Fake Installers Drop RATs and Monero Miners in Ongoing Malware Campaign

Jennifer Sherman
April 7, 2026

Key Takeaways

  • A financially motivated threat actor has been deploying fake software installers since at least late 2023, delivering remote access trojans (RATs) and Monero miners.
  • The campaign, tracked as REF1695, uses sophisticated evasion techniques, including disabling Microsoft Defender and pausing crypto-mining when security tools are detected.
  • The attacker profits from cryptocurrency mining and Cost Per Action (CPA) fraud, having accumulated approximately $9,392 in Monero.

Long-Running Malware Campaign Uses Fake Installers to Drop RATs and Monero Miners

A persistent and financially driven malware campaign, active since at least late 2023, is deceiving users into downloading malicious software disguised as legitimate installers. This operation covertly deploys remote access trojans (RATs) and Monero cryptocurrency miners onto victim systems. Elastic Security Labs has published a comprehensive report with the in-depth analysis.

Designated REF1695, this campaign has maintained a low profile for over two years, continuously refining its arsenal while largely evading detection by its targets.

The attackers present victims with what appears to be a standard software installation. This often includes a progress bar or even a fabricated error message indicating a failure due to missing system requirements. These deceptive elements serve as a diversion, preventing users from realizing that malicious software is being installed in the background.

Researchers at Elastic Security Labs uncovered this operation and documented its evolution across multiple campaign iterations dating back to November 2023.

Their investigation identified four distinct variants of the campaign, each utilizing a different combination of malware, including PureRAT, CNB Bot, PureMiner, a custom XMRig loader, AsyncRAT, PulsarRAT, and SilentCryptoMiner. Despite the varied payloads, all campaigns shared common packing techniques involving Themida, WinLicense, and .NET Reactor, alongside interconnected command-and-control (C2) infrastructure. These consistencies strongly suggest a single threat actor is behind the entire operation.

In addition to cryptocurrency mining, the attacker leverages Cost Per Action (CPA) fraud. Victims are redirected to fraudulent registration pages where they are prompted to complete surveys or sign up for services, generating a commission for the attacker with each successful completion. The combined revenue from CPA fraud and Monero mining has enabled the operator to accumulate over 27.88 XMR, valued at approximately $9,392, across four monitored wallets as of the time of reporting.

The campaign’s longevity is particularly notable. Over two years, the attacker has consistently updated their tools, reconfigured their operations, and exploited legitimate platforms like GitHub to host payloads, all while maintaining the same deceptive installer approach.

Inside the Infection Chain

The attack begins when a user executes what they believe to be a legitimate software installer. In the most recent iteration of the campaign, the malware is delivered as an ISO image containing only two files: a .NET loader and a ReadMe.txt.

The ReadMe.txt file attempts to rationalize the lack of proper code-signing by claiming the software originates from a small, underfunded team. It then provides instructions for bypassing Windows SmartScreen warnings, a tactic designed to convince unsuspecting users to proceed.

Upon execution, the loader immediately adds itself and critical system directories to Microsoft Defender's exclusion list, so neither the loader nor anything later dropped into those directories is scanned by the built-in antivirus.

Subsequently, it drops and executes the CNB Bot implant. Simultaneously, a fake error message is displayed to the victim, stating that the installation failed due to unmet system requirements. This misdirection ensures the user remains oblivious while the infection silently takes hold.

CNB Bot is a newly documented .NET implant that contacts its command-and-control server every ten minutes via a scheduled Windows task. Each command received by the bot must pass an RSA-2048 signature check before it is executed. This means that anyone without the operator's private key cannot issue instructions to infected machines, even if they gain access to the C2 server itself.

One of the most sophisticated evasion techniques employed in this campaign involves the custom XMRig loader. This loader actively monitors for a hardcoded list of 35 security and monitoring tools running on the system. The moment any of these tools are detected, the miner immediately ceases operations, causing CPU usage to return to normal levels. Once the user closes the security tool, mining silently resumes, leaving no immediate trace of its activity.

What You Should Do

  • Always download software exclusively from official, verified vendor websites.
  • Never bypass security warnings, such as Windows SmartScreen, even if instructed to do so by a downloaded file. Legitimate software typically does not require such actions.
  • Ensure your antivirus software and endpoint detection and response (EDR) tools are consistently updated and actively running.
  • Monitor your system for unusual CPU spikes, unexpected network connections, or unknown scheduled tasks. Report any suspicious activity to your IT or cybersecurity team immediately.
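Two of the host artefacts described above are visible in standard Windows event logs: the Defender exclusion added by the loader (Defender Operational log, event 5007, configuration changed) and the ten-minute scheduled task that CNB Bot uses to beacon (Security log, event 4698, task created). The following detection logic is an added example, not code from the Elastic report; it scans constructed event lines and flags exclusions that cover user-writable or broad system paths, and short-interval tasks launched from a user profile. The flat `EventID|Message` layout, the user name, task names and paths are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry) in a flat "EventID|Message"
# layout, as a SIEM export of the Defender Operational and Security logs might look.
SAMPLE_EVENTS = [
    "5007|Windows Defender Antivirus Configuration has changed. Old value:  New value: "
    "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\alice\\AppData\\Roaming\\setup = 0x0",
    "5007|Windows Defender Antivirus Configuration has changed. Old value:  New value: "
    "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Windows = 0x0",
    "4698|A scheduled task was created. Task Name: \\Updater Task Content: <Task><Triggers>"
    "<TimeTrigger><Repetition><Interval>PT10M</Interval></Repetition></TimeTrigger></Triggers>"
    "<Actions><Exec><Command>C:\\Users\\alice\\AppData\\Roaming\\setup\\svc.exe</Command></Exec></Actions></Task>",
    "4698|A scheduled task was created. Task Name: \\Backup Task Content: <Task><Triggers>"
    "<CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>"
    "</Triggers><Actions><Exec><Command>C:\\Program Files\\Backup\\backup.exe</Command></Exec></Actions></Task>",
]

# Locations where a loader dropped by a fake installer typically lives, and roots
# whose exclusion blinds Defender to far more than a single program.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\|\\Temp\\", re.I)
BROAD_ROOTS = re.compile(r"^[A-Z]:\\(Windows|Users|ProgramData)?\\?$", re.I)
EXCLUSION = re.compile(r"Exclusions\\Paths\\(?P<path>[^=]+?)\s*=", re.I)
INTERVAL = re.compile(r"<Interval>PT(?P<n>\d+)M</Interval>")
COMMAND = re.compile(r"<Command>(?P<cmd>[^<]+)</Command>")

@dataclass
class Finding:
    rule: str
    detail: str

def scan_events(lines):
    """Return findings for risky Defender exclusions and short-interval beacon tasks."""
    findings = []
    for line in lines:
        event_id, _, msg = line.partition("|")
        if event_id == "5007" and (m := EXCLUSION.search(msg)):
            path = m.group("path").strip()
            if USER_WRITABLE.search(path + "\\") or BROAD_ROOTS.match(path):
                findings.append(Finding("defender-exclusion", path))
        elif event_id == "4698":
            iv, cmd = INTERVAL.search(msg), COMMAND.search(msg)
            # A ten-minute (or tighter) repetition launched from a user-writable path
            if iv and cmd and int(iv.group("n")) <= 10 and USER_WRITABLE.search(cmd.group("cmd")):
                findings.append(Finding("beacon-task", cmd.group("cmd")))
    return findings

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

The daily backup task is deliberately left unflagged to show that the rule keys on the combination of a short interval and a user-writable launch path, not on task creation alone.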
