Researchers Uncover Sophisticated Mining Operation Exploiting ISO Lures to Spread RATs and Crypto Miners
April 2, 2026 — In an analysis published this week, researchers at Elastic Security Labs describe a financially motivated cybercrime campaign, tracked as REF1695, that uses fake software installers delivered as ISO files to deploy remote access trojans (RATs) and cryptocurrency miners. The operation, observed since November 2023, layers evasion techniques and staged payloads to stay resident on victim machines while generating a steady illicit income.
How the Operation Works
The infection starts with a fake software installer packaged inside an ISO file. The image contains a .NET Reactor-protected loader and a text file that instructs the victim to dismiss the Microsoft Defender SmartScreen warning by clicking "More info" and then "Run anyway." This is social engineering rather than a technical bypass: the security control fires as designed, and the victim is talked into overriding it.
Once run, the loader executes PowerShell that adds broad exclusions to Microsoft Defender Antivirus, so the directories and processes the malware uses are no longer scanned. At the same time the victim is shown a fake error, "Unable to launch the application. Your system may not meet the required specifications. Please contact support," which explains away the missing application while the payloads install in the background.
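The exclusion tampering described above can be audited from the same shell the loader uses. The following PowerShell is an added example written for this page, not code from Elastic's report or from the campaign. It lists Defender exclusions that match a hypothetical set of "broad" patterns (drive roots, whole user profiles, Temp and AppData directories, executable extensions, script hosts) and pulls the configuration-change events Defender writes whenever an exclusion list changes. The pattern list and the 24-hour window are assumptions; an attacker-side change such as `Add-MpPreference -ExclusionPath 'C:\'` is the kind of entry this audit flags.

```powershell
# Added example for this page (not Elastic's or the campaign's code). Run elevated.
# Lists Defender exclusions that match a hypothetical set of "broad" patterns and
# pulls the configuration-change events Defender logs when exclusions change.

# Hypothetical patterns for exclusions that effectively switch scanning off for
# everything an unprivileged process can reach. Adjust for your estate.
$broadPathPatterns = @(
    '^[A-Za-z]:\\?$'            # C: or C:\ (an entire drive)
    '^[A-Za-z]:\\\*'            # C:\*
    '^\*'                       # bare wildcard
    '\\Users\\[^\\]+\\?$'       # an entire user profile
    '\\AppData\\'               # %APPDATA% / %LOCALAPPDATA% and below
    '\\Temp\\?'                 # temp directories
    '\\ProgramData\\?$'         # all of ProgramData
    '\\Windows\\?$'             # all of %SystemRoot%
)

function Get-BroadDefenderExclusions {
    $prefs = Get-MpPreference
    $findings = @()

    foreach ($p in @($prefs.ExclusionPath)) {
        if (-not $p) { continue }
        foreach ($pat in $broadPathPatterns) {
            if ($p -match $pat) {
                $findings += [pscustomobject]@{ Type = 'Path'; Value = $p; Reason = "matches $pat" }
                break
            }
        }
    }
    # Extension exclusions are broad by nature: excluding .exe or .dll skips every binary.
    foreach ($e in @($prefs.ExclusionExtension)) {
        if ($e -and $e -match '^\.?(exe|dll|ps1|bat|cmd|vbs|js|scr|sys)$') {
            $findings += [pscustomobject]@{ Type = 'Extension'; Value = $e; Reason = 'executable or script type' }
        }
    }
    # A process exclusion skips scanning of every file that process opens, so an
    # excluded script host or user-writable binary excludes whatever it loads.
    foreach ($proc in @($prefs.ExclusionProcess)) {
        if ($proc -and $proc -match 'powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32|AppData|Temp') {
            $findings += [pscustomobject]@{ Type = 'Process'; Value = $proc; Reason = 'script host or user-writable path' }
        }
    }
    return $findings
}

function Get-DefenderConfigChangeEvents {
    param([int]$Hours = 24)
    # Event ID 5007 ("The antimalware platform configuration changed") records the
    # old and new value of each changed setting, exclusions included.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated,
            @{ Name = 'Change'; Expression = { ($_.Message -split '\r?\n' | Select-Object -First 4) -join ' | ' } }
}

'== Broad exclusions currently configured =='
Get-BroadDefenderExclusions | Format-Table -AutoSize
'== Defender configuration changes touching exclusions (last 24h) =='
Get-DefenderConfigChangeEvents | Format-Table -AutoSize -Wrap
```

Findings can be reverted with `Remove-MpPreference -ExclusionPath <path>` (and the matching `-ExclusionExtension` / `-ExclusionProcess` parameters). Where Tamper Protection is enabled and covers exclusions on the device, `Add-MpPreference` calls from a script fail outright; `(Get-MpComputerStatus).IsTamperProtected` shows whether it is on.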
The CNB Bot and Additional Payloads
At the core of the campaign is a previously undocumented .NET implant that Elastic calls CNB Bot. It functions as a loader: it can download and execute additional payloads, update itself, and uninstall itself or clean up its traces to frustrate analysis. It talks to its command-and-control (C2) servers over HTTP POST requests.
Alongside CNB Bot, the same ISO lures deliver PureRAT, PureMiner, and a custom .NET loader for the XMRig miner. The XMRig loader fetches its mining configuration from a hard-coded URL and then starts mining on the compromised machine.
Use of Vulnerable Signed Drivers for Enhanced Mining
Elastic also observed abuse of a legitimate, signed Windows kernel driver, "WinRing0x64.sys", in these campaigns. The driver hands low-level hardware access, including CPU model-specific registers (MSRs), to user-mode callers; the miner uses it to write MSRs that raise the hash rate. Because the driver carries a valid signature, it loads on a default Windows install without tripping Driver Signature Enforcement unless a vulnerable-driver blocklist that covers it is enforced, the bring-your-own-vulnerable-driver (BYOVD) pattern. XMRig added this MSR tuning in December 2019, and it has since become routine in cryptojacking operations.
Another variant deploys SilentCryptoMiner, a miner that issues direct system calls to sidestep the user-mode API hooks security products rely on. It also disables Windows Sleep and Hibernate so mining is never interrupted, persists through scheduled tasks, and loads the "Winring0.sys" driver for the same CPU tuning.
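The host artifacts described in the two paragraphs above (a registered WinRing0 driver, power settings changed so the machine never sleeps or hibernates, and scheduled-task persistence) can be checked with one script. This PowerShell is an added example written for this page, not Elastic's tooling or the miner's own code. It assumes English-language `powercfg` output and uses a hypothetical list of user-writable paths and script hosts for the task check; expect a few legitimate vendor tasks in that output, to be triaged by path and signer.

```powershell
# Added example for this page (not Elastic's or the miner's code). Run elevated.
# Hunts for three artifacts the campaign leaves on a host: a WinRing0 kernel
# driver, sleep/hibernate timeouts set to "never", and scheduled tasks whose
# action runs from a user-writable directory or through a script host.

function Get-WinRing0Driver {
    # Kernel drivers are registered as services; Win32_SystemDriver shows the
    # registration, the on-disk path and whether the driver is currently loaded.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.Name -match 'WinRing0' -or $_.PathName -match 'WinRing0' } |
        ForEach-Object {
            $path   = $_.PathName -replace '^\\\?\?\\', ''    # strip the \??\ prefix
            $onDisk = Test-Path -LiteralPath $path
            $sig  = if ($onDisk) { Get-AuthenticodeSignature -FilePath $path } else { $null }
            $hash = if ($onDisk) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { $null }
            [pscustomobject]@{
                Name      = $_.Name
                State     = $_.State          # 'Running' means the driver is loaded now
                StartMode = $_.StartMode
                Path      = $path
                Signer    = $sig.SignerCertificate.Subject
                SigStatus = $sig.Status       # 'Valid': signed, which is why it loads at all
                SHA256    = $hash             # compare against a vulnerable-driver list
            }
        }
}

function Get-SleepDisabledSettings {
    # powercfg /query prints "Current AC Power Setting Index: 0x00000000" for each
    # setting; a value of 0 seconds means "never". Assumes English powercfg output.
    $settings = @(
        @{ Name = 'StandbyTimeout';   Alias = 'STANDBYIDLE' }
        @{ Name = 'HibernateTimeout'; Alias = 'HIBERNATEIDLE' }
    )
    $results = @(foreach ($s in $settings) {
        $out = & powercfg.exe /query SCHEME_CURRENT SUB_SLEEP $s.Alias 2>$null
        foreach ($line in $out) {
            if ($line -match 'Current (AC|DC) Power Setting Index:\s+0x([0-9A-Fa-f]+)') {
                $secs = [Convert]::ToInt32($Matches[2], 16)
                [pscustomobject]@{ Setting = $s.Name; Power = $Matches[1]; Seconds = $secs; Never = ($secs -eq 0) }
            }
        }
    })
    # "powercfg /hibernate off" sets HibernateEnabled to 0, removing hibernation entirely.
    $hib = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' -Name HibernateEnabled -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Setting = 'HibernateEnabled'; Power = '-'; Seconds = $hib.HibernateEnabled; Never = ($hib -and $hib.HibernateEnabled -eq 0) }
    return $results
}

function Get-SuspiciousScheduledTasks {
    # Hypothetical pattern list: user-writable directories, script hosts, the driver name.
    $pattern = 'AppData|\\Temp\\|ProgramData|\\Users\\Public|powershell|pwsh|cmd\.exe|wscript|cscript|mshta|WinRing0'
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($a in @($task.Actions)) {
            $cmd = ('{0} {1}' -f $a.Execute, $a.Arguments).Trim()
            if ($cmd -match $pattern) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    RunAs    = $task.Principal.UserId
                    RunLevel = $task.Principal.RunLevel
                    Command  = $cmd
                }
            }
        }
    }
}

'== WinRing0 driver registrations =='
Get-WinRing0Driver | Format-List
'== Sleep / hibernate settings (Never = True is the miner-friendly state) =='
Get-SleepDisabledSettings | Format-Table -AutoSize
'== Scheduled tasks running from user-writable paths or script hosts =='
Get-SuspiciousScheduledTasks | Format-Table -AutoSize -Wrap
```

A running WinRing0 service on a machine with no hardware-monitoring software installed is the strongest single indicator here; the SHA256 can be matched against a vulnerable-driver catalogue such as loldrivers.io, and the on-disk file should be removed only after the watchdog and mining processes are stopped, since the campaign restores deleted artifacts.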
Persistence and Financial Impact
A key feature of REF1695 is a watchdog process that monitors the installed artifacts and persistence mechanisms and restores any that are removed. Partial cleanup, deleting a task or a binary without first stopping the watchdog, leaves the infection intact.
The campaign is profitable: researchers tracked 27.88 XMR (approximately $9,392 USD) across four cryptocurrency wallets, a modest but steady return for the operators.
Abuse of Trusted Platforms to Evade Detection
To reduce detection risk, the operators host staged binaries on GitHub across at least two accounts. Using a reputable platform as a content delivery network (CDN) keeps the download traffic off operator-controlled infrastructure: requests to github.com blend in with legitimate developer activity and are unlikely to trip reputation-based controls.
Monetization Beyond Cryptomining
Beyond mining, the operators also earn from Cost Per Action (CPA) fraud: victims are redirected to content-locker pages dressed up as software registration portals, adding a second revenue stream to each infection.
REF1695 shows how a criminal operation combines social engineering, abuse of a signed vulnerable driver, and trusted hosting for distribution. For defenders, the practical checks follow from the chain: treat any installer that asks the user to click through SmartScreen as malicious, alert on changes to Defender exclusions, and inventory loaded kernel drivers for known vulnerable ones.
Topics: Cryptomining, Cybersecurity, Malware, Remote Access Trojan, Microsoft Defender, PowerShell, GitHub
Source: Elastic Security Labs via The Hacker News