Starland RAT Trojanizes Zoom and WebEx, Then Hides Its Backup C2 on a Polygon Smart Contract. We Didn't Have This One — and That's the Honest Half of Yesterday's Win.
- Patrick Duggan
- 2 hours ago
- 5 min read
Cisco Talos published a campaign today worth two things: a clear look at where command-and-control infrastructure is heading, and an honest test of our own feed that we failed. Both are worth your time, and we are going to give you both, because the second one is the reason to trust the first.
First, a correction, because getting the category right is the job. This is not ransomware and it is not an extortion crew, whatever the shorthand says. Talos tracks the actor as UAT-11795 — a financially motivated, Russian-speaking operator — and the tool is Starland RAT, a credential and cryptocurrency stealer. No leak site, no ransom note. It steals your wallets and your logins and gets out. Calling it ransomware would be the same mistake as calling a moderate-severity privilege bug harmless: the label decides your response, so the label has to be right.
The Chain, and the Bait
The lure is trojanized installers for software people actually install: MobaXterm, Cisco WebEx, Zoom, DBeaver, and the FACEIT gaming client. A victim is social-engineered through a ClickFix prompt into running a weaponized HTA file, which drops a batch script, sets a registry Run key for persistence, and launches a real, working copy of the expected software — with a trojanized NSIS installer riding along. Underneath, a Python loader XOR-decrypts and runs Starland RAT, which registers to its C2, fingerprints the machine, enumerates forty-plus cryptocurrency wallets, and pulls down two more payloads: CastleStealer, a .NET infostealer that empties browsers and wallet extensions, and Remcos, a commercial RAT for hands-on-keyboard control. A second implant the researchers call WLDR runs entirely in PowerShell memory with encrypted, HWID-bound C2. It is a complete, layered stealer operation, and the installer looked legitimate the whole way down.
That last part is the through-line to everything we have written this week about signed and trusted things being turned into delivery vehicles. The installer runs the real software so the victim never suspects. The signature on the wrapper, the working app that launches — all of it is there to make the trust check pass.
The Part That Matters: Command-and-Control on a Blockchain
Here is the detail that makes this campaign a marker for where this is going. Starland RAT has a fallback for when its primary C2 gets taken down, and the fallback is not another server. It is a smart contract on the Polygon blockchain.
The malware makes a read call to a specific contract — address 0x6ae382ed2154cc84c6672e4e908cd2c69c1b35ba — through a public Polygon RPC endpoint. The contract returns an encrypted hexadecimal string; the malware XOR-decrypts it and gets a fresh C2 domain to reconnect to. There is no server to seize for that lookup, because the address it reads from is a contract on a public blockchain that thousands of nodes replicate. You cannot send a takedown notice to a smart contract any more than you can send one to an IPFS hash.
We wrote this morning about attackers moving payload hosting to IPFS because it reads as un-seizable. This is the same instinct applied to the control channel instead of the payload: anchor the part you most need to survive a takedown on decentralized infrastructure that has no abuse desk. Decentralized C2 resilience is becoming a pattern, and it is worth naming now, while it is still early, rather than after it is everywhere.
The same lesson applies as with IPFS, though, and defenders should hold onto it: un-seizable is not the same as invisible. A workstation making a JSON-RPC eth_call to polygon-rpc dot com is not normal office behavior. The blockchain lookup that gives the malware its resilience is also a bright, specific detection signal — malware announcing, in a protocol nobody's HR department uses, that it is malware. The move that makes the C2 durable is the move that makes the host easy to spot.
Now the Honest Half
Here is the test we failed, and we are telling you because a feed you only hear about when it wins is a feed you cannot trust when it matters.
We took every network indicator Talos published for this campaign — all six C2 and staging domains, plus the Polygon contract address — and ran them against our own indicator feed. We had none of them. Not eorthopaedics dot com, not sastoro dot com, not web-devtools dot com, not zynaris dot io, not windowscreenrepairnearme dot com, not aipythondevs dot com. Zero. If you had been running our edge feed the day before Talos published, it would not have blocked a single piece of this campaign's infrastructure.
Yesterday we published the opposite story, and putting them side by side is the only honest way to show what our feed can and cannot do. Yesterday, Arctic Wolf named a brand-impersonation campaign whose exfil server we had already flagged in May — eight weeks early — because that actor was cheap and reused a burned Russian box that three feeds had already condemned. Infrastructure-first defense works beautifully against the operator who reuses. It caught that one before it had a name.
Starland is the other kind of operator. Look at two of its C2 domains — eorthopaedics dot com and windowscreenrepairnearme dot com — and note what Talos notes: they are likely hijacked legitimate domains. Real businesses' websites, taken over to serve malware. Those domains have clean histories precisely because they were clean until the day they were not, so there is nothing for a reputation feed to have flagged in advance. Add a fallback C2 that lives on a blockchain instead of at an IP, and you have an operator who has specifically engineered around the kind of defense that beat yesterday's actor. Fresh infrastructure, hijacked reputation, on-chain resilience. Our feed had nothing, and it had nothing for reasons that are structural, not an oversight.
What Actually Catches This One
If the infrastructure was invisible to us in advance, what stops it? Behavior, not addresses. The trojanized-installer provenance — a real app arriving through a channel it should never arrive through. The ClickFix-to-HTA pattern. A Python loader parked in the Startup folder. And, cleanest of all, that eth_call to a public Polygon endpoint from a machine that has no business talking to a blockchain. Talos shipped ClamAV signatures and Snort rules for the file and network artifacts, and those are the right layer for this campaign, because the network reputation layer — our layer — had nothing to say.
That is the honest shape of a threat feed. It is a razor that is sharp against actors who reuse and cut-rate about their infrastructure, and it is close to useless against actors who burn fresh domains, hijack clean ones, and anchor their fallback on a blockchain. We will keep publishing both outcomes — the eight-week head start and the clean miss — on the same masthead, because the day we only tell you about the head starts is the day the number stops meaning anything. We had this one at zero. Now you know that too.
Every indicator in this post is in the feed. Free.
1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.
