Ravie LakshmananJul 16, 2026Hacking News / Cybersecurity News

A lot of this week’s trouble starts with something that looks close enough.

A familiar repo. A useful installer. A harmless sync setting. Then the handoff goes bad, the box starts talking to someone else, and the damage moves faster than the explanation.

Old bugs are back, weak defaults are earning their keep, and some attack paths are so plain they barely feel like research. Here’s the mess.

  1. Fake installers deploy RATs

    UAT-11795, a sophisticated, Russian-speaking, financially motivated adversary, has been observed conducting a malicious campaign targeting users in the U.S. and Europe since at least June 2025. The activity delivers a Python-based remote access tool (RAT) dubbed Starland RAT and a command-and-control (C2) memory implant known as WLDR agent using trojanized installer lures for software like developer tooling, IT administration utilities, enterprise collaboration platforms, and consumer gaming applications (e.g., MobaXterm, WebEx, Zoom, DBeaver, and FaceIT). “The WLDR agent is a sophisticated PowerShell-based C2 memory implant that features encrypted beaconing, task queuing, and a Runspace execution engine for executing additional payloads,” Cisco Talos said. Alternatively, UAT-11795 has been linked to the deployment of CastleStealer and Remcos RAT. The malware is designed to target victims’ credentials and cryptocurrency wallet assets, harvest Active Directory information, and establish a persistent connection to the victims’ machines from the C2 server, likely with an aim to deliver and execute further payloads. The majority of the infections are in the U.S., with fewer potential impacts recorded in Germany, Romania, and Venezuela. The attack chain makes use of ClickFix lures to distribute HTA scripts, which then download and run trojanized installers to deliver Starland RAT, which then uses “curl.exe” to execute a PowerShell stager for decrypting and running WLDR agent. In recent weeks, ClickFix has also served as a conduit for TELEPUZ, a modular malware, and ClickLock Stealer, a macOS-focused information and cryptocurrency wallet stealer targeting users in Europe, North America, and MEA. “ClickLock Stealer targets data from 8 browsers, 31 crypto wallet browser extensions, 7 password manager extensions, 8 desktop wallet applications, extracts blockchain addresses across 6 chains, macOS Keychain, shell history, and FTP credentials,” Group-IB said.

The lesson is not “trust nothing.” It is to stop granting trust in bulk. Check the repo, the installer, the account, the exposed service. Small shortcuts keep turning into full attack paths.

And when a bug looks old, awkward, or too simple to matter, assume someone has already found a use for it. Patch the boring stuff. Tighten the defaults. Watch the handoffs.



Source link