1) The fact
A Russian state-linked hacking group is distributing tampered versions of WebEx and Zoom installers to infect targets with Starland RAT (Remote Access Trojan). The campaign, identified by security researchers, uses fake download pages that precisely mimic the official websites of both videoconferencing platforms. The trojanized installers, once executed, deploy the legitimate software alongside the malware in the background, making detection difficult for victims who see the expected application running normally. Starland RAT provides complete remote access to the compromised device, including screen capture, keylogging, credential theft, and silent file exfiltration over encrypted channels.
2) Context
This is not the first time Russian actors have used legitimate applications as bait to distribute malware. The tactic of trojanizing installers — an indirect "supply chain watering hole" — has become increasingly common among Russian APT groups such as APT29 (Cozy Bear) and APT28 (Fancy Bear), both linked to Russian intelligence services. WebEx and Zoom were chosen for their widespread corporate adoption, especially after the COVID-19 pandemic when remote work consolidated these tools as standards in government and enterprise organizations worldwide. The choice is strategic: both platforms are used by defense, diplomacy, technology, and financial sectors — precisely the highest-value targets for Russian intelligence gathering.
3) Analysis
This campaign signals a significant tactical evolution in state-sponsored cyber warfare. Instead of exploiting zero-day vulnerabilities — which are expensive, short-lived, and increasingly difficult to obtain — Russian actors are investing heavily in targeted social engineering with tampered installers. This approach has lower cost and potentially higher success rates, as it exploits the weakest link in cybersecurity: the human factor. Victims are more likely to trust a download that looks identical to an official installer for a tool they already use daily. Starland RAT is particularly dangerous for its stealth capabilities: it maintains system persistence for extended periods and exfiltrates data slowly to avoid triggering alerts in EDR (Endpoint Detection and Response) solutions. For organizations that rely on WebEx and Zoom for sensitive communications, the risk extends beyond the malware itself — trust in the communication software supply chain is now called into question.
4) What to watch
- List of compromised organizations that researchers may release in coming weeks - Response from Cisco (WebEx owner) and Zoom Video Communications on download verification measures - Expansion of the campaign to other enterprise tools like Slack, Microsoft Teams, and Google Meet - Security advisories from CISA and NCSC on installer hash verification best practices
Source: BleepingComputer