Security researchers have identified a financially motivated campaign, tracked as REF1695, that has been distributing malware since late 2023. The operation uses fake software installers to trick users into running remote access trojans (RATs) and cryptocurrency miners on their systems.
The threat actors behind this campaign monetize each infection in more than one way. Beyond the revenue from hijacking victims' computing resources for cryptocurrency mining, the group earns cost-per-action (CPA) affiliate income: infected users are redirected to content locker pages that masquerade as legitimate software registration portals, and the operators are paid each time a victim completes the survey, sign-up or download the locker demands. The same compromised machine is thus milked twice.
The infection chain relies on ISO disk images as the primary delivery vector. Disguised as legitimate software installers, the images are mounted by the victim, and the executable inside runs like any locally installed program, so the attackers need no exploit, only a convincing lure. Once the installer runs, the system is compromised with both a RAT and a cryptominer operating in the background.
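The mount-then-execute pattern described above is something a detection engineer can correlate directly. The following is an added example, not code or data from the REF1695 report: it takes a constructed, simplified event stream (the field names `iso_mount`, `process_create`, `image_path`, `drive` and `image` are assumptions standing in for what Windows ISO-mount telemetry and process-creation telemetry such as Sysmon Event ID 1 would provide after normalisation) and raises an alert when a process is launched from a drive letter that an ISO was mounted to moments earlier, escalating when the ISO itself came from a download or temp folder or when the launched "installer" drops a child process into a user-writable directory.

```python
"""Correlate ISO mounts with process launches from the mounted drive.

Added example; the event schema is a constructed normalisation, not a
vendor format, and the timing window and directory list are assumptions.
"""
import json
from datetime import datetime, timedelta

# Constructed sample telemetry (not real REF1695 data): on HOST-1 a user
# downloads an ISO, mounts it as E:, runs the "installer" inside, which drops
# a second stage into %TEMP%. HOST-2 runs a setup.exe from E: with no ISO
# mount in sight (a real DVD or USB stick) and must not alert.
SAMPLE_EVENTS = [
    r'{"ts":"2024-02-14T09:12:01Z","host":"HOST-1","user":"bob","event":"iso_mount","image_path":"C:\\Users\\bob\\Downloads\\PhotoEditor_Setup.iso","drive":"E:"}',
    r'{"ts":"2024-02-14T09:12:09Z","host":"HOST-1","user":"bob","event":"process_create","image":"E:\\Setup.exe","parent":"C:\\Windows\\explorer.exe"}',
    r'{"ts":"2024-02-14T09:12:15Z","host":"HOST-1","user":"bob","event":"process_create","image":"C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe","parent":"E:\\Setup.exe"}',
    r'{"ts":"2024-02-14T11:40:00Z","host":"HOST-2","user":"alice","event":"process_create","image":"E:\\Office\\setup.exe","parent":"C:\\Windows\\explorer.exe"}',
]

MOUNT_TO_EXEC_WINDOW = timedelta(minutes=10)  # assumption: tune per environment
USER_WRITABLE_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\")  # where lures land


def parse_events(lines):
    """Decode one JSON event per line and return them sorted by timestamp."""
    events = [json.loads(line) for line in lines]
    for ev in events:
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda ev: ev["ts"])


def correlate_iso_execution(lines):
    """Alert on processes launched from a drive an ISO was just mounted to, and
    on children of such processes that start from user-writable directories."""
    mounts = {}             # (host, drive letter) -> most recent ISO mount event
    launched_from_iso = {}  # (host, image path) -> alert for the ISO-launched process
    alerts = []
    for ev in parse_events(lines):
        if ev["event"] == "iso_mount":
            mounts[(ev["host"], ev["drive"].upper())] = ev
            continue
        if ev["event"] != "process_create":
            continue
        host, image, parent = ev["host"], ev["image"], ev["parent"]
        mount = mounts.get((host, image[:2].upper()))
        if mount and ev["ts"] - mount["ts"] <= MOUNT_TO_EXEC_WINDOW:
            alert = {
                "stage": "exec_from_iso", "severity": "medium", "host": host,
                "user": ev["user"], "iso": mount["image_path"], "image": image,
                "parent": parent,
                "seconds_after_mount": int((ev["ts"] - mount["ts"]).total_seconds()),
            }
            # An ISO sitting in a download/temp folder is the phishing pattern,
            # not installation media; rate it higher.
            if any(d in mount["image_path"].lower() for d in USER_WRITABLE_DIRS):
                alert["severity"] = "high"
            launched_from_iso[(host, image)] = alert
            alerts.append(alert)
        elif (host, parent) in launched_from_iso and any(
            d in image.lower() for d in USER_WRITABLE_DIRS
        ):
            # The ISO-launched "installer" is dropping and running a payload.
            origin = launched_from_iso[(host, parent)]
            alerts.append({
                "stage": "dropped_child", "severity": "high", "host": host,
                "user": ev["user"], "iso": origin["iso"], "image": image,
                "parent": parent,
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate_iso_execution(SAMPLE_EVENTS):
        print(alert)
```

Keying the mount table by host and drive letter is what keeps HOST-2 quiet: a launch from E: is only suspicious on a host where E: is known to be an ISO, and only inside the window after the mount.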
Remote access trojans present a particularly serious threat, as they grant attackers interactive control over infected machines: they can steal sensitive data, install additional malware, or enlist compromised systems in larger botnet operations. The cryptominer compounds the problem by consuming CPU and GPU cycles, degrading performance, and raising electricity costs for victims.
The longevity of this campaign, running for over a year, suggests the attackers have kept evading detection by continually adapting their lures and payloads. The pairing of RAT deployment with cryptomining and CPA fraud illustrates how opportunistic modern cybercrime operations have become: a single infection is monetized in every way available.
Security experts recommend that users remain vigilant when downloading software, obtain installers only from official sources and verify their authenticity (for example, by checking the publisher's digital signature or published hashes), and keep endpoint protection up to date. Organizations should enforce application allowlisting, treat mounted ISO images as untrusted removable media, and monitor for unusual network traffic, such as persistent connections to mining pools, that could indicate compromised systems running unauthorized miners.
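Monitoring for unauthorized mining is more reliable when it keys on the mining protocol itself rather than on destination ports alone. The following is an added example, not code or traffic from the REF1695 report: it scans a constructed flow log in which the first client payload of each connection has been captured (the line format and the IP addresses, taken from RFC 5737 documentation ranges, are assumptions) and flags hosts that speak Stratum, either the classic `mining.subscribe` / `mining.authorize` / `mining.submit` JSON-RPC methods or the XMRig-style `login` / `submit` variant, pulling out the pool, wallet and miner user agent where the protocol exposes them.

```python
"""Flag internal hosts that speak the Stratum mining protocol.

Added example. The flow-log format below is a constructed simplification of
what a network sensor that records the first client payload per connection
could emit; the method names are the ones the Stratum dialects actually use.
"""
import json
import re
from collections import defaultdict

# Constructed sample (not real REF1695 traffic). Format:
#   "<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <first client payload>"
SAMPLE_FLOWS = [
    '2024-02-14T09:13:02Z 10.0.0.23:51734 -> 203.0.113.10:3333 {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"44ExampleWalletAddressXMRExampleOnly","pass":"x","agent":"XMRig/6.21.0","algo":["rx/0"]}}',
    '2024-02-14T09:13:40Z 10.0.0.23:51734 -> 203.0.113.10:3333 {"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"1","job_id":"abc","nonce":"deadbeef","result":"00"}}',
    '2024-02-14T09:14:11Z 10.0.0.5:49211 -> 198.51.100.7:443 GET /updates/latest HTTP/1.1',
    '2024-02-14T09:15:00Z 10.0.0.9:60120 -> 192.0.2.44:4444 {"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}',
    '2024-02-14T09:15:01Z 10.0.0.9:60120 -> 192.0.2.44:4444 {"id":2,"method":"mining.authorize","params":["worker1.rig","x"]}',
    '2024-02-14T09:16:30Z 10.0.0.31:55000 -> 203.0.113.77:8080 {"id":7,"method":"mining.submit","params":["worker1.rig","job1","0000","ffffffff","00000000"]}',
]

FLOW_RE = re.compile(r'^(\S+) (\S+):(\d+) -> (\S+):(\d+) (.*)$')
STRATUM_V1_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit", "mining.extranonce.subscribe",
}


def classify_payload(payload):
    """Return (family, details) if the payload is a Stratum message, else None.

    'login' and 'submit' are generic method names, so the XMRig-style checks
    also require the parameter shape that the protocol uses.
    """
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(msg, dict):
        return None
    method, params = msg.get("method"), msg.get("params")
    if method in STRATUM_V1_METHODS:
        first = params[0] if isinstance(params, list) and params else None
        return "stratum-v1", {"method": method, "first_param": first}
    if method == "login" and isinstance(params, dict) and {"login", "agent"}.issubset(params):
        return "stratum-xmrig", {
            "method": method, "wallet": params["login"], "agent": params["agent"],
        }
    if method == "submit" and isinstance(params, dict) and {"job_id", "nonce"}.issubset(params):
        return "stratum-xmrig", {"method": method}
    return None


def scan_flows(lines):
    """Group Stratum detections per internal source host."""
    hosts = defaultdict(lambda: {
        "pools": set(), "methods": [], "families": set(), "wallet": None, "agent": None,
    })
    for line in lines:
        match = FLOW_RE.match(line)
        if not match:
            continue  # malformed line; a real pipeline would count these
        _ts, src, _sport, dst, dport, payload = match.groups()
        hit = classify_payload(payload)
        if hit is None:
            continue
        family, details = hit
        rec = hosts[src]
        rec["pools"].add(f"{dst}:{dport}")
        rec["methods"].append(details["method"])
        rec["families"].add(family)
        rec["wallet"] = details.get("wallet", rec["wallet"])
        rec["agent"] = details.get("agent", rec["agent"])
    return dict(hosts)


if __name__ == "__main__":
    for host, rec in scan_flows(SAMPLE_FLOWS).items():
        print(host, sorted(rec["pools"]), rec["methods"], rec["agent"], rec["wallet"])
```

The host on 10.0.0.31 is caught even though it talks to port 8080 and never sent a login, which is the point of matching on protocol methods rather than on a port list; conversely the HTTPS client on 10.0.0.5 is ignored because its payload is not Stratum JSON-RPC at all.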