{"id":473,"date":"2026-04-02T12:34:34","date_gmt":"2026-04-02T12:34:34","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=473"},"modified":"2026-04-02T12:34:34","modified_gmt":"2026-04-02T12:34:34","slug":"researchers-uncover-mining-operation-using-iso-lures-to-spread-rats-and-crypto-miners","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=473","title":{"rendered":"Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">Apr 02, 2026<\/span><\/span><span class=\"p-tags\">Cryptomining \/ Malware<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<p>A financially motivated operation codenamed <strong>REF1695<\/strong> has been observed leveraging fake installers to deploy remote access trojans (RATs) and cryptocurrency miners since November 2023.<\/p>\n<p>\u00abBeyond cryptomining, the threat actor monetizes infections through CPA (Cost Per Action) fraud, directing victims to content locker pages under the guise of software registration,\u00bb Elastic Security Labs researchers Jia Yu Chan, Cyril Fran\u00e7ois, and Remco Sprooten <a href=\"https:\/\/www.elastic.co\/security-labs\/fake-installers-to-monero\">said<\/a> in an analysis published this week.<\/p>\n<p>Recent iterations of the campaign have also been found to 
deliver a previously undocumented .NET implant codenamed CNB Bot. These attacks use an ISO file as the infection vector to deliver a .NET Reactor-protected loader together with a text file that instructs the user to bypass the Microsoft Defender SmartScreen warning for unrecognized applications by clicking \u00abMore info\u00bb and then \u00abRun anyway.\u00bb<\/p>\n<p>The loader invokes PowerShell, which configures broad Microsoft Defender Antivirus exclusions so the payload flies under the radar and then launches CNB Bot in the background. At the same time, the user is shown an error message: \u00abUnable to launch the application. Your system may not meet the required specifications. Please contact support.\u00bb<\/p>\n<p>CNB Bot functions as a loader with capabilities to download and execute additional payloads, update itself, and uninstall itself and perform cleanup actions to cover up its tracks. 
It communicates with a command-and-control (C2) server using HTTP POST requests.<\/p>\n<p>Other campaigns mounted by the threat actor have used similar ISO lures to deploy PureRAT, PureMiner, and a bespoke .NET-based XMRig loader, the last of which reaches out to a hard-coded URL to fetch the mining configuration and then launches the miner payload.<\/p>\n<p>As recently observed in the FAUX#ELEVATE campaign, \u00abWinRing0x64.sys,\u00bb a legitimate, signed, but vulnerable Windows kernel driver, is abused to obtain kernel-level hardware access and modify CPU settings (model-specific registers) to boost the hash rate. The <a href=\"https:\/\/www.sophos.com\/en-us\/blog\/mrbminer-cryptojacking-to-bypass-international-sanctions\">use of the driver<\/a> has been <a href=\"https:\/\/www.morphisec.com\/blog\/proxyshellminer-campaign\/\">observed<\/a> in many <a href=\"https:\/\/www.trellix.com\/blogs\/research\/technical-deep-dive-the-monero-mining-campaign\/\">cryptojacking campaigns<\/a> over the years. 
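<p>The loader's Defender exclusions, the WinRing0 driver and the scheduled-task persistence described above all leave host-side traces that a responder can check for. The following triage script is an added example written for this page; it is not Elastic's code and nothing in it was recovered from the campaign. It assumes an elevated Windows PowerShell 5.1 (or later) session on the host under investigation, and the heuristics it applies (which exclusion roots count as broad, which task commands are worth a look) are the editor's assumptions rather than indicators taken from the report.<\/p>

```powershell
# Added triage example for the REF1695-style tradecraft described above.
# Not Elastic's code and not recovered from the campaign; the heuristics
# (which roots count as broad exclusions, which task commands look odd)
# are this editor's assumptions. Run from an elevated PowerShell session.

function Get-SuspiciousDefenderExclusions {
    # A path exclusion that equals a drive root, a user-writable root, or
    # contains a wildcard blinds Defender for whatever gets dropped there.
    $pref  = Get-MpPreference
    $roots = @($env:SystemDrive, $env:ProgramData, $env:PUBLIC, $env:TEMP, $env:USERPROFILE)
    $hits  = @()
    foreach ($p in @($pref.ExclusionPath)) {
        if (-not $p) { continue }
        $trim  = $p.TrimEnd([char]92)            # strip a trailing backslash
        $broad = ($trim.Length -le 2) -or $p.Contains('*')
        foreach ($r in $roots) {
            if ($r -and ($trim -ieq $r.TrimEnd([char]92))) { $broad = $true }
        }
        if ($broad) { $hits += [pscustomobject]@{ Kind = 'Path'; Value = $p } }
    }
    foreach ($e in @($pref.ExclusionExtension)) {
        # Excluding executable types or '*' is never a legitimate tuning step.
        if ($e -in @('exe', 'dll', 'ps1', 'bat', 'cmd', 'iso', '*')) {
            $hits += [pscustomobject]@{ Kind = 'Extension'; Value = $e }
        }
    }
    foreach ($proc in @($pref.ExclusionProcess)) {
        # Process exclusions also exempt every file the process touches.
        if ($proc) { $hits += [pscustomobject]@{ Kind = 'Process'; Value = $proc } }
    }
    $hits
}

function Get-DefenderExclusionChanges {
    # Defender records every configuration change as Event ID 5007; exclusion
    # edits name the registry value that was written, so the loader's
    # PowerShell leaves a timestamped record here even if it cleans up later.
    param([int]$Days = 30)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*Exclusions*' } |
        Select-Object TimeCreated, @{ n = 'Change'; e = {
            ($_.Message -split [char]10 | Where-Object { $_ -like '*New value*' }) -join ' ' } }
}

function Get-WinRing0Artifacts {
    # WinRing0 is signed but vulnerable, and legitimate hardware-monitoring
    # tools ship it too, so a hit is a lead to corroborate, not a verdict.
    $services = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.Name -like '*winring0*' -or $_.PathName -like '*winring0*' }
    $dirs  = @($env:SystemRoot, $env:ProgramData, $env:TEMP, $env:USERPROFILE, $env:PUBLIC)
    $files = foreach ($d in $dirs) {
        if ($d) { Get-ChildItem -Path $d -Recurse -Force -Filter 'WinRing0*.sys' -ErrorAction SilentlyContinue }
    }
    [pscustomobject]@{
        Services = @($services | Select-Object Name, State, PathName)
        Files    = @($files | ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FullName
                SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Signer = (Get-AuthenticodeSignature -FilePath $_.FullName).SignerCertificate.Subject
            } })
    }
}

function Get-SuspiciousScheduledTasks {
    # Miners disable sleep and hibernate with powercfg and persist through a
    # task whose action lives under a user-writable directory; both patterns
    # are rare in legitimate tasks and cheap to eyeball.
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            $cmd = ('{0} {1}' -f $a.Execute, $a.Arguments).Trim()
            if ($cmd -like '*powercfg*' -or $cmd -like '*ProgramData*' -or
                $cmd -like '*AppData*'  -or $cmd -like '*Temp*' -or $cmd -like '*Public*') {
                [pscustomobject]@{ Task = $task.TaskName; Path = $task.TaskPath; Author = $task.Author; Command = $cmd }
            }
        }
    }
}

'== Broad Defender exclusions =='
Get-SuspiciousDefenderExclusions | Format-Table -AutoSize
'== Exclusion changes (Event ID 5007, last 30 days) =='
Get-DefenderExclusionChanges | Format-Table -AutoSize -Wrap
'== WinRing0 driver artefacts =='
Get-WinRing0Artifacts | Format-List
'== Scheduled tasks worth a look =='
Get-SuspiciousScheduledTasks | Format-Table -AutoSize -Wrap
```

<p>Run it before any remediation and keep the output: a wide path exclusion, a 5007 event and a WinRing0 file appearing under a user-writable directory within the same few minutes is the whole chain on one screen. Because the campaign includes a watchdog that restores deleted artifacts, expect the files and tasks to come back if you remove them without first stopping every process involved.<\/p>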
Support for the driver was <a href=\"https:\/\/github.com\/xmrig\/xmrig\/blob\/master\/bin\/WinRing0\/WinRing0x64.sys\">added to XMRig<\/a> in December 2019.<\/p>\n<p>Elastic said it also identified another campaign that leads to the deployment of SilentCryptoMiner. Besides using direct system calls to evade detection, the miner disables Windows Sleep and Hibernate modes, sets up persistence via a scheduled task, and uses the \u00abWinRing0.sys\u00bb driver to fine-tune the CPU for mining.<\/p>\n<p>Another notable component of the attack is a watchdog process that restores the malicious artifacts and persistence mechanisms if they are deleted. The campaign is estimated to have accrued 27.88 XMR ($9,392) across four tracked wallets, indicating that the operation is yielding consistent financial returns to the attacker.<\/p>\n<p>\u00abBeyond the C2 infrastructure, the threat actor abuses GitHub as a payload delivery CDN, hosting staged binaries across two identified accounts,\u00bb Elastic said. 
\u00abThis technique shifts the download-and-execute step away from operator-controlled infrastructure to a trusted platform, reducing detection friction.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802Apr 02, 2026Cryptomining \/ Malware A\u00a0financially motivated operation\u00a0codenamed REF1695\u00a0has been\u00a0observed leveraging fake installers to deploy remote access trojans (RATs) and cryptocurrency miners since November\u00a02023. \u00abBeyond cryptomining, the threat actor&hellip;<\/p>\n","protected":false},"author":1,"featured_media":474,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[143,1036,1022,1038,1035,287,1037,605,262,1034],"class_list":["post-473","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-crypto","tag-iso","tag-lures","tag-miners","tag-mining","tag-operation","tag-rats","tag-researchers","tag-spread","tag-uncover"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/473","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=473"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/473\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/474"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=473"}],"w
p:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=473"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=473"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}