Hackers Pose as Non-Profit Developers to Deploy Monero Mining Malware
REF1695 group deploys Monero mining malware via fake non-profit installers since late 2023.
Summary
Since late 2023, the REF1695 hacker group has been distributing cryptomining malware disguised as legitimate software from fake non-profits, using social engineering to bypass Windows SmartScreen. The malware toolkit includes CNB Bot, PureRAT, and SilentCryptoMiner, which provide remote access and hijack victim hardware to mine Monero and commit CPA fraud. The operation remains stealthy by detecting 35+ security tools and instantly halting mining processes when detected.
Full text
REF1695 hackers spread Monero mining malware via fake non-profit installers, using stealth tactics to evade detection and hijack systems for profit.

By Deeba Ahmed, April 7, 2026

Since at least late 2023, a group of hackers known as REF1695 has been running a quiet but highly profitable cryptomining operation by hiding malware inside fake software installers. According to Elastic Security Labs, which discovered the scam, these hackers aren't after a quick payday: their system is built to stay on your computer for months, hiding in plain sight while draining your processing power for their gain.

The Non-Profit Trap

The scam usually starts with a fake download, often an ISO file. To dodge security checks, the hackers include a ReadMe.txt file that uses social engineering. It claims the software comes from a small non-profit team of developers that can't afford official Windows certificates and is providing the software for free. It then walks the user through bypassing SmartScreen by clicking More Info and Run Anyway.

However, instead of the promised software, a series of loaders installs a malicious toolkit including CNB Bot, PureRAT, and SilentCryptoMiner. These tools give the hackers full remote access to your files, the ability to update their malicious code, and the power to hijack your computer's hardware for cryptocurrency mining.

Source: Elastic Security

A Game of Hide and Seek

What makes this attack clever is how hard it tries to stay invisible, the researchers explained in their blog post, noting that the malware constantly monitors the victim's system for 35 different security tools, from the basic Task Manager to professional software like Wireshark. If you open one of these, perhaps because your PC feels sluggish, the malware instantly kills the mining process. Your computer's performance returns to normal, leaving you with nothing to find.
Once you close the tool, the miner quietly restarts.

Turning Your PC Into a Cash Cow

The hackers monetize your hardware in two main ways. Through cryptojacking, they use a driver called WinRing0x64.sys to get deep access to your processor, allowing them to mine Monero (XMR) much faster. By extracting data from the malware and monitoring public mining dashboards, researchers found four specific wallets that have already collected over 27.88 Monero (roughly $9,400). Secondly, victims are tricked into CPA (Cost Per Action) fraud, where they must complete surveys or sign up for trials to unlock a registration key, earning the hackers a commission for every sign-up.

Staying Under the Radar

To stay hidden, the group hosts malicious files on trusted platforms like GitHub and uses RSA-2048 encryption to control their bots. This means that even if experts find the control panel, they can't easily shut it down. The best protection against this threat is to avoid unofficial installers and cracked software. If a download asks you to manually disable security features, it's almost certainly a trap.

Deeba Ahmed is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events.
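The hide-and-seek behaviour described above (miner stops seconds after a monitoring tool opens, restarts seconds after it closes) leaves a correlatable pattern in process telemetry. The following added example, which is not code from the article or from Elastic Security Labs, scans constructed process start/stop events and flags images that show that reaction repeatedly; the tool list, event format, process names and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tools the article says the miner watches for (a subset; the page does not
# list all 35). Process names here are assumptions for this example.
MONITOR_TOOLS = {"taskmgr.exe", "wireshark.exe", "procexp.exe", "procmon.exe"}

# Constructed process telemetry (timestamp, event, image); not real logs.
SAMPLE_EVENTS = [
    ("2026-04-01T10:00:00", "start", "svchost_update.exe"),
    ("2026-04-01T10:05:00", "start", "Taskmgr.exe"),
    ("2026-04-01T10:05:02", "stop",  "svchost_update.exe"),  # dies 2 s after Task Manager opens
    ("2026-04-01T10:06:00", "stop",  "Taskmgr.exe"),
    ("2026-04-01T10:06:05", "start", "svchost_update.exe"),  # restarts once it closes
    ("2026-04-01T10:30:00", "start", "Wireshark.exe"),
    ("2026-04-01T10:30:01", "stop",  "svchost_update.exe"),
    ("2026-04-01T10:40:00", "stop",  "Wireshark.exe"),
    ("2026-04-01T10:40:03", "start", "svchost_update.exe"),
    ("2026-04-01T11:00:00", "start", "notepad.exe"),
    ("2026-04-01T11:00:01", "stop",  "notepad.exe"),         # benign, must not be flagged
]

def _within(t, anchors, window):
    """True if some anchor time lies in the interval [t - window, t]."""
    return any(0 <= (t - a).total_seconds() <= window.total_seconds() for a in anchors)

def find_hide_and_seek(events, window=timedelta(seconds=5), min_cycles=2):
    """Return {image: (stops_after_tool_start, starts_after_tool_stop)} for each
    non-tool image that shows at least `min_cycles` of both reactions."""
    evs = sorted((datetime.fromisoformat(ts), ev, img.lower()) for ts, ev, img in events)
    tool_starts = [t for t, ev, img in evs if img in MONITOR_TOOLS and ev == "start"]
    tool_stops = [t for t, ev, img in evs if img in MONITOR_TOOLS and ev == "stop"]
    stops, starts = defaultdict(int), defaultdict(int)
    for t, ev, img in evs:
        if img in MONITOR_TOOLS:
            continue
        if ev == "stop" and _within(t, tool_starts, window):
            stops[img] += 1          # process vanished right after a monitor appeared
        elif ev == "start" and _within(t, tool_stops, window):
            starts[img] += 1         # process came back right after the monitor left
    return {img: (stops[img], starts[img]) for img in set(stops) | set(starts)
            if stops[img] >= min_cycles and starts[img] >= min_cycles}

if __name__ == "__main__":
    for img, (s, r) in find_hide_and_seek(SAMPLE_EVENTS).items():
        print(f"{img}: stopped {s}x after a monitor tool started, restarted {r}x after it closed")
```

On a real host the same logic runs over Sysmon or EDR process-creation and process-termination events; requiring both reactions keeps ordinary short-lived processes from being flagged.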
Indicators of Compromise
- malware — CNB Bot
- malware — PureRAT
- malware — SilentCryptoMiner
- malware — WinRing0x64.sys