HackRead

Hackers Pose as Non-Profit Developers to Deploy Monero Mining Malware


Since at least late 2023, a group tracked as REF1695 has been running a quiet but profitable cryptomining operation by hiding malware inside fake software installers. According to Elastic Security Labs, which uncovered the campaign, these attackers are not after a quick payday: their tooling is built to persist on a victim's computer for months, hiding in plain sight while siphoning processing power for the attackers' profit.

The Non-Profit Trap

The scam usually starts with a fake download, often an ISO file. To get past security checks, the attackers include a ReadMe.txt file that relies on social engineering: it claims the software comes from a small non-profit team of developers who cannot afford an official Windows code-signing certificate and are giving the software away for free. It then walks the user through bypassing SmartScreen by clicking More Info and then Run Anyway.

However, instead of the promised software, a chain of loaders installs a malicious toolkit that includes CNB Bot, PureRAT, and SilentCryptoMiner. Together these give the attackers full remote access to the victim's files, the ability to update their malicious code, and control over the computer's hardware for cryptocurrency mining.

Source: Elastic Security

A Game of Hide and Seek

What makes this attack notable is how hard it works to stay invisible, the researchers explained in their blog post: the malware continuously checks the victim's system for 35 different security and analysis tools, from the built-in Task Manager to professional software such as Wireshark.

If you open one of these tools, perhaps because your PC feels sluggish, the malware immediately kills the mining process. The computer's performance returns to normal, leaving nothing to find. Once the tool is closed, the miner quietly restarts.

Turning Your PC Into a Cash Cow

The attackers monetize the hardware in two main ways. First, through cryptojacking: they load a driver called WinRing0x64.sys, which gives the miner low-level access to the processor (this is the driver XMRig-family miners use to write CPU model-specific registers and speed up RandomX hashing), so they can mine Monero (XMR) much faster. By extracting wallet data from the malware and monitoring public mining-pool dashboards, researchers identified four wallets that have already collected over 27.88 Monero (roughly $9,400).
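As an added example (not code from the article or from Elastic Security Labs), the following Python script shows how a defender could hunt for the two behaviours described above in process and driver-load telemetry: a process that exits within seconds of an analysis tool starting and then restarts once the tool closes, and a load of the WinRing0x64.sys driver. The simplified log format, the sample log lines and the list of monitored tools are constructed assumptions; Elastic's full list of 35 tools is not reproduced on this page, so the set below is only a plausible subset.

```python
"""Hunt for REF1695-style miner behaviour in process/driver telemetry.

Added example, not code from the article or from Elastic Security Labs.
The log format is a constructed, Sysmon-like simplification:
    <ISO timestamp> <ProcessCreate|ProcessTerminate|DriverLoad> pid=<N> image=<path>
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed subset of the analysis tools the malware watches for; the article
# says there are 35 but names only Task Manager and Wireshark.
ANALYSIS_TOOLS = {
    "taskmgr.exe", "procexp.exe", "procexp64.exe", "procmon.exe",
    "procmon64.exe", "processhacker.exe", "wireshark.exe", "tcpview.exe",
}
# Driver named in the article (used by XMRig-family miners for MSR tweaks).
SUSPICIOUS_DRIVERS = {"winring0x64.sys", "winring0.sys"}

# Constructed sample telemetry: a miner hides from Task Manager, comes back,
# loads WinRing0, then hides again from Wireshark. notepad.exe is an innocent
# process that happens to exit at about the same time (a false-positive candidate).
SAMPLE_LOG = r"""
2024-03-01T10:00:00 ProcessCreate pid=4100 image=C:\Users\bob\AppData\Roaming\Updater\svchost.exe
2024-03-01T10:20:00 ProcessCreate pid=5200 image=C:\Windows\System32\Taskmgr.exe
2024-03-01T10:20:01 ProcessTerminate pid=4100 image=C:\Users\bob\AppData\Roaming\Updater\svchost.exe
2024-03-01T10:21:30 ProcessTerminate pid=5200 image=C:\Windows\System32\Taskmgr.exe
2024-03-01T10:21:45 ProcessCreate pid=4320 image=C:\Users\bob\AppData\Roaming\Updater\svchost.exe
2024-03-01T10:21:46 DriverLoad pid=4 image=C:\Windows\Temp\WinRing0x64.sys
2024-03-01T11:00:00 ProcessCreate pid=6000 image=C:\Program Files\Wireshark\Wireshark.exe
2024-03-01T11:00:02 ProcessTerminate pid=4320 image=C:\Users\bob\AppData\Roaming\Updater\svchost.exe
2024-03-01T11:00:03 ProcessTerminate pid=7777 image=C:\Windows\System32\notepad.exe
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    pid: int
    image: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> Event:
    # image= is the last field, so the path may contain spaces.
    ts, kind, pid_field, image_field = line.split(maxsplit=3)
    return Event(datetime.fromisoformat(ts), kind,
                 int(pid_field.split("=", 1)[1]), image_field.split("=", 1)[1])


def find_driver_loads(events: List[Event]) -> List[str]:
    """Image paths of loaded drivers whose file name matches the miner driver."""
    return [e.image for e in events
            if e.kind == "DriverLoad" and basename(e.image) in SUSPICIOUS_DRIVERS]


def find_tool_evasion(events: List[Event], window_s: int = 5) -> List[Dict]:
    """Processes that exit within window_s seconds of an analysis tool starting.

    Each finding records whether the same image started again after the tool
    closed; that restart is the strong signal, since a user merely killing a
    process from Task Manager would not produce it.
    """
    events = sorted(events, key=lambda e: e.ts)
    findings = []
    for i, tool in enumerate(events):
        if tool.kind != "ProcessCreate" or basename(tool.image) not in ANALYSIS_TOOLS:
            continue
        tool_exit: Optional[datetime] = next(
            (e.ts for e in events[i + 1:]
             if e.kind == "ProcessTerminate" and e.pid == tool.pid), None)
        deadline = tool.ts + timedelta(seconds=window_s)
        for e in events[i + 1:]:
            if e.ts > deadline:
                break
            if e.kind != "ProcessTerminate" or e.pid == tool.pid:
                continue
            restarted = tool_exit is not None and any(
                r.kind == "ProcessCreate" and r.ts > tool_exit
                and basename(r.image) == basename(e.image) for r in events)
            findings.append({"image": e.image, "tool": basename(tool.image),
                             "exit_delay_s": (e.ts - tool.ts).total_seconds(),
                             "restarted_after_tool_closed": restarted})
    return findings


def analyze(log_text: str) -> Dict[str, list]:
    events = [parse_line(line) for line in log_text.strip().splitlines()]
    return {"drivers": find_driver_loads(events), "evasion": find_tool_evasion(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

On the sample data the script flags the WinRing0x64.sys load and three exits near tool launches, but only the first (svchost.exe exiting one second after Task Manager opened and restarting after it closed) carries the restart marker; the notepad.exe exit shows why the timing rule alone is too noisy to alert on and why the restart-after-tool-close correlation is the part worth keeping.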

Second, victims are pushed into CPA (Cost Per Action) fraud: to unlock a registration key they must complete surveys or sign up for trials, earning the attackers a commission for every sign-up.

Staying Under the Radar

To stay hidden, the group hosts malicious files on trusted platforms such as GitHub and protects its bot command channel with RSA-2048. The practical effect is that even if researchers locate the control panel, they cannot easily impersonate it or issue their own commands to the bots.

The best protection against this threat is to avoid unofficial installers and cracked software. If a download asks you to manually disable security features, it’s almost certainly a trap.




