captcha on a website tells you to paste a command into your computer to "fix" something. Paste it, and you have just installed the malware yourself.

The infection then unfolds in stages. A small script pulls down a booby-trapped installer. Inside sits a file dressed up as a plain LICENSE.txt, which is actually a Python program that plants Starland and edits the Windows Registry so the malware runs every time the computer starts.

Once active, Starland checks whether it is being watched inside a security researcher's test environment. If the coast looks clear, it digs in, tries to grant itself more power on the machine, and starts hunting.

What is it stealing?

Quite a lot. Starland scrapes saved passwords and cookies from browsers. It targets more than 40 desktop and browser-extension cryptocurrency wallets. It notes down the machine's hardware ID, its public internet address, and which antivirus is installed. On business networks it also maps out Active Directory, the system companies use to manage staff logins, so the attackers can see who has admin rights.

Starland can then pull down more malware. Talos saw two follow-ups in real attacks.

The first is CastleStealer, an information stealer that grabs browser credentials, wallet data, and Discord, Telegram and Steam sessions. The second is Remcos, a well-known remote access tool that logs keystrokes, records the webcam and microphone, watches the clipboard, and takes files.

Should ordinary users be worried?

Only if you install software from places you shouldn't. The safest habit is boring but effective: type the vendor's real address into the browser yourself (zoom.us, webex.com, dbeaver.io) and download from there. Ignore "download" ads at the top of search results, and never paste a command copied from a pop-up into PowerShell or the Run box.

Would multi-factor authentication have helped here? Honestly, not much on its own. Starland lifts session cookies straight from the browser, which lets attackers walk past a password and a code from your phone. The real defence is not installing the thing in the first place, and using a password manager that refuses to autofill on the wrong website.

One technical detail worth flagging: if Starland cannot reach its usual control server, it queries a smart contract on the Polygon blockchain to fetch a backup address. That makes the network side harder to take down than a normal domain block. Talos also found an unreported PowerShell tool the crew uses internally, dubbed WLDR, which runs entirely in memory and ties each payload to one specific victim's hardware.

Indicators of compromise are in the Cisco Talos writeup for defenders who want to hunt for this on their networks. First reported by BleepingComputer.

© 2026 Threat Vectr