Back to Intelligence

UAT-11795 Starland RAT, Spirals Ransomware, and the Global Lua Loader Threat — OTX Intelligence Briefing

SA
Security Arsenal Team
July 16, 2026
6 min read

Current OTX Pulse data indicates a highly active threat landscape characterized by a convergence of financially motivated cybercrime and targeted espionage. The primary driver is the threat actor UAT-11795, a Russian-speaking group capitalizing on the noise generated by Microsoft's unprecedented Patch Tuesday (622 vulnerabilities) to distribute trojanized installers. This campaign delivers the Starland RAT (Python-based) and the WLDR agent (PowerShell memory implant), alongside the CastleStealer payload targeting cryptocurrency and financial credentials.

Concurrently, a separate global campaign, "The TTF Trap," is leveraging low-detection Lua-based loaders to propagate commodity malware families like Agent Tesla, XWorm, and Snake Keylogger. In Southeast Asia, government entities are facing pressure from the GoSerpent backdoor (TetrisPhantom) and the newly identified Spirals ransomware, which utilizes Rust-based encryption and enters via compromised IIS servers. Collectively, these pulses demonstrate a heavy emphasis on initial access via social engineering (ClickFix, trojanized installers) and immediate credential harvesting for follow-on extortion or fraud.

Threat Actor / Malware Profile

  • UAT-11795 (The Patch Wars Adversary)

    • Origin: Russian-speaking financially motivated actor.
    • Distribution: Trojanized software installers and "ClickFix"-style browser popups prompting fake patches.
    • Payloads:
      • Starland RAT: A Python-based Remote Access Tool allowing full control of the victim host.
      • WLDR Agent: A PowerShell-based command-and-control implant that resides entirely in memory to evade disk-based scanning.
      • CastleStealer: Specialized in stealing cryptocurrency wallets and browser credentials.
    • Persistence: Scheduled tasks and registry run keys established via the initial PowerShell delivery vector.
  • Spirals Ransomware

    • Type: Rust-based ransomware targeting IT services in South Asia.
    • Entry: Compromised internet-facing IIS web servers via ASP.NET web shells.
    • Capabilities: Defense evasion, lateral movement, privilege escalation, and double extortion.
    • C2/Tunnels: Utilizes revsocks, Chisel, and Cloudflare Tunnels to obfuscate traffic.
  • The TTF Trap (Lua Loader Campaign)

    • Malware: Agent Tesla, Remcos, XWorm, Best Private LOGGER, Snake Keylogger.
    • Technique: Phishing archives containing obfuscated JavaScript, which deploys AutoIt or LuaJIT-based loaders using Donut shellcode to execute fileless payloads.

IOC Analysis

The provided indicators of compromise (IOCs) reveal a multi-faceted infrastructure:

  • File Hashes: A significant volume of MD5, SHA1, and SHA256 hashes corresponding to trojanized installers and malware loaders (e.g., 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507). These should be integrated into EDR solutions for immediate blocklisting.
  • Network Infrastructure: Specific C2 domains such as windowscreenrepairnearme.com and zynaris.io associated with UAT-11795, alongside IP addresses like 193.149.176.254 and 74.114.119.201.
  • Operationalization: SOC teams should feed the domains and IPs into firewall blocklists and DNS sinkholing services. The file hashes require immediate scanning of endpoint environments using EDR historical search capabilities to identify execution attempts within the last 30 days.

Detection Engineering

The following detection logic targets the specific behaviors observed in the Starland RAT, WLDR agent, and Lua loader campaigns.

YAML
title: Potential WLDR Agent PowerShell Memory Execution
id: d41d8cd9-8f00-b204-e980-0998ecf8427e
description: Detects suspicious PowerShell execution patterns often associated with WLDR agent and memory-based implants observed in UAT-11795 campaigns.
status: experimental
date: 2026/07/17
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6223423423
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4688
        NewProcessName|endswith: '\powershell.exe'
        CommandLine|contains:
            - ' -enc '
            - ' -encodedcommand '
            - 'DownloadString'
            - 'IEX'
    filter_legit:
        SubjectUserName:
            - 'SYSTEM'
            - 'NETWORK SERVICE'
    condition: selection and not filter_legit
falsepositives:
    - Legitimate administrative scripts
level: high

---

title: Starland RAT Python Network Activity
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
description: Identifies Python processes establishing network connections, a behavior consistent with the Starland RAT malware used by UAT-11795.
status: experimental
date: 2026/07/17
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6223423424
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
detection:
    selection:
        Image|endswith:
            - '\python.exe'
            - '\pythonw.exe'
        Initiated: 'true'
    condition: selection
falsepositives:
    - Legitimate Python development or scripting
level: medium

---

title: Suspicious Lua Loader Execution
id: e5f6g7h8-9012-34cd-ef56-789012345678
description: Detects the execution of LuaJIT or Lua scripts coupled with shellcode injection patterns associated with the "TTF Trap" global campaign.
status: experimental
date: 2026/07/17
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6223423425
tags:
    - attack.defense_evasion
    - attack.t1055.001
logsource:
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '\luajit.exe'
            - '\lua.exe'
            - '\wscript.exe'
    selection_cli:
        CommandLine|contains:
            - 'donut'
            - 'shellcode'
            - '.lua'
    condition: all of selection_*
falsepositives:
    - Rare; legitimate software usually does not inject shellcode via Lua
level: critical


kql
// Hunt for connections to known UAT-11795 C2 infrastructure and generic Python RAT traffic
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where (RemoteUrl has_any (
    "windowscreenrepairnearme.com", 
    "zynaris.io", 
    "taikei-rmc-co.biz", 
    "allportcargoservice.com"
) or 
    RemoteIP in ("193.149.176.254", "74.114.119.201", "185.141.216.194"))
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort

// Hunt for suspicious PowerShell execution patterns (WLDR Agent)
DeviceProcessEvents 
| where Timestamp > ago(7d)
| where FileName =~ "powershell.exe"
| where ProcessCommandLine has_any ("-enc", "-encodedcommand", "DownloadString", "IEX") 
| where InitiatingProcessFileName !in ("explorer.exe", "services.exe")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName


powershell
# IOC Hunt Script: Check for UAT-11795 and Spirals Ransomware Network Artifacts
# Requires Administrative Privileges

$C2_IPs = @(
    "193.149.176.254",
    "74.114.119.201",
    "185.141.216.194"
)

$C2_Domains = @(
    "windowscreenrepairnearme.com",
    "zynaris.io",
    "newremupdate.duckdns.org"
)

function Check-NetworkConnections {
    Write-Host "Checking active network connections for C2 indicators..." -ForegroundColor Cyan
    $activeConnections = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
    
    foreach ($ip in $C2_IPs) {
        $match = $activeConnections | Where-Object { $_.RemoteAddress -eq $ip }
        if ($match) {
            Write-Host "[ALERT] Active connection found to C2 IP: $ip (PID: $($match.OwningProcess))" -ForegroundColor Red
            $process = Get-Process -Id $match.OwningProcess -ErrorAction SilentlyContinue
            Write-Host "  Process Details: $($process.ProcessName) - $($process.Path)" -ForegroundColor Yellow
        }
    }
}

function Check-DnsCache {
    Write-Host "Checking DNS cache for malicious domains..." -ForegroundColor Cyan
    $dnsCache = Get-DnsClientCache -ErrorAction SilentlyContinue
    
    foreach ($domain in $C2_Domains) {
        $match = $dnsCache | Where-Object { $_.Entry -like "*$domain*" }
        if ($match) {
            Write-Host "[ALERT] DNS cache entry found for domain: $domain" -ForegroundColor Red
        }
    }
}

function Check-HostsFile {
    Write-Host "Checking HOSTS file for malicious domain redirects..." -ForegroundColor Cyan
    $hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
    if (Test-Path $hostsPath) {
        $hostsContent = Get-Content $hostsPath
        foreach ($domain in $C2_Domains) {
            if ($hostsContent -match $domain) {
                Write-Host "[ALERT] Entry found in HOSTS file for: $domain" -ForegroundColor Red
            }
        }
    }
}

Check-NetworkConnections
Check-DnsCache
Check-HostsFile

Response Priorities

  • Immediate (0-4 hours):

    • Block all listed IOCs (IPs, Domains, Hashes) at the perimeter and endpoint level.
    • Initiate a hunt for PowerShell processes running encoded commands (WLDR agent) and Python processes with active sockets (Starland RAT).
    • Isolate any endpoints matching the file hash indicators.
  • 24 Hours:

    • Conduct credential auditing and forced password resets for accounts with access to sensitive systems, particularly in regions targeted by UAT-11795 (US, Germany) and TetrisPhantom (SE Asia).
    • Scan internet-facing IIS servers for ASP.NET web shells (Spirals ransomware entry vector).
  • 1 Week:

    • Patch management acceleration to address the "Patch Wars" vulnerabilities exploited by UAT-11795.
    • Review and restrict PowerShell execution policies and scripting languages (Python/Lua) on non-admin workstations.
    • Implement application control to block unsigned trojanized installers.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsstarland-ratuat-11795spirals-ransomwarelua-loaderinfostealer

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.