Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners
REF1695 operation deploys RATs and crypto miners via ISO file lures since November 2023.
Summary
Researchers at Elastic Security Labs have documented REF1695, a financially motivated threat group that has been operating since November 2023, distributing remote access trojans (RATs) and cryptocurrency miners through fake ISO installers. The campaign leverages social engineering to bypass Microsoft Defender SmartScreen, deploys the previously undocumented CNB Bot implant, and abuses legitimate Windows kernel drivers (WinRing0x64.sys, Winring0.sys) to optimize CPU settings for mining. The operation has generated approximately 27.88 XMR ($9,392) across tracked wallets and abuses GitHub as a payload delivery CDN to reduce detection friction.
Full text
Ravie Lakshmanan, Apr 02, 2026. Cryptomining / Malware

A financially motivated operation codenamed REF1695 has been observed leveraging fake installers to deploy remote access trojans (RATs) and cryptocurrency miners since November 2023. "Beyond cryptomining, the threat actor monetizes infections through CPA (Cost Per Action) fraud, directing victims to content locker pages under the guise of software registration," Elastic Security Labs researchers Jia Yu Chan, Cyril François, and Remco Sprooten said in an analysis published this week.

Recent iterations of the campaign have also been found to deliver a previously undocumented .NET implant codenamed CNB Bot.

These attacks use an ISO file as the infection vector. The ISO delivers a .NET Reactor-protected loader together with a text file that explicitly instructs the user to bypass Microsoft Defender SmartScreen's protection against running unrecognized applications by clicking "More info" and then "Run anyway."

The loader invokes PowerShell, which configures broad Microsoft Defender Antivirus exclusions to fly under the radar and launches CNB Bot in the background. At the same time, the user is shown an error message: "Unable to launch the application. Your system may not meet the required specifications. Please contact support."

CNB Bot functions as a loader that can download and execute additional payloads, update itself, and uninstall itself, performing cleanup actions to cover its tracks. It communicates with a command-and-control (C2) server using HTTP POST requests.

Other campaigns mounted by the threat actor have used similar ISO lures to deploy PureRAT, PureMiner, and a bespoke .NET-based XMRig loader; the latter reaches out to a hard-coded URL to retrieve the mining configuration and launch the miner payload.
As recently observed in the FAUX#ELEVATE campaign, "WinRing0x64.sys," a legitimate, signed, and vulnerable Windows kernel driver, is abused to obtain kernel-level hardware access and modify CPU settings to boost hash rates. The driver has been used in many cryptojacking campaigns over the years; support for it was added to XMRig miners in December 2019.

Elastic said it also identified another campaign that leads to the deployment of SilentCryptoMiner. Besides using direct system calls to evade detection, the miner disables Windows Sleep and Hibernate modes, sets up persistence via a scheduled task, and uses the "Winring0.sys" driver to fine-tune the CPU for mining. Another notable component of the attack is a watchdog process that restores the malicious artifacts and persistence mechanisms if they are deleted.

The campaign is estimated to have accrued 27.88 XMR ($9,392) across four tracked wallets, indicating that the operation yields consistent financial returns for the attacker.

"Beyond the C2 infrastructure, the threat actor abuses GitHub as a payload delivery CDN, hosting staged binaries across two identified accounts," Elastic said. "This technique shifts the download-and-execute step away from operator-controlled infrastructure to a trusted platform, reducing detection friction."
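Two of the behaviours described above are well suited to endpoint telemetry hunting: the PowerShell stage that adds broad Defender exclusions, and the load of the WinRing0 driver. The following Python triage is an added example, not code from the article or from Elastic; the event shapes (stand-ins for PowerShell 4104 script-block and Sysmon driver-load records), the hostnames and paths, and the "broad exclusion" heuristic are all constructed assumptions.

```python
import re

# Driver file names the article says the miners load to tune the CPU.
ABUSED_DRIVERS = {"winring0x64.sys", "winring0.sys"}

# Assumed heuristic (not an Elastic rule): a path exclusion covering a whole
# drive or a top-level system folder is "broad".
BROAD_PATH_RE = re.compile(r"^[a-z]:\\?(?:(?:users|programdata|windows|temp)\\?)?$", re.I)
# Process exclusions for generic hosts let any file they touch go unscanned.
BROAD_PROCESSES = {"powershell.exe", "pwsh.exe", "cmd.exe", "explorer.exe"}

# -ExclusionPath / -ExclusionExtension / -ExclusionProcess with a quoted or bare value.
EXCLUSION_RE = re.compile(
    r"-Exclusion(Path|Extension|Process)\s+(?:'([^']*)'|\"([^\"]*)\"|(\S+))", re.I)

# Constructed sample events: two script blocks and two driver loads.
SAMPLE_EVENTS = [
    {"type": "ps_scriptblock", "host": "ws01",
     "text": "Add-MpPreference -ExclusionPath 'C:\\' -ExclusionExtension '.exe' "
             "-ExclusionProcess 'powershell.exe'"},
    {"type": "ps_scriptblock", "host": "ws01",
     "text": "Add-MpPreference -ExclusionPath 'C:\\Program Files\\Vendor\\App'"},
    {"type": "driver_load", "host": "ws01", "image": "C:\\Users\\Public\\Libs\\WinRing0x64.sys"},
    {"type": "driver_load", "host": "ws02", "image": "C:\\Windows\\System32\\drivers\\ndis.sys"},
]


def is_broad_exclusion(kind, value):
    """True when a Defender exclusion is wide enough to hide an arbitrary payload."""
    kind, value = kind.lower(), value.strip()
    if kind == "path":
        return bool(BROAD_PATH_RE.match(value))
    if kind == "extension":
        return True  # every file with that extension is skipped, wherever it lives
    return value.lower() in BROAD_PROCESSES


def triage_events(events):
    """Return (host, finding, detail) tuples for the two REF1695 behaviours."""
    findings = []
    for ev in events:
        if ev["type"] == "ps_scriptblock" and "add-mppreference" in ev["text"].lower():
            for m in EXCLUSION_RE.finditer(ev["text"]):
                kind = m.group(1)
                value = next(g for g in m.groups()[1:] if g is not None)
                if is_broad_exclusion(kind, value):
                    findings.append((ev["host"], "broad_defender_exclusion", f"{kind}={value}"))
        elif ev["type"] == "driver_load":
            # WinRing0 also ships with legitimate hardware-monitoring tools, so the
            # load path carried in the detail is what the analyst uses to judge the alert.
            if ev["image"].rsplit("\\", 1)[-1].lower() in ABUSED_DRIVERS:
                findings.append((ev["host"], "winring0_driver_load", ev["image"]))
    return findings
```

Running `triage_events(SAMPLE_EVENTS)` flags the three exclusions from the first script block and the driver load from a user-writable folder, while the vendor-specific path exclusion and the stock network driver pass.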
Indicators of Compromise
- malware — CNB Bot
- malware — PureRAT
- malware — PureMiner
- malware — SilentCryptoMiner
- malware — XMRig loader