[{"data":1,"prerenderedAt":148},["ShallowReactive",2],{"article-slug-ref1695-threat-actor-spreads-rats-and-cryptominers-via-fake-installers":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":43,"sources":44,"events":55,"mitre_techniques":59,"mitre_mitigations":76,"d3fend_countermeasures":100,"iocs":115,"cyber_observables":116,"tags":133,"extract_datetime":139,"article_type":140,"impact_scope":141,"pub_date":48,"reading_time_minutes":147,"createdAt":139,"updatedAt":139},"739e0af1-8aa8-4413-88ce-14e29dcab1f1","ref1695-threat-actor-spreads-rats-and-cryptominers-via-fake-installers","REF1695 Campaign Spreads RATs and Cryptominers via Fake Software Installers","REF1695 Threat Actor Uses Bogus Installers on GitHub to Distribute RATs and Cryptominers","A long-running threat campaign, dubbed REF1695, has been active since November 2023, using counterfeit software installers to deliver a variety of malicious payloads. According to Elastic Security Labs, the operation uses ISO file lures to distribute malware including the PureMiner and PureRAT trojans, the CNB Bot implant, and various cryptominers like XMRig. The threat actor leverages GitHub as a content delivery network (CDN) to host its payloads, a tactic designed to evade detection by using a trusted platform.","## Executive Summary\nSecurity researchers at **[Elastic Security Labs](https://www.elastic.co/security-labs/)** have detailed a multi-faceted malware distribution campaign by a threat actor tracked as **REF1695**. Active since at least November 2023, the operation uses malicious ISO files disguised as legitimate software installers to infect victims. 
These fake installers are used to deploy a range of malware, including the **PureMiner** and **PureRAT** trojans, the **CNB Bot** implant for delivering further payloads, and various cryptocurrency miners such as **SilentCryptoMiner** and **XMRig**. A key tactic of the campaign is its abuse of **[GitHub](https://github.com/)** as a trusted Content Delivery Network (CDN) to host and deliver its malicious binaries, making the activity appear more legitimate and harder to block.\n\n## Threat Overview\n**REF1695** is a financially motivated threat operation focused on deploying Remote Access Trojans (RATs) for system control and cryptominers for resource hijacking. Their primary infection vector is social engineering, luring users into downloading and mounting malicious ISO files that masquerade as popular software.\n\n- **Initial Access:** The attack begins when a user downloads a fake software installer, typically packaged as an ISO file ([`T1566.001 - Spearphishing Attachment`](https://attack.mitre.org/techniques/T1566/001/)). Mounting the ISO reveals a malicious loader.\n- **Execution & Obfuscation:** The loader is often protected with commercial packers like **.NET Reactor** to hinder analysis ([`T1027 - Obfuscated Files or Information`](https://attack.mitre.org/techniques/T1027/)). This loader acts as a dropper for the main payloads.\n- **Payload Delivery:** The campaign leverages GitHub as a C2 and payload distribution CDN ([`T1105 - Ingress Tool Transfer`](https://attack.mitre.org/techniques/T1105/)). By hosting malware on a legitimate, widely trusted platform like GitHub, the attackers' download traffic is more likely to bypass network security controls.\n- **Impact:** The deployed malware varies. **PureRAT** provides the attacker with full remote control over the victim's machine. **CNB Bot** is a modular implant that can inject additional payloads. 
Cryptominers like **SilentCryptoMiner** and **XMRig** hijack the victim's CPU/GPU resources to mine cryptocurrency ([`T1496 - Resource Hijacking`](https://attack.mitre.org/techniques/T1496/)), leading to performance degradation and increased electricity costs.\n\n## Technical Analysis\nThe use of ISO files is a popular technique to bypass Mark-of-the-Web (MOTW) security controls in Windows, as files inside a mounted ISO may not inherit the flag that triggers security warnings. The REF1695 actor's reliance on GitHub is a strategic choice to improve operational security. It offloads the infrastructure burden to a reputable service, making it harder for defenders to block based on IP or domain reputation alone.\n\nThe **SilentCryptoMiner** payload is noteworthy for its evasion techniques, including the use of direct system calls to bypass EDR hooks and its ability to disable Windows Sleep and Hibernate modes to ensure continuous mining activity. This demonstrates a degree of sophistication aimed at maximizing profit while minimizing the chances of detection.\n\n## Impact Assessment\nThe primary impact of the REF1695 campaign is financial, both directly for the attacker (through cryptomining) and indirectly for the victim (through increased power consumption and system degradation). However, the deployment of **PureRAT** and **CNB Bot** presents a much greater risk. These RATs give the attacker complete control over the compromised system, allowing them to steal sensitive data, install keyloggers, deploy ransomware, or use the machine as a pivot point for further attacks into the victim's network. An infection can quickly escalate from a simple resource hijacking incident to a full-blown data breach.\n\n## Cyber Observables for Detection\n- **Network Traffic:** Monitor for outbound connections to `raw.githubusercontent.com` from unusual processes. 
While GitHub is legitimate, a non-developer tool making connections to it could be suspicious.\n- **Process Activity:** Look for processes associated with cryptomining, such as `xmrig.exe`. Also, monitor for high, sustained CPU usage from unexpected processes.\n- **File Artifacts:** The use of ISO files (`.iso`) as a delivery mechanism is a key observable. Monitor for the download and mounting of ISO files from untrusted sources.\n- **Persistence:** The malware may create scheduled tasks or registry run keys to maintain persistence. Monitor common persistence locations for new, suspicious entries.\n\n## Detection & Response\n- **Endpoint Monitoring:** Use EDR to detect the execution of binaries from mounted ISO files. Create alerts for high CPU usage that persists for long periods, which is a strong indicator of cryptomining. D3FEND's [`Process Analysis`](https://d3fend.mitre.org/technique/d3f:ProcessAnalysis) can identify the miner processes.\n- **Network Egress Filtering:** While blocking all of GitHub is not feasible for many organizations, it is possible to restrict access to it. Monitor and alert on non-browser and non-developer tool processes connecting to `github.com` or its subdomains. D3FEND's [`Outbound Traffic Filtering`](https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering) can be tuned to spot these anomalies.\n- **User Training:** Educate users about the dangers of downloading software from unofficial sources. Emphasize that even legitimate-looking installers can be malicious.\n\n## Mitigation\n- **Application Control:** Implement application control policies to prevent the execution of unauthorized software. This is the most effective way to stop users from running fake installers. 
This aligns with [`M1038 - Execution Prevention`](https://attack.mitre.org/mitigations/M1038/).\n- **Block ISO Mounting:** In environments where it is not required for business, consider creating a Group Policy Object (GPO) to block the automatic mounting of ISO files or to disable AutoPlay. This adds a layer of friction that can disrupt the attack chain.\n- **Endpoint Protection:** Ensure antivirus and EDR solutions are up-to-date. Many of the payloads, like XMRig, are well-known, and signature-based detection can be effective against the final payload, even if the loader is obfuscated.","⚠️ A threat actor dubbed REF1695 is using fake software installers in ISO files to spread RATs & cryptominers like PureRAT and XMRig. The campaign abuses GitHub for payload delivery. 💻 #Malware #ThreatIntel #GitHub #CyberSecurity","The REF1695 threat campaign, active since late 2023, uses fake ISO installers and abuses GitHub to distribute a variety of malware, including RATs and cryptominers.",[13,14,15],"Malware","Threat Actor","Phishing","medium",[18,21,25,28,30,32,34,36,39],{"name":19,"type":20},"REF1695","threat_actor",{"name":22,"type":23,"url":24},"Elastic Security Labs","security_organization","https://www.elastic.co/security-labs/",{"name":26,"type":27},"PureMiner","malware",{"name":29,"type":27},"PureRAT",{"name":31,"type":27},"CNB Bot",{"name":33,"type":27},"SilentCryptoMiner",{"name":35,"type":27},"XMRig",{"name":37,"type":38},".NET Reactor","technology",{"name":40,"type":41,"url":42},"GitHub","company","https://github.com/",[],[45,51],{"url":46,"title":47,"date":48,"friendly_name":49,"website":50},"https://www.scmagazine.com/brief/malware/bogus-installers-facilitate-rat-cryptominer-spread-in-long-running-operation","Bogus installers facilitate RAT, cryptominer spread in long-running operation | brief | SC Media","2026-04-03","SC 
Media","scmagazine.com",{"url":52,"title":53,"date":54,"friendly_name":49,"website":50},"https://www.scmagazine.com/brief/threat-intelligence/widespread-microsoft-365-account-compromise-sought-by-iran-linked-hackers","Widespread Microsoft 365 account compromise sought by Iran-linked hackers | brief","2026-04-01",[56],{"datetime":57,"summary":58},"2023-11-01T00:00:00Z","The REF1695 campaign is first observed to be active.",[60,64,68,72],{"id":61,"name":62,"tactic":63},"T1204.002","Malicious File","Execution",{"id":65,"name":66,"tactic":67},"T1105","Ingress Tool Transfer","Command and Control",{"id":69,"name":70,"tactic":71},"T1496","Resource Hijacking","Impact",{"id":73,"name":74,"tactic":75},"T1027","Obfuscated Files or Information","Defense Evasion",[77,87,91],{"id":78,"name":79,"d3fend_techniques":80,"description":85,"domain":86},"M1038","Execution Prevention",[81],{"id":82,"name":83,"url":84},"D3-EAL","Executable Allowlisting","https://d3fend.mitre.org/technique/d3f:ExecutableAllowlisting","Using application control to prevent users from running unauthorized installers downloaded from the internet is a highly effective mitigation.","enterprise",{"id":88,"name":89,"description":90,"domain":86},"M1017","User Training","Educating users on the dangers of downloading and running software from untrusted sources can help prevent the initial infection.",{"id":92,"name":93,"d3fend_techniques":94,"description":99,"domain":86},"M1049","Antivirus/Antimalware",[95],{"id":96,"name":97,"url":98},"D3-FH","File Hashing","https://d3fend.mitre.org/technique/d3f:FileHashing","Keeping endpoint security software up-to-date can help detect and block known payloads like XMRig, even if the initial loader is novel.",[101,103,109],{"technique_id":82,"technique_name":83,"url":84,"recommendation":102,"mitre_mitigation_id":78},"To combat campaigns like REF1695 that rely on users running fake installers, executable allowlisting is a powerful preventative control. 
Using a tool like Windows Defender Application Control, administrators can create a policy that only permits signed executables from trusted publishers to run. This would block the malicious, unsigned loaders found inside the ISO files used by REF1695. For environments with developers, policies can be configured to allow specific unsigned code in designated development folders while maintaining strict enforcement everywhere else. This mitigation shifts the security posture from a default-allow (blacklist) to a default-deny (whitelist) model, which is far more effective at stopping novel and socially engineered malware before it can execute.",{"technique_id":104,"technique_name":105,"url":106,"recommendation":107,"mitre_mitigation_id":108},"D3-NTA","Network Traffic Analysis","https://d3fend.mitre.org/technique/d3f:NetworkTrafficAnalysis","To detect REF1695's abuse of GitHub, security teams must perform nuanced network traffic analysis. Since blocking GitHub entirely is impractical, the focus should be on context. Create detection rules that alert when non-standard processes make outbound connections to `raw.githubusercontent.com`. For example, a connection from `winword.exe` or a random process in `C:\\Users\\\u003Cuser>\\AppData\\Local\\Temp\\` is highly suspicious. Baseline normal GitHub traffic from legitimate developer tools (e.g., `git.exe`) and IDEs, then alert on deviations. Furthermore, monitor for the download of executable file types (`.exe`, `.dll`, `.ps1`) from GitHub by any process other than an approved software management tool. This allows the security team to spot the payload download stage of the REF1695 attack chain.","M1031",{"technique_id":110,"technique_name":111,"url":112,"recommendation":113,"mitre_mitigation_id":114},"D3-PH","Platform Hardening","https://d3fend.mitre.org/technique/d3f:PlatformHardening","A key tactic of the REF1695 campaign is using ISO files to bypass Mark-of-the-Web (MOTW) controls. 
To counter this, organizations can implement platform hardening via Group Policy. A GPO can be created to change the default behavior for `.iso` files, preventing them from being automatically mounted as a drive when double-clicked. Instead, the policy can be set to open them with a tool like 7-Zip, or to do nothing at all. This adds a layer of friction and prevents the seamless execution path the attackers rely on. Additionally, ensure that PowerShell execution policies are set to 'RemoteSigned' or more restrictive settings across the enterprise to prevent the easy execution of downloaded scripts. These hardening steps disrupt the attacker's TTPs and increase the chances of the attack failing.","M1028",[],[117,122,127],{"type":118,"value":119,"description":120,"context":121,"confidence":16},"url_pattern","raw.githubusercontent.com","The domain used by GitHub to serve raw file content. Attackers abuse this to host malicious payloads on a trusted domain.","Proxy logs, DNS logs, Netflow",{"type":123,"value":124,"description":125,"context":126,"confidence":16},"file_name","*.iso","The use of ISO disk image files as a container for malware. Monitor for downloads of ISOs from browsers or email clients.","EDR, File monitoring",{"type":128,"value":129,"description":130,"context":131,"confidence":132},"process_name","xmrig.exe","A common open-source cryptomining process frequently bundled in malware campaigns.","Process monitoring, EDR","high",[134,135,136,40,137,138],"cryptomining","RAT","ISO file","malware delivery","social engineering","2026-04-03T15:00:00.000Z","NewsArticle",{"geographic_scope":142,"industries_affected":143,"other_affected":145},"global",[144],"Other",[146],"General computer users",4,1775683839941]