Full Report
A financially motivated operation codenamed REF1695 has been observed leveraging fake installers to deploy remote access trojans (RATs) and cryptocurrency miners since November 2023. "Beyond cryptomining, the threat actor monetizes infections through CPA (Cost Per Action) fraud, directing victims to content locker pages under the guise of software registration," Elastic
Analysis Summary
# Threat Actor: REF1695
## Attribution & Identity
**REF1695** is a financially motivated threat actor group first identified by researchers at Elastic Security Labs. There are no currently public links to known state-sponsored groups; the actor appears to be an independent cybercriminal entity focused on multi-stream monetization.
## Activity Summary
Active since at least November 2023, REF1695 specializes in the distribution of commodity and bespoke malware through deceptive software installers. Their operations focus on persistent cryptojacking and multi-faceted fraud. Recent campaigns (circa early 2026) have introduced a new proprietary implant and sophisticated evasion techniques to bypass modern OS security features.
## Tactics, Techniques & Procedures
- **Social Engineering:** Leveraging ISO lures disguised as legitimate software installers with explicit text-based instructions to bypass security warnings.
- **Defense Evasion:**
  - Using **.NET Reactor** to protect loaders.
  - Instructing users to bypass **Microsoft Defender SmartScreen**.
  - Executing PowerShell scripts to configure broad **Microsoft Defender Antivirus exclusions**.
  - Distributing payloads via **GitHub** (using it as a trusted CDN to host binaries).
  - Utilizing direct system calls and watchdog processes to maintain persistence and evade monitoring.
- **Privilege Escalation & Exploitation:** Utilizing the "Bring Your Own Vulnerable Driver" (BYOVD) technique by deploying `WinRing0x64.sys` to obtain kernel-level access.
- **Monetization:**
  - **Cryptojacking:** Deployment of miners to harvest Monero (XMR).
  - **CPA Fraud:** Redirecting victims to content locker pages and fake software registration forms for affiliate revenue.
- **MITRE ATT&CK IDs:**
  - **T1566.001:** Phishing: Spearphishing Attachment (ISO lures)
  - **T1059.001:** Command and Scripting Interpreter: PowerShell
  - **T1562.001:** Impair Defenses: Disable or Modify Tools (Defender exclusions)
  - **T1053.005:** Scheduled Task/Job: Scheduled Task (Persistence)
  - **T1068:** Exploitation for Privilege Escalation (WinRing0x64.sys)
  - **T1102:** Web Service (GitHub for payload delivery)
## Targeting
- **Sectors:** Unspecified/Opportunistic. The use of fake software installers typically targets broad demographics seeking pirated or utility software.
- **Geography:** Global, though related SilentCryptoMiner campaigns were specifically reported to affect Russian users.
- **Victims:** General users and enterprise workstations compromised via "shadow IT" or unauthorized software downloads.
## Tools & Infrastructure
- **Malware Families:**
  - **CNB Bot:** A previously undocumented .NET implant used for downloading payloads and system cleanup.
  - **PureRAT:** Commercial remote access trojan.
  - **PureMiner / SilentCryptoMiner:** Malware designed for stealthy background cryptomining.
  - **XMRig:** Open-source Monero miner (often used with a bespoke .NET loader).
- **Infrastructure:**
  - **GitHub:** Used as a payload delivery CDN across at least two identified accounts.
  - **C2:** HTTP POST-based command-and-control servers.
  - **Wallets:** Four tracked Monero wallets (accumulating approx. 27.88 XMR).
  - **Defanged Assets:** `WinRing0x64[.]sys`, `Winring0[.]sys`
## Implications
REF1695 represents a trend of "blended" monetization where actors do not rely solely on one method (like ransomware), but instead combine long-term passive income (mining) with immediate fraud (CPA content lockers). Their use of kernel-level drivers to optimize hardware for mining demonstrates a higher technical proficiency than standard "script kiddie" operations, increasing the risk of system instability and deep persistence on infected hosts.
## Mitigations
- **Software Management:** Implement strict application allowlisting to prevent the execution of unrecognized ISO files and unauthorized installers.
- **EDR Configuration:** Monitor for PowerShell activity that attempts to modify Microsoft Defender exclusion lists (e.g., `Set-MpPreference -ExclusionPath`).
- **Driver Blocking:** Utilize Microsoft's vulnerable driver blocklist to prevent the loading of known exploitable drivers like `WinRing0x64.sys`.
- **Educational Awareness:** Train users to identify fake "SmartScreen" bypass instructions often found in README files accompanying pirated software.
- **Network Monitoring:** Alert on outbound traffic to known mining pools and unauthorized GitHub repository downloads of binary files.
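The EDR, driver-blocking and network-monitoring items above describe four detections. The script below is an added example, not code from the report or from Elastic, that runs those four checks over a handful of constructed log records: simplified stand-ins for PowerShell script-block logs, driver-load events and proxy/network-connection logs. The `source|key=value` record format, the host names, the GitHub account and repository names and the `pool.constructed-example.invalid` pool host are all assumptions made for the example; the driver file names come from the report's defanged assets, and the `stratum+tcp://` scheme is the generic pool-protocol URI that XMRig-style miners use.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    evidence: str


# Constructed sample records (not from the report). Format: source|k=v|k=v
# ps_scriptblock ~ PowerShell script-block logging, driver_load ~ Sysmon
# driver-load telemetry, proxy/netconn ~ web proxy and network-connection logs.
SAMPLE_EVENTS = [
    "ps_scriptblock|host=WS01|script=Set-MpPreference -ExclusionPath 'C:\\Users\\Public' -ExclusionProcess 'svchost.exe'",
    "ps_scriptblock|host=WS03|script=Add-MpPreference -ExclusionExtension '.exe'",
    "ps_scriptblock|host=WS02|script=Get-MpPreference",
    "driver_load|host=WS01|image=C:\\Windows\\Temp\\WinRing0x64.sys|signed=true",
    "driver_load|host=WS02|image=C:\\Windows\\System32\\drivers\\tcpip.sys|signed=true",
    "proxy|host=WS01|url=https://github.com/example-account/example-repo/releases/download/v1/updater.exe",
    "proxy|host=WS02|url=https://github.com/example-account/example-repo/blob/main/README.md",
    "netconn|host=WS01|dest=stratum+tcp://pool.constructed-example.invalid:3333",
    "netconn|host=WS02|dest=https://www.microsoft.com/",
]

# File names taken from the report's defanged assets, re-armed for matching.
VULNERABLE_DRIVERS = {"winring0x64.sys", "winring0.sys"}

# Set-/Add-MpPreference combined with one of the exclusion parameters.
EXCLUSION_RE = re.compile(
    r"\b(?:Set|Add)-MpPreference\b[^\n]*?-Exclusion(?:Path|Process|Extension)\b",
    re.IGNORECASE,
)

# Binary-looking artifacts fetched from GitHub release or raw-content endpoints.
BINARY_EXT = (".exe", ".dll", ".iso", ".zip", ".7z", ".msi", ".ps1")
GITHUB_HOSTS = {"github.com", "raw.githubusercontent.com", "objects.githubusercontent.com"}


def parse_event(line):
    """Split 'source|k=v|k=v' into (source, {k: v}); values may themselves contain '='."""
    source, *fields = line.split("|")
    return source, dict(f.split("=", 1) for f in fields)


def check_defender_exclusion(src, f):
    if src == "ps_scriptblock" and EXCLUSION_RE.search(f.get("script", "")):
        return "defender_exclusion_modified"


def check_vulnerable_driver(src, f):
    if src == "driver_load":
        name = f.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in VULNERABLE_DRIVERS:
            return "vulnerable_driver_loaded"


def check_github_binary(src, f):
    if src == "proxy":
        u = urlparse(f.get("url", ""))
        if u.hostname in GITHUB_HOSTS and u.path.lower().endswith(BINARY_EXT):
            return "github_binary_download"


def check_mining_pool(src, f):
    dest = f.get("dest", "").lower()
    if src == "netconn" and dest.startswith(("stratum+tcp://", "stratum+ssl://")):
        return "mining_pool_connection"


RULES = (check_defender_exclusion, check_vulnerable_driver, check_github_binary, check_mining_pool)


def triage(lines):
    """Run every rule over every record; return one Finding per rule hit."""
    findings = []
    for line in lines:
        src, fields = parse_event(line)
        for rule in RULES:
            name = rule(src, fields)
            if name:
                findings.append(Finding(fields.get("host", "?"), name, line))
    return findings


def hosts_by_rule(findings):
    """Group the hosts that triggered each rule, for quick triage of overlap."""
    grouped = {}
    for fi in findings:
        grouped.setdefault(fi.rule, set()).add(fi.host)
    return grouped


if __name__ == "__main__":
    for fi in triage(SAMPLE_EVENTS):
        print(f"[{fi.rule}] {fi.host}: {fi.evidence}")
```

A host that trips more than one of these rules (in the sample data, `WS01` hits all four) matches the chain the report describes: exclusions configured, a vulnerable driver loaded, a binary pulled from GitHub, then a pool connection. Correlating on host rather than alerting on each rule independently is what turns four low-severity signals into one high-confidence incident.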