Russian threat actor UAT-11795 is distributing trojanized versions of popular video conferencing apps to deploy Starland, a new backdoor capable of stealing credentials and cryptocurrency.
A financially motivated Russian hacking group is exploiting trust in widely-used collaboration software to distribute malware. The threat actor, tracked as UAT-11795, has compromised legitimate WebEx and Zoom applications, embedding them with Starland RAT—a remote access trojan designed to harvest sensitive data.
The attack vector leverages the ubiquity of video conferencing platforms in enterprise and remote work environments. Users downloading what appear to be standard WebEx or Zoom installers from compromised or spoofed sources instead receive trojaned versions bundled with the Starland backdoor.
Once installed, Starland operates as a credential stealer and cryptocurrency theft tool. The malware can capture login credentials, monitor user activity, and facilitate unauthorized access to infected systems. The backdoor also enables attackers to install additional payloads or maintain persistent access for future exploitation.
UAT-11795 operates with financial motivations, suggesting the campaign targets both individual users and organizations with valuable assets. The choice of WebEx and Zoom reflects these applications' prevalence in business environments, where compromised credentials can grant access to sensitive meetings, documents, and infrastructure.
Security researchers recommend users verify software downloads from official vendor websites or app stores rather than third-party sources. Organizations should implement application whitelisting, monitor for suspicious process behavior, and enforce credential verification protocols. Endpoint detection and response (EDR) solutions can identify Starland's command-and-control communications.
The discovery underscores the importance of securing download sources for widely-distributed software. While WebEx and Zoom themselves remain secure, the attack demonstrates how legitimate applications can serve as distribution vectors when users obtain them from untrusted channels.
Users concerned about potential infection should scan systems with updated antimalware tools and change credentials on any accounts accessed from potentially compromised machines.
Two members of the Scattered Spider cybercrime collective have been sentenced to five years and six months in prison each for a 2024 cyberattack that disrupted Transport for London.
A new ransomware group called Spirals has demonstrated rapid attack capabilities, completing full network encryption within a single day. The threat actor moved from initial access through data theft to encryption faster than most ransomware operations.
The Cybersecurity and Infrastructure Security Agency has issued an emergency directive requiring federal agencies to patch a critical Oracle E-Business Suite vulnerability by Saturday. The flaw is currently being exploited in active attacks.