Apr 02, 2026 • The Hacker News
Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners
Executive Summary
Elastic Security researchers have identified a financially motivated threat operation codenamed REF1695, active since November 2023, distributing RATs and cryptocurrency miners through fake software installers disguised as ISO files. The campaign employs social engineering tactics, luring victims with fraudulent software registration pages. Beyond cryptomining, the threat actors monetize compromised systems through Cost Per Action (CPA) fraud, redirecting victims to content locker pages. Organizations should implement robust email filtering, user awareness training, and endpoint detection solutions to mitigate risks from fake installer attacks and unauthorized cryptomining activities.
Summary
A financially motivated operation codenamed REF1695 has been observed leveraging fake installers to deploy remote access trojans (RATs) and cryptocurrency miners since November 2023. "Beyond cryptomining, the threat actor monetizes infections through CPA (Cost Per Action) fraud, directing victims to content locker pages under the guise of software registration," Elastic
Linked Entities
- Cryptocurrency Miners
- Remote Access Trojans
- REF1695