REF1695

REF1695 is a threat cluster tracked by Elastic Security Labs that has operated since at least late 2023, using counterfeit software installers, often packaged as ISO files, to deliver remote access trojans and cryptocurrency mining malware. The operation relies on social engineering, including ReadMe.txt instructions that persuade victims to bypass Windows SmartScreen, after which multiple malicious components are installed instead of legitimate software. Reported payloads and tooling associated with REF1695 include CNB Bot, PureRAT, PureMiner, SilentCryptoMiner, and a custom .NET-based XMRig loader. CNB Bot enables further payload injection, while the malware set provides remote access, persistence, code update capability, and cryptomining functionality. The operation is designed for long-term residence and evasion: the malware monitors for 35 security and analysis tools, including Task Manager and Wireshark, and temporarily stops mining when such tools are opened before restarting afterward. SilentCryptoMiner reportedly uses direct system calls and disables Windows Sleep and Hibernate modes. The campaign also uses the WinRing0x64.sys driver for deep processor access, abuses GitHub as a trusted payload delivery platform by hosting staged binaries on identified accounts, and uses RSA-2048 encryption for bot control. Monetization includes Monero mining and CPA fraud, with victims prompted to complete surveys or trial sign-ups to unlock registration keys; researchers identified four Monero wallets linked to the operation that collected more than 27.88 XMR. No additional aliases or sub-groups are directly mentioned in the provided content.