Fake Installers Drop RATs and Monero Miners in Ongoing Malware Campaign
Key Takeaways
- A financially motivated threat actor has been deploying fake software installers since at least late 2023, delivering remote access trojans (RATs) and Monero miners.
- The campaign, tracked as REF1695, uses sophisticated evasion techniques, including disabling Microsoft Defender and pausing crypto-mining when security tools are detected.
- The attacker profits from cryptocurrency mining and Cost Per Action (CPA) fraud, having accumulated approximately $9,392 in Monero.
Long-Running Malware Campaign Uses Fake Installers to Drop RATs and Monero Miners
A persistent and financially driven malware campaign, active since at least late 2023, is deceiving users into downloading malicious software disguised as legitimate installers. This operation covertly deploys remote access trojans (RATs) and Monero cryptocurrency miners onto victim systems. For an in-depth analysis, see the full report from Elastic Security Labs.
Designated REF1695, this campaign has maintained a low profile for over two years, continuously refining its arsenal while largely evading detection by its targets.
The attackers present victims with what appears to be a standard software installation. This often includes a progress bar or even a fabricated error message indicating a failure due to missing system requirements. These deceptive elements serve as a diversion, preventing users from realizing that malicious software is being installed in the background.
Researchers at Elastic Security Labs uncovered this operation and documented its evolution across multiple campaign iterations dating back to November 2023.
Their investigation identified four distinct variants of the campaign, each utilizing a different combination of malware, including PureRAT, CNB Bot, PureMiner, a custom XMRig loader, AsyncRAT, PulsarRAT, and SilentCryptoMiner. Despite the varied payloads, all campaigns shared common packing techniques involving Themida, WinLicense, and .NET Reactor, alongside interconnected command-and-control (C2) infrastructure. These consistencies strongly suggest a single threat actor is behind the entire operation.
In addition to cryptocurrency mining, the attacker leverages Cost Per Action (CPA) fraud. Victims are redirected to fraudulent registration pages where they are prompted to complete surveys or sign up for services, generating a commission for the attacker with each successful completion. The combined revenue from CPA fraud and Monero mining has enabled the operator to accumulate over 27.88 XMR, valued at approximately $9,392, across four monitored wallets as of the time of reporting.
The campaign’s longevity is particularly notable. Over two years, the attacker has consistently updated their tools, reconfigured their operations, and exploited legitimate platforms like GitHub to host payloads, all while maintaining the same deceptive installer approach.
Inside the Infection Chain
The attack begins when a user executes what they believe to be a legitimate software installer. In the most recent iteration of the campaign, the malware is delivered as an ISO image containing only two files: a .NET loader and a ReadMe.txt.
The ReadMe.txt file attempts to rationalize the lack of proper code-signing by claiming the software originates from a small, underfunded team. It then provides instructions for bypassing Windows SmartScreen warnings, a tactic designed to convince unsuspecting users to proceed.
Upon execution, the loader immediately adds itself and critical system directories to Microsoft Defender’s exclusion list, effectively rendering it invisible to the built-in antivirus solution.
Subsequently, it drops and executes the CNB Bot implant. Simultaneously, a fake error message is displayed to the victim, stating that the installation failed due to unmet system requirements. This misdirection ensures the user remains oblivious while the infection silently takes hold.
CNB Bot is a newly documented .NET implant that contacts its command-and-control server every ten minutes via a scheduled Windows task. Each command received by the bot must pass an RSA-2048 signature check before it is executed. This means that even a party who gains access to the C2 server cannot issue instructions to infected machines without the operator's private key.
One of the most sophisticated evasion techniques employed in this campaign involves the custom XMRig loader. This loader actively monitors for a hardcoded list of 35 security and monitoring tools running on the system. The moment any of these tools are detected, the miner immediately ceases operations, causing CPU usage to return to normal levels. Once the user closes the security tool, mining silently resumes, leaving no immediate trace of its activity.
What You Should Do
- Always download software exclusively from official, verified vendor websites.
- Never bypass security warnings, such as Windows SmartScreen, even if instructed to do so by a downloaded file. Legitimate software typically does not require such actions.
- Ensure your antivirus software and endpoint detection and response (EDR) tools are consistently updated and actively running.
- Monitor your system for unusual CPU spikes, unexpected network connections, or unknown scheduled tasks. Report any suspicious activity to your IT or cybersecurity team immediately.
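The following read-only triage script is an added example, not code from the article or from Elastic's report. It checks a Windows host for the three behaviours described above: Defender exclusions added by the loader, the Defender configuration-change events that record them, and scheduled tasks repeating every ten minutes that launch a binary outside the Windows directory (the CNB Bot beacon pattern). It assumes Windows 10/11 with the Defender PowerShell module, run from an elevated prompt; the ten-minute interval comes from the article, everything else is standard Windows tooling.

```powershell
# Added example (not from the HackersRadar article or the Elastic report):
# read-only triage for the REF1695 behaviours described above.
# Assumption: Windows 10/11, Defender module present, elevated prompt.

# 1. Defender exclusions: the loader adds itself and system directories here.
$pref = Get-MpPreference
"== Defender exclusions =="
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($item in $pref.$kind) { "{0,-18} {1}" -f $kind, $item }
}

# 2. Defender configuration changes (Event ID 5007 in the Defender
#    operational log records every exclusion that is added or removed).
"== Defender config changes, last 7 days (Event 5007) =="
$filter = @{ LogName   = 'Microsoft-Windows-Windows Defender/Operational'
             Id        = 5007
             StartTime = (Get-Date).AddDays(-7) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusion' } |
    ForEach-Object {
        $new = ($_.Message -split "`r?`n") | Where-Object { $_ -match 'New value' }
        "{0}  {1}" -f $_.TimeCreated, ($new -join ' ')
    }

# 3. Scheduled tasks that repeat every 10 minutes (ISO 8601 'PT10M') and
#    execute something outside the Windows directory.
"== Scheduled tasks beaconing every 10 minutes =="
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task    = $_
    $repeats = $task.Triggers | Where-Object { $_.Repetition.Interval -eq 'PT10M' }
    if ($repeats) {
        foreach ($action in $task.Actions) {
            # ComHandler actions have no Execute property; only ExecActions are listed.
            if ($action.Execute -and
                $action.Execute -notmatch '^(%SystemRoot%|%windir%|C:\\Windows)') {
                "{0}{1}  ->  {2} {3}" -f $task.TaskPath, $task.TaskName,
                                         $action.Execute, $action.Arguments
            }
        }
    }
}
```

Any hit in sections 1 to 3 is a lead for investigation, not proof of infection; legitimate software also registers exclusions and recurring tasks, so compare the paths and binaries against what is expected on the host.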
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.