Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
A financially motivated Russian threat actor tracked as UAT-11795 is using trojanized software to steal credentials and cryptocurrency by deploying a new backdoor called Starland RAT.
37 distinct techniques documented for this family, organized by ATT&CK tactic.
Starland checks whether it is running in a sandbox environment, adds scheduled tasks and Startup folder items for persistence
The primary mechanism involves creating a scheduled task using the PowerShell New-ScheduledTask command, with a randomized name following the pattern PythonLauncher-{3 random characters}.
Talos discovered that the threat actor executed a curl command to download and execute additional PowerShell script payloads of the WLDR C2 framework from another C2.
Runs an arbitrary shell string via “cmd /c” or PowerShell and returns the output to the C2 server through HTTP POST request.
The HTA file runs an embedded VBScript that drops a Windows batch file into the user profile’s application temporary folder.
Starland checks whether it is running in a sandbox environment, adds scheduled tasks and Startup folder items for persistence
The primary mechanism involves creating a scheduled task using the PowerShell New-ScheduledTask command, with a randomized name following the pattern PythonLauncher-{3 random characters}.
the VBScript establishes persistence under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” with the generic value “MyApp”, pointing back to “mshta.exe” to execute the remotely hosted weaponized HTA file every time the victim logs in to the machine.
Starland checks whether it is running in a sandbox environment, adds scheduled tasks and Startup folder items for persistence
The primary mechanism involves creating a scheduled task using the PowerShell New-ScheduledTask command, with a randomized name following the pattern PythonLauncher-{3 random characters}.
Receives a 64-bit shellcode URL and executes the shellcode that is staged using the asynchronous procedure call (APC), process injection technique.
the VBScript establishes persistence under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” with the generic value “MyApp”, pointing back to “mshta.exe” to execute the remotely hosted weaponized HTA file every time the victim logs in to the machine.
The PowerShell stager is heavily obfuscated... The compiled Python loader is a relatively large file obfuscated with numerous junk functions... implementing XOR decryption
Receives a 64-bit shellcode URL and executes the shellcode that is staged using the asynchronous procedure call (APC), process injection technique.
saves it as a PNG in the RAT’s working directory, generates a Base64-encoded string for the PNG file in memory... and deletes the PNG file from the disk.
The actual execution logic is confined to six lines in the loader program, implementing XOR decryption using the XOR key 198 (0xC6) to decrypt the encrypted embedded payload of Starland RAT
The threat actor executed a multistage campaign that involves deploying a weaponized HTA downloader via Microsoft HTML Application Host (“mshta.exe”) on the victim's machine.
Before any malicious logic executes, the RAT conducts check for anti-analysis environments... compares the logged-on username... against a hardcoded list... verifies the victim's computer name against a list of hostnames from recognized sandbox environments, such as Cuckoo, Any.Run, Joe Sandbox, and Hybrid Analysis.
Active Directory information, including domain structure, domain controllers, and the victim’s domain privileges
If the victim is identified as a member of Active Directory, the RAT executes the following commands to collect information ... whoami && systeminfo ... For workgroup-only hosts, it executes the whoami /all command.
It performs system reconnaissance, assembling the victim profile that includes the system hardware-bound unique identifier (HWID), total RAM size of the victim machine, and installed antivirus.
If the victim is identified as a member of Active Directory, the RAT executes the following commands to collect information about domain structure, domain controllers, and the victim’s domain privileges: whoami && systeminfo && net user {USERNAME} /dom && nltest /dclist
The RAT also conducts Active Directory reconnaissance via the PowerShell command Get-WmiObject Win32_ComputerSystem.Domain.
Before any malicious logic executes, the RAT conducts check for anti-analysis environments... compares the logged-on username... against a hardcoded list... verifies the victim's computer name against a list of hostnames from recognized sandbox environments, such as Cuckoo, Any.Run, Joe Sandbox, and Hybrid Analysis.
If the primary C2 registration fails, the RAT enables a blockchain-anchored fallback mechanism... targeting the smart contract “0x6ae382ed2154cc84c6672e4e908cd2c69c1b35ba”
the malware’s command-and-control (C2) communication has a redundancy mechanism if reaching the hardcoded address fails, which involves querying a Polygon smart contract with an XOR-encrypted fallback domain
The initial connection to the C2 is established through an HTTP POST... All subsequent traffic is sent to C2 over HTTPS, with headers designed to mimic a Chrome browser session.
8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Python-based remote access trojan for Windows that performs anti-analysis checks, establishes persistence, conducts host and Active Directory reconnaissance, steals browser data and cryptocurrency wallet information, sends victim profiling data to Telegram and C2, and can execute shell commands, shellcode, and additional EXE/MSI/DLL/ZIP payloads. It also supports a Polygon smart-contract-based fallback C2 resolution mechanism.
A Python-based remote access tool for Windows that performs anti-analysis checks, establishes persistence, conducts host and Active Directory reconnaissance, steals browser data and cryptocurrency wallet information, sends victim profiling data to C2 and Telegram, and can receive and execute shell commands, shellcode, and additional payloads including EXE, MSI, DLL, and ZIP files.
A newly reported remote access trojan/backdoor delivered via trojanized installers. It establishes persistence, performs sandbox checks, attempts privilege escalation, steals browser and cryptocurrency wallet data, collects system and Active Directory information, captures screenshots, executes shell commands, injects shellcode, and downloads additional payloads.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.