Researchers track fake installer campaign tied to cryptominers and RATs

A financially motivated operation tracked as REF1695 has used fake installers to spread remote access trojans and cryptocurrency miners since November 2023, with one campaign estimate putting the haul at 27.88 XMR, or about $9,392, across four wallets, according to a technical analysis from Elastic Security Labs.

KEY FACTS

  • Initial lure: ISO files carried loaders and text files that told users to click “More info” and “Run anyway.”
  • New payload: Recent activity delivered a previously undocumented .NET implant called CNB Bot.
  • Mining tools: Other campaigns used PureRAT, PureMiner and a custom .NET-based XMRig loader.
  • Evasion: The activity used Defender exclusions, a vulnerable driver and watchdog processes to restore deleted files.
  • Infrastructure: GitHub was used to host staged binaries across two accounts.

The report said the loader launches PowerShell to configure broad Microsoft Defender Antivirus exclusions and then starts CNB Bot in the background while showing an error message to the user. CNB Bot can download and execute additional payloads, update itself, uninstall itself and perform cleanup, and it communicates with a command-and-control server over HTTP POST requests.

Elastic also said the threat actor has reused similar ISO-based lures to distribute other malware families, including PureRAT and PureMiner. In another campaign, a bespoke .NET XMRig loader retrieved mining configuration from a hard-coded URL before launching the miner.

One miner linked to the activity used the signed Windows kernel driver WinRing0x64.sys to obtain kernel-level access and adjust CPU settings for higher hash rates. A separate campaign deploying SilentCryptoMiner also disabled sleep and hibernate modes, set persistence with a scheduled task and used a watchdog process to restore malicious files and settings if they were removed.
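The behaviours in the two paragraphs above (Defender exclusions set from PowerShell, the WinRing0x64.sys driver load, sleep/hibernate tampering with powercfg, and scheduled-task persistence) map onto a handful of host detections. The triage below is an added example, not Elastic's code and not part of the report: it runs over constructed Sysmon-style event records and reports which of those behaviours fired. The event shape (event 1 = process create, event 6 = driver load, with `image`, `cmdline` and `image_loaded` keys), the "broad exclusion" heuristic, and every sample path and task name are assumptions made for this example.

```python
"""Triage for the fake-installer chain behaviours described in the report:
broad Defender exclusions, WinRing0x64.sys loading, powercfg tampering and
scheduled-task persistence.  Added example; event records are constructed
samples in a simplified Sysmon-like dict shape (assumption, see lead-in)."""
import ntpath
import re
from dataclasses import dataclass

# Driver named in the report: legitimately signed, but abused to reach ring 0.
SUSPICIOUS_DRIVERS = {"winring0x64.sys"}

# Heuristic (assumption for this example): exclusions this wide blind Defender
# to nearly everything a user or dropper can write.
BROAD_PATH = re.compile(
    r"^(?:[a-z]:\\?|c:\\users\\?(?:[^\\]+\\?)?|c:\\windows\\?|c:\\programdata\\?"
    r"|%(?:systemdrive|userprofile|appdata|localappdata|temp|tmp|programdata)%\\?)$",
    re.IGNORECASE,
)
BROAD_EXT = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js"}

# -ExclusionPath 'a', "b", c  (quoted or bare values, comma separated)
_VALUE = r"(?:'[^']*'|\"[^\"]*\"|[^\s,'\"]+)"
EXCLUSION_ARG = re.compile(
    rf"-Exclusion(Path|Extension|Process)\s+({_VALUE}(?:\s*,\s*{_VALUE})*)",
    re.IGNORECASE,
)
USER_WRITABLE = re.compile(r"(?:\\users\\|\\programdata\\|\\temp\\|%appdata%|%temp%)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str


def parse_exclusions(cmdline: str) -> dict[str, list[str]]:
    """Return {kind: [values]} for every -Exclusion* argument on a command line."""
    out: dict[str, list[str]] = {}
    for kind, raw in EXCLUSION_ARG.findall(cmdline):
        values = [v.strip().strip("'\"") for v in re.split(r"\s*,\s*", raw)]
        out.setdefault(kind.lower(), []).extend(v for v in values if v)
    return out


def check_process(ev: dict) -> list[Finding]:
    """Rules for process-create events (Defender exclusions, powercfg, schtasks)."""
    image = ntpath.basename(ev.get("image", "")).lower()
    cmd = ev.get("cmdline", "")
    low = cmd.lower()
    findings: list[Finding] = []

    if re.search(r"\b(add|set)-mppreference\b", low):
        excl = parse_exclusions(cmd)
        broad = [p for p in excl.get("path", []) if BROAD_PATH.match(p)]
        broad += [e for e in excl.get("extension", []) if e.lower() in BROAD_EXT]
        if excl:
            sev = "high" if broad else "medium"  # an admin excluding one folder is not the same signal
            findings.append(Finding("defender_exclusion_added", sev, f"exclusions={excl} broad={broad}"))

    # Report: miner disabled sleep and hibernate so the host keeps hashing.
    if image == "powercfg.exe" and re.search(
        r"(hibernate\s+off|(standby|monitor)-timeout-(ac|dc)\s+0)", low
    ):
        findings.append(Finding("power_settings_tamper", "medium", cmd))

    # Report: persistence via scheduled task; flag tasks launching from user-writable paths.
    if image == "schtasks.exe" and "/create" in low:
        m = re.search(r"/tr\s+(\"[^\"]+\"|'[^']+'|\S+)", cmd, re.IGNORECASE)
        target = m.group(1).strip("'\"") if m else ""
        if USER_WRITABLE.search(target):
            findings.append(Finding("scheduled_task_persistence", "medium", target))
    return findings


def check_driver_load(ev: dict) -> list[Finding]:
    """Rule for driver-load events: the signed-but-abusable driver from the report."""
    name = ntpath.basename(ev.get("image_loaded", "")).lower()
    if name in SUSPICIOUS_DRIVERS:
        return [Finding("vulnerable_driver_load", "high", ev["image_loaded"])]
    return []


def triage(events: list[dict]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in events:
        if ev.get("event") == 1:
            findings.extend(check_process(ev))
        elif ev.get("event") == 6:
            findings.extend(check_driver_load(ev))
    return findings


def chain_score(findings: list[Finding]) -> int:
    """Distinct rules fired on one host; three or more looks like the installer
    chain rather than a one-off administrative exclusion."""
    return len({f.rule for f in findings})


# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    {"event": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''powershell.exe -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\', 'C:\Users\Public' -ExclusionExtension '.exe', '.dll'"'''},
    {"event": 1, "image": r"C:\Windows\System32\powercfg.exe", "cmdline": "powercfg.exe /hibernate off"},
    {"event": 1, "image": r"C:\Windows\System32\powercfg.exe", "cmdline": "powercfg.exe /change standby-timeout-ac 0"},
    {"event": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Updater" /sc onlogon /tr "C:\ProgramData\svc\watchdog.exe"'},
    {"event": 6, "image_loaded": r"C:\ProgramData\svc\WinRing0x64.sys"},
    # Benign-looking admin exclusion of a single build directory: medium, not broad.
    {"event": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''powershell.exe -Command "Add-MpPreference -ExclusionPath 'C:\Users\dev\src\build'"'''},
]

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for h in hits:
        print(f"[{h.severity:6}] {h.rule}: {h.detail}")
    print("distinct rules fired:", chain_score(hits))
```

The point of `chain_score` is that none of these events is conclusive alone (administrators add exclusions and change power plans), but the report's chain fires several rules on the same host in a short window, and the broad-versus-narrow split on exclusions separates the installer lure from a developer excluding one directory. The watchdog that restores deleted files is not detectable from a single event; it shows up as the same file being recreated after removal, which needs file-create telemetry correlated over time.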

WHY IT MATTERS

The activity shows how threat actors can combine fake installers, trusted platforms and legitimate drivers to hide mining and malware operations. The reuse of recovery mechanisms and persistence tools also suggests the campaigns are designed to survive cleanup attempts and keep generating revenue.