Russian-speaking hackers push crypto stealers through fake app installers

Cisco Talos has exposed a financially motivated, Russian-speaking cybercrime group it tracks as UAT-11795, which has been booby-trapping installers for popular software since at least June 2025 to steal credentials and cryptocurrency. The operation relies on two previously undocumented tools: a Python remote-access trojan Talos calls Starland RAT and a custom PowerShell implant known as the WLDR agent.

Who is affected

Infections are concentrated in the United States, with additional victims observed in Germany, Romania, and Venezuela. The lures span very different audiences, from IT and developer tools to enterprise collaboration apps and a consumer gaming client, which points to an opportunistic, high-volume operation rather than a run at a single industry.

How the attack works

Victims are steered into running a trojanized installer for legitimate software such as MobaXterm, Cisco WebEx, Zoom, the DBeaver database client, or the FACEIT gaming platform. Talos assesses that the initial lure often uses ClickFix, a social-engineering trick that coaxes users into pasting a command which quietly launches a hidden HTML application through mshta.exe. That kicks off a multi-stage chain that decodes and runs Starland RAT directly in memory. The trojan fingerprints the machine, steals browser data and cryptocurrency wallets, and can pull down further payloads, including the CastleStealer .NET stealer, a variant of the Remcos RAT, and the stealthy WLDR PowerShell agent for encrypted command-and-control. To keep control if a server is taken down, the malware can fetch a backup C2 address from a Polygon blockchain smart contract, and the operators run Telegram bots that ping them with each new victim.

What you should do

Download software only from official vendor sites, and treat any web page that tells you to copy and paste a command into a terminal or Run box as a warning sign. This crew is the latest to abuse fake installers; we have tracked similar campaigns pushing remote-access malware through counterfeit software sites.

Indicators of compromise (defanged)

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions