Skip to content
supplychainattack.orgSupply chain attack incident catalog
activehigh

Russian hackers trojanize WebEx, Zoom apps to push Starland malware

Russian threat actor UAT-11795 is distributing trojanized versions of WebEx and Zoom applications to deploy Starland RAT malware for credential theft and cryptocurrency theft. The campaign targets users of these widely-used communication platforms.

ShareXLinkedInHacker News
Disclosed
Last updated
Blast radius
Unknown; potentially widespread given trojanization of popular communication tools (WebEx, Zoom)
Ecosystems
Attack vectors
Affected entities
  • WebExTrojanized versions distributed by threat actor UAT-11795
  • ZoomTrojanized versions distributed by threat actor UAT-11795

A financially motivated Russian threat actor tracked as UAT-11795 has been observed trojanizing legitimate WebEx and Zoom applications to distribute a new backdoor malware called Starland RAT. The trojanized software is being used to steal credentials and cryptocurrency from victims.

The use of trojanized versions of popular communication tools represents a significant supply chain risk, as users may unknowingly download compromised installers or updates. The Starland RAT backdoor provides attackers with remote access capabilities to infected systems.

The campaign appears to be ongoing, with the threat actor actively distributing these trojanized applications to target users relying on WebEx and Zoom for business and personal communications.

Remediation

  • Verify the integrity of WebEx and Zoom installations by downloading directly from official vendor websites (webex.com, zoom.us) rather than third-party sources
  • Check file hashes against official vendor-provided checksums to ensure authenticity
  • Monitor for signs of Starland RAT infection including unexpected network connections and credential access attempts
  • Implement application whitelisting to prevent unauthorized executables from running
  • Use endpoint detection and response (EDR) tools to identify and isolate infected systems
  • Reset credentials for any accounts accessed from potentially compromised systems
  • Keep WebEx and Zoom applications updated to the latest official versions

Sources

  1. Russian hackers trojanize WebEx, Zoom apps to push Starland malware · BleepingComputer

Cite this entry

"Russian hackers trojanize WebEx, Zoom apps to push Starland malware." supplychainattack.org, Supply Chain Attack Incident Catalog. Disclosed July 16, 2026; last updated July 16, 2026. https://supplychainattack.org/incident/russian-hackers-trojanize-webex-zoom-apps-to-push-starland-malware-p7zss7

Suggest a correction

Found an error or have a newer source? Corrections to factual errors take priority over new entries.

  1. containedhigh

    M-Red-Team: AsyncAPI Supply Chain Compromise via GitHub Actions

    M-Red-Team compromised AsyncAPI npm packages via GitHub Actions, injecting malicious code into the supply chain. The attack leveraged build system access to distribute compromised packages to downstream consumers.

    M Red TeamnpmOtherCompromised packageBuild-system compromise
  2. activehigh

    New ChocoPoC malware targets researchers via trojanized PoC exploits

    Multiple weaponized proof-of-concept (PoC) exploits on GitHub were found delivering ChocoPoC, a Python-based remote access trojan (RAT) capable of executing commands and stealing sensitive data. The campaign is believed to target cybersecurity researchers.

    OtherMalicious commitCompromised package
  3. containedcritical

    Malware in setup-cicd

    The npm package setup-cicd was found to contain malware, potentially giving outside entities full control of affected systems. Any computer with this package installed or running should be considered fully compromised.

    npmOtherCompromised package
  4. activecritical

    Mass npm Supply Chain Attack: 20 Leo Platform Packages Compromised

    On June 24, 2026, an attacker published malicious versions of 20 npm packages belonging to the Leo Platform ecosystem in a coordinated attack. All packages contained an identical CI/CD attack toolkit designed to steal secrets from GitHub Actions runners, cloud credential stores, package registries, and password managers, then exfiltrate them via the victim's GitHub token.

    npmOtherCompromised package