Hackers Impersonate Non-Profit Developers to Spread Monero Crypto-Mining Malware


Thursday, April 9, 2026

Security researchers from Elastic Security Labs have uncovered a malware campaign linked to the threat group REF1695, active since late 2023. The attackers distribute malware through fake software installers packaged as ISO files. A key tactic in this campaign is the use of social engineering via a ReadMe.txt file, which claims the developers are a small non-profit team lacking the budget to purchase a Windows EV code-signing certificate. This story is used to trick users into bypassing SmartScreen protections and manually executing malicious files under the false assumption that the software is legitimate.

Once installed, multiple malware families, including CNB Bot, PureRAT, and SilentCryptoMiner, are deployed on the victim’s system to enable remote control and cryptocurrency mining. One of the most concerning capabilities is their advanced evasion technique: the malware continuously monitors for over 35 system analysis tools, such as Task Manager or Wireshark. If a user opens one of these tools, often after noticing system slowdowns, the malware immediately pauses its mining activity to avoid detection. Once the monitoring tools are closed, the malware resumes mining Monero (XMR) in the background, generating continuous revenue for the attackers.
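The "pause when an analysis tool opens" behaviour described above is itself a detectable signal: a process whose CPU use collapses exactly while Task Manager or Wireshark is running, and recovers once they close, is behaving unlike any legitimate workload. The following is an added example, not code from the article or from Elastic Security Labs; it runs a simple hunting heuristic over constructed endpoint telemetry (the process names, the sampling interval and the tool list beyond Task Manager and Wireshark are assumptions, and the real list of 35+ monitored tools is not reproduced on the page).

```python
from collections import defaultdict

# Analysis tools the article says the miner watches for (Task Manager,
# Wireshark), plus two assumed extras. The full 35+ list is not on the page.
ANALYSIS_TOOLS = {"taskmgr.exe", "wireshark.exe", "procmon.exe", "procexp.exe"}

# Constructed telemetry: (seconds, process, cpu_percent, processes running).
# "svchost_update.exe" is a made-up miner that burns CPU until taskmgr.exe
# appears, idles while it is open, then resumes. "video_encode.exe" is a
# made-up legitimate busy process that does not react to Task Manager.
SAMPLES = [
    (0,  "svchost_update.exe", 92.0, {"explorer.exe"}),
    (5,  "svchost_update.exe", 95.0, {"explorer.exe"}),
    (10, "svchost_update.exe",  0.4, {"explorer.exe", "taskmgr.exe"}),
    (15, "svchost_update.exe",  0.2, {"explorer.exe", "taskmgr.exe"}),
    (20, "svchost_update.exe", 90.0, {"explorer.exe"}),
    (0,  "video_encode.exe",   85.0, {"explorer.exe"}),
    (10, "video_encode.exe",   88.0, {"explorer.exe", "taskmgr.exe"}),
    (20, "video_encode.exe",   86.0, {"explorer.exe"}),
]


def tool_aware_processes(samples, tools=ANALYSIS_TOOLS, high=50.0, low=5.0):
    """Return processes whose mean CPU is >= `high` while no analysis tool is
    running and <= `low` while one is. Both states must have been observed,
    so a process seen only with or only without a tool is never flagged."""
    with_tool, without_tool = defaultdict(list), defaultdict(list)
    for _t, proc, cpu, running in samples:
        tool_open = bool(tools & {p.lower() for p in running})
        (with_tool if tool_open else without_tool)[proc].append(cpu)
    flagged = []
    for proc, busy_cpu in without_tool.items():
        if proc not in with_tool:
            continue
        busy = sum(busy_cpu) / len(busy_cpu)
        quiet = sum(with_tool[proc]) / len(with_tool[proc])
        if busy >= high and quiet <= low:
            flagged.append(proc)
    return sorted(flagged)


def suspicious_drivers(loaded_drivers):
    """Flag the low-level driver the article says the miner loads
    (WinRing0x64.sys), regardless of the case reported by the host."""
    return sorted(d for d in loaded_drivers if d.lower() == "winring0x64.sys")


if __name__ == "__main__":
    print("tool-aware processes:", tool_aware_processes(SAMPLES))
    print("suspicious drivers:", suspicious_drivers(["ntfs.sys", "WinRing0x64.sys"]))
```

On a real host the samples would come from periodic process snapshots and the driver list from the loaded-module inventory; the thresholds are deliberately coarse and are meant to feed a triage queue, not to block on their own.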

Investigations show that the group has already earned over $9,400 USD from crypto mining, leveraging the WinRing0x64.sys driver to access low-level system resources. Additionally, the campaign includes CPA (Cost-Per-Action) fraud, where victims are tricked into completing surveys or signing up for services in exchange for fake software license keys, generating extra commissions for the attackers. To stay safe, users should avoid downloading pirated software or files from untrusted sources and be especially cautious of any instructions that suggest disabling security features or bypassing SmartScreen warnings—these are clear red flags that the software may be malicious.

Source: https://hackread.com/hackers-non-profit-developers-monero-mining-malware/