Executive Summary
In November 2023, a financially motivated threat actor, codenamed REF1695, initiated a campaign leveraging fake software installers to deploy remote access trojans (RATs) and cryptocurrency miners. The attackers utilized ISO files containing a .NET Reactor-protected loader and instructions guiding users to bypass Microsoft Defender SmartScreen protections. This method facilitated the installation of a previously undocumented .NET implant known as CNB Bot, enabling unauthorized access and resource exploitation on compromised systems. Beyond cryptomining, REF1695 monetized infections through Cost Per Action (CPA) fraud, directing victims to content locker pages under the guise of software registration. This multifaceted approach not only compromised system integrity but also led to financial losses for affected organizations. The incident underscores the evolving tactics of cybercriminals who combine traditional malware deployment with social engineering techniques to maximize their illicit gains. Organizations are urged to enhance their cybersecurity measures, including user education on recognizing phishing attempts and the importance of verifying software sources, to mitigate such threats.
Why This Matters Now
The REF1695 campaign highlights the increasing sophistication of cyber threats that blend malware deployment with social engineering tactics. As attackers continue to refine their methods, organizations must stay vigilant and adopt comprehensive security strategies to protect against such multifaceted attacks.
Attack Path Analysis
The REF1695 operation began with fake software installers delivered as ISO files. Each image carried a .NET Reactor-protected loader together with instructions telling the user to click through Microsoft Defender SmartScreen warnings, so the first security control was defeated by the victim rather than by the malware. Once run, the loader installed the CNB Bot implant, which deployed remote access trojans (RATs) and cryptocurrency miners and established the command and control channels the operators used to manage infected systems. The RATs gave the attackers interactive access to the host, a base for privilege escalation and lateral movement where the environment allowed it, and a way to push additional payloads. The primary objective was to mine cryptocurrency on the victims' hardware, supplemented by CPA fraud through content locker pages, so the financial impact stems mainly from unauthorized resource consumption and fraud rather than from a single destructive event.
Kill Chain Progression
Initial Compromise
Description
Attackers distributed fake software installers as ISO files that, once mounted and executed by the user, ran a protected loader that deployed remote access trojans (RATs) and cryptocurrency miners.
MITRE ATT&CK® Techniques
T1566.001 – Phishing: Spearphishing Attachment
T1204.002 – User Execution: Malicious File
T1036 – Masquerading
T1496.001 – Resource Hijacking: Compute Hijacking
T1070 – Indicator Removal
T1053.005 – Scheduled Task/Job: Scheduled Task
T1078 – Valid Accounts
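The chain above (execution from a mounted ISO, scheduled-task persistence, then miner or C2 egress from the dropped binary) is what a detection engineer would correlate per host rather than alert on one stage at a time. The following Python is an added example, not code from Elastic Security Labs, The Hacker News or the page's vendor, and it runs over constructed telemetry embedded in the block. The event shapes, the stratum-port heuristic, the trusted and user-writable directory lists and the egress allowlist are assumptions for illustration, not campaign indicators.

```python
"""Hunt for the REF1695-style chain (ISO-borne loader -> scheduled-task persistence
-> miner/C2 egress) over constructed Windows endpoint telemetry."""
import ipaddress
import re
from collections import defaultdict

# Assumption: directories a dropper uses for its payload but a properly installed
# service binary almost never does. Tune to your estate.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\programdata", r"\users\public")
# Assumption: directories whose binaries we treat as trusted for the egress check.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")
# Assumption: ports commonly used by stratum mining pools. A heuristic, not an IOC.
MINER_PORTS = {3333, 4444, 5555, 7777, 14444, 14433}
# Assumption: RFC 1918 space is "internal"; anything else counts as egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _norm(path):
    return path.lower()


def exec_from_mounted_iso(ev, iso_drives):
    """Stage 1: process image sits on a drive letter currently backed by an .iso."""
    return ev["event"] == "process" and _norm(ev["image"])[:2] in iso_drives


def schtasks_to_user_path(ev):
    """Stage 2: schtasks /create whose /tr action lives in a user-writable directory."""
    if ev["event"] != "process" or not _norm(ev["image"]).endswith("\\schtasks.exe"):
        return False
    cmd = _norm(ev["cmdline"])
    match = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmd)
    if "/create" not in cmd or not match:
        return False
    action = match.group(1) or match.group(2)
    return any(d in action for d in USER_WRITABLE)


def suspicious_egress(ev, egress_allow):
    """Stage 3: an untrusted binary talks outbound to a non-allowlisted host or a pool port."""
    if ev["event"] != "network":
        return False
    dst = ipaddress.ip_address(ev["dst_ip"])
    if any(dst in net for net in INTERNAL_NETS):
        return False
    untrusted_image = not _norm(ev["image"]).startswith(TRUSTED_DIRS)
    return untrusted_image and (ev["dst_port"] in MINER_PORTS or ev["dst_ip"] not in egress_allow)


def hunt(events, egress_allow=frozenset(), min_stages=2):
    """Return {host: [stages]} for hosts that hit at least min_stages stages of the chain.

    Requiring two stages keeps a user who merely mounts an ISO, or one odd outbound
    connection, from paging the on-call engineer on its own."""
    iso_drives = defaultdict(set)  # host -> drive letters currently backed by an .iso
    for ev in events:
        if ev["event"] == "mount" and _norm(ev["image_path"]).endswith(".iso"):
            iso_drives[ev["host"]].add(_norm(ev["drive"]))
    hits = defaultdict(set)
    for ev in events:
        host = ev["host"]
        if exec_from_mounted_iso(ev, iso_drives[host]):
            hits[host].add("iso_exec")
        if schtasks_to_user_path(ev):
            hits[host].add("schtasks_persist")
        if suspicious_egress(ev, egress_allow):
            hits[host].add("miner_or_c2_egress")
    return {h: sorted(s) for h, s in hits.items() if len(s) >= min_stages}


# Constructed sample telemetry, not real campaign data: a volume-mount record plus
# Sysmon-style process-creation and network-connection records for three hosts.
EGRESS_ALLOW = frozenset({"203.0.113.50"})  # assumption: the org's approved update CDN
SAMPLE_EVENTS = [
    # ws01: the full chain
    {"host": "ws01", "event": "mount", "drive": "E:", "image_path": r"C:\Users\u\Downloads\App_Setup_v2.iso"},
    {"host": "ws01", "event": "process", "image": r"E:\Setup.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"E:\Setup.exe"},
    {"host": "ws01", "event": "process", "image": r"C:\Windows\System32\schtasks.exe", "parent": r"E:\Setup.exe",
     "cmdline": r'schtasks /create /tn "Updater" /tr "C:\Users\u\AppData\Roaming\svc.exe" /sc onlogon'},
    {"host": "ws01", "event": "network", "image": r"C:\Users\u\AppData\Roaming\svc.exe",
     "dst_ip": "203.0.113.10", "dst_port": 3333},
    # ws02: a legitimate vendor updater reaching an approved CDN
    {"host": "ws02", "event": "process", "image": r"C:\Program Files\Vendor\app.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r"C:\Program Files\Vendor\app.exe --update"},
    {"host": "ws02", "event": "network", "image": r"C:\Program Files\Vendor\app.exe",
     "dst_ip": "203.0.113.50", "dst_port": 443},
    # ws03: someone mounted an ISO and ran a tool from it, nothing else
    {"host": "ws03", "event": "mount", "drive": "D:", "image_path": r"C:\ISOs\tools.iso"},
    {"host": "ws03", "event": "process", "image": r"D:\tool.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"D:\tool.exe"},
]

if __name__ == "__main__":
    for host, stages in hunt(SAMPLE_EVENTS, EGRESS_ALLOW).items():
        print(host, "->", ", ".join(stages))
```

Only ws01 is reported: ws02 is a trusted binary talking to an allowlisted host, and ws03 trips a single stage, which is exactly the noise the two-stage threshold is meant to absorb. In production the "mount" record maps to whatever your EDR emits for virtual DVD volumes, the /tr parse should be extended to cover PowerShell's Register-ScheduledTask, and, because the lure instructions had the user click through SmartScreen, a binary launched from the mounted image without Mark-of-the-Web is a further signal worth joining to the mount event.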
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 2.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the campaign, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
High risk from fake installer campaigns targeting software developers. RAT deployment threatens intellectual property theft and cryptocurrency mining compromises development infrastructure.
Financial Services
Critical exposure to financially motivated REF1695 operation. Remote access trojans enable credential theft while crypto miners consume resources affecting transaction processing systems.
Information Technology/IT
Primary target for ISO lure attacks exploiting software distribution channels. East-west traffic security and egress controls essential to prevent lateral RAT movement.
Computer Games
Vulnerable to fake game installer distribution via CPA fraud schemes. Crypto mining operations significantly impact gaming performance and user experience quality.
Sources
- Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners (The Hacker News): https://thehackernews.com/2026/04/researchers-uncover-mining-operation.html
- Analysis of REF1695 Campaign (Elastic Security Labs): https://www.elastic.co/security-labs/analysis-of-ref1695-campaign
- FAUX#ELEVATE: Cryptojacking Campaign Abuses Vulnerable Drivers (Sophos): https://www.sophos.com/en-us/press-releases/2025/12/faux-elevate-cryptojacking-campaign-abuses-vulnerable-drivers
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF may have constrained the initial payload's ability to communicate with external command and control servers, thereby limiting the attacker's control over the compromised system.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation could have limited the attacker's ability to escalate privileges by enforcing strict access controls between workloads, thereby reducing the scope of accessible resources.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security would likely have constrained the attacker's lateral movement by monitoring and controlling internal traffic flows, thereby reducing the spread of the attack.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control may have limited the attacker's ability to establish and maintain command and control channels by providing comprehensive monitoring and control over network traffic across cloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement could have constrained data exfiltration attempts by monitoring and controlling outbound traffic, thereby reducing the risk of data loss.
The financial impact of unauthorized cryptomining could have been reduced by limiting the attacker's ability to deploy and manage mining operations through enforced segmentation and controlled egress.
Impact at a Glance
Affected Business Functions
- IT Operations
- Financial Transactions
- Customer Support
Estimated downtime: 3 days
Estimated loss: $10,000
Potential exposure of system configurations and user credentials due to RAT deployment.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict lateral movement and limit the spread of malware within the network.
- Deploy East-West Traffic Security controls to monitor and control internal traffic, detecting unauthorized communications between workloads.
- Utilize Egress Security & Policy Enforcement to prevent unauthorized outbound connections, blocking command and control communications.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to unusual activities indicative of cryptomining or other malicious behaviors.
- Ensure comprehensive Multicloud Visibility & Control to maintain oversight across all cloud environments, enabling prompt detection and mitigation of threats.