Elastic Security Labs has identified a financially motivated operation designated REF1695, active since late 2023. The threat actor utilizes a complex infection chain involving fake software installers and ISO images to deploy a variety of Remote Access Trojans (RATs) such as PureRAT and AsyncRAT, custom cryptominers, and a previously undocumented .NET implant called CNB Bot. The operator monetizes these infections through two primary streams: XMR (Monero) mining and Cost Per Action (CPA) fraud, where victims are tricked into completing offers on content locker pages to "unlock" software registration keys.
The operation is characterized by its consistent use of multi-layered packing—specifically a combination of Themida and .NET Reactor—and the abuse of GitHub as a content delivery network for malicious payloads. Advanced evasion techniques are a hallmark of the campaign, including the use of direct syscalls to bypass NTDLL monitoring, the automated termination of mining processes when analysis tools are detected, and the modification of Model Specific Registers (MSR) via the WinRing0 driver to optimize mining hash rates. Researchers successfully leveraged an agentic AI pipeline to automate the deobfuscation and configuration extraction of hundreds of these infection chains.