- A financially motivated group, REF1695, uses fake software installers to deploy cryptocurrency miners and remote access trojans (RATs).
- The campaign deploys a previously undocumented loader called CNB Bot and abuses a legitimate, vulnerable Windows kernel driver to boost mining performance.
- Attackers have generated an estimated $9,392 in Monero (XMR) from these operations, according to tracked wallets.
- The operation also uses CPA fraud on fake registration pages and leverages GitHub as a trusted content delivery network to avoid detection.
A financially motivated operation, codenamed REF1695, has been leveraging fake software installers to deploy remote access trojans and cryptocurrency miners since November 2023, according to an analysis published this week. The attackers trick victims with ISO files that contain explicit instructions to disable Microsoft Defender SmartScreen protections.
Recent attacks deliver a previously undocumented .NET implant called CNB Bot. This loader configures broad antivirus exclusions and communicates with a command-and-control server via HTTP POST requests.
Meanwhile, other campaign iterations deploy known malware like PureRAT and PureMiner. They also use a bespoke .NET-based XMRig loader that fetches its configuration from a hard-coded URL.
The attacks also abuse “WinRing0x64.sys,” a legitimate but vulnerable Windows kernel driver, to gain kernel-level hardware access. The driver, which was bundled with XMRig miners starting in late 2019, modifies CPU settings to boost mining hash rates.
Another campaign variant leads to the deployment of SilentCryptoMiner. This payload disables system sleep modes, establishes persistence, and uses the same vulnerable driver to fine-tune the CPU for mining.
A watchdog process restores the malware and its persistence mechanisms if either is deleted. The operation has accrued approximately 27.88 XMR, worth roughly $9,392, across four monitored wallets.
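The behaviours described above (antivirus exclusions being written, the vulnerable WinRing0x64.sys driver being loaded, sleep being disabled, persistence being established) are all visible in ordinary endpoint telemetry. The following is an added example, written for this article and not code from Elastic's report or from the campaign, that scans Sysmon-style event lines for those behaviours. The log lines are constructed for the example; the file name updater.exe, the use of powercfg to disable sleep and of a scheduled task for persistence are assumptions, since the article does not say how those steps are carried out.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry in a simplified key=value form loosely modelled
# on Sysmon fields (EventID 6 = driver loaded, 13 = registry value set,
# 1 = process created). None of this is real data from the REF1695 report.
SAMPLE_EVENTS = [
    'EventID=6 ImageLoaded="C:\\Users\\victim\\AppData\\Local\\Temp\\WinRing0x64.sys"',
    'EventID=13 Image="C:\\Users\\victim\\AppData\\Roaming\\updater.exe" '
    'TargetObject="HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\" '
    'Details="DWORD (0x00000000)"',
    'EventID=1 Image="C:\\Windows\\System32\\powercfg.exe" '
    'CommandLine="powercfg /change standby-timeout-ac 0"',
    'EventID=1 Image="C:\\Windows\\System32\\schtasks.exe" '
    'CommandLine="schtasks /create /sc minute /mo 5 /tn Updater '
    '/tr C:\\Users\\victim\\AppData\\Roaming\\updater.exe"',
    'EventID=1 Image="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe notes.txt"',
]

# Only the driver named in the article; in practice extend this set from a
# curated vulnerable-driver list such as loldrivers.io.
VULNERABLE_DRIVERS = {"winring0x64.sys"}

# Registry location where Microsoft Defender stores path/process exclusions.
DEFENDER_EXCLUSION_KEY = "\\windows defender\\exclusions\\"
DRIVE_ROOT = re.compile(r"^[a-z]:\\?$")
# powercfg invocation that sets a standby/hibernate timeout to 0 (assumed technique).
SLEEP_OFF = re.compile(r"(standby|hibernate)-timeout-(ac|dc)\s+0\b", re.I)

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line):
    """Parse a key=value line (values may be double-quoted) into a dict."""
    event = {}
    for m in FIELD_RE.finditer(line):
        event[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return event


def classify(event):
    """Return a list of finding labels for one parsed event (empty if benign)."""
    findings = []
    eid = event.get("EventID")
    if eid == "6":
        driver = PureWindowsPath(event.get("ImageLoaded", "")).name.lower()
        if driver in VULNERABLE_DRIVERS:
            findings.append("vulnerable_driver_load")
    elif eid == "13":
        target = event.get("TargetObject", "")
        low = target.lower()
        if DEFENDER_EXCLUSION_KEY in low:
            findings.append("defender_exclusion_added")
            # Text after the key looks like "Paths\C:\"; the value name is the excluded path.
            rest = target[low.index(DEFENDER_EXCLUSION_KEY) + len(DEFENDER_EXCLUSION_KEY):]
            _, _, value_name = rest.partition("\\")
            if DRIVE_ROOT.match(value_name.lower()):
                findings.append("broad_exclusion_drive_root")
    elif eid == "1":
        image = PureWindowsPath(event.get("Image", "")).name.lower()
        cmd = event.get("CommandLine", "")
        if image == "powercfg.exe" and SLEEP_OFF.search(cmd):
            findings.append("sleep_disabled")
        if image == "schtasks.exe" and "/create" in cmd.lower():
            findings.append("scheduled_task_created")
    return findings


def scan(lines):
    """Scan event lines; return (EventID, findings) for every flagged event."""
    results = []
    for line in lines:
        event = parse_event(line)
        findings = classify(event)
        if findings:
            results.append((event.get("EventID"), findings))
    return results


def matches_miner_pattern(results):
    """True when a vulnerable driver load coincides with defence evasion or sleep tampering."""
    seen = {label for _, labels in results for label in labels}
    return "vulnerable_driver_load" in seen and bool(
        seen & {"defender_exclusion_added", "sleep_disabled"})


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for eid, labels in hits:
        print(f"EventID {eid}: {', '.join(labels)}")
    print("miner-like activity:", matches_miner_pattern(hits))
```

Each finding on its own is low confidence (administrators create exclusions and scheduled tasks legitimately), which is why the final check only fires when the vulnerable driver load coincides with one of the other behaviours on the same host.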
Elastic researchers noted the threat actors also “abuse GitHub as a payload delivery CDN, hosting staged binaries across two identified accounts.” This technique shifts the download step to a trusted platform, reducing detection risk.
Beyond cryptomining, the group monetizes infections through Cost Per Action (CPA) fraud. Victims are directed to content locker pages under the guise of software registration.
