Novel Starland RAT and bespoke WLDR C2 implant deployed in financially motivated campaign

A sophisticated Russian-speaking financially motivated adversary designated UAT-11795 has been conducting malicious operations targeting users in the United States and Europe since June 2025. The campaign delivers a Python-based remote access tool called Starland RAT and a PowerShell-based command-and-control memory implant known as the WLDR agent. The actor distributes trojanized installers disguised as legitimate software including MobaXterm, WebEx, Zoom, DBeaver, and FACEIT through likely ClickFix social engineering techniques. The operation targets victims' credentials and cryptocurrency wallet assets while establishing persistent connections for additional payload delivery. Alternative payloads include CastleStealer and Remcos RAT. The infrastructure utilizes distributed staging and C2 domains, Telegram bots for notifications, and a Polygon smart contract as a fallback mechanism for C2 domain resolution. The WLDR agent features encrypted beaconing, task queuing, and a Runspace execution engine for exe...

credential harvesting
trojanized installers
python rat
powershell implant
starland rat
clickfix
wldr agent
castlestealer
remcos rat
cryptocurrency theft
Read More

The Patch Wars have begun

Microsoft released an unprecedented 622 vulnerability patches in July's Patch Tuesday, with 62 critical severity issues and three zero-days, two actively exploited. This represents more vulnerabilities than all of 2018 combined and marks a dramatic shift from the typical five patches issued in July two years prior. Microsoft attributes this surge to AI frontier model-accelerated vulnerability research. While major vendors like Microsoft possess resources to handle this volume, smaller companies face significant challenges. The concern extends beyond discovery to deployment, as traditional IT patch testing and stability review processes struggle under this unprecedented load. Organizations must differentiate between temporary surges and the new normal operational tempo, as continuous high-volume patching may become standard. This situation places extraordinary pressure on IT administrators and change management teams who must adapt to a sustained flood of KEV and EPSS notifications while maintaining infrast...

castlestealer
starland rat
remcos rat
russian-speaking adversary
wldr agent
uat-11795
trojanized installers
financial motivation
cryptocurrency theft
clickfix
Read More

GoSerpent backdoor attacks in Southeast Asia

Since late 2025, government and diplomatic entities in Southeast Asia have been targeted by sophisticated attacks involving GoSerpent, a Go-based RAT with proxy capabilities. The malware receives encrypted arguments and deploys additional tools for data collection and credential dumping. GoSerpent has been active since 2021, with newer variants using AES-CBC encryption and ChaCha20 for communications. The campaign involves multiple stages: initial deployment of GoSerpent and ThumbcacheService to collect sensitive files, credential dumping via Mimikatz and QuarksDumpLocalHash, followed by deployment of Stowaway RAT in May 2026 and TmcLoader/TmcPayload for stealthy data exfiltration through network shares. The integrated toolset demonstrates sophisticated operational planning, with attackers leveraging Alibaba Cloud and UCLOUD HK infrastructure while exhibiting possible connections to the TetrisPhantom threat actor.

government targeting
southeast asia
goserpent
diplomatic entities
quarksdumplocalhash
stowaway
tmcloader
tmcpayload
proxy capabilities
data exfiltration
credential dumping
mcmx
thumbcacheservice
mimikatz
Read More