REF1695 Campaign Uses Fake Installers to Deploy RATs and Crypto Miners
A financially motivated cyber operation, tracked as **REF1695**, has been actively distributing remote access trojans (RATs) and cryptocurrency miners through deceptive installers since November 2023. The attackers are also leveraging techniques to bypass security measures and improve mining performance.

Researchers at **Elastic Security Labs** have uncovered details about **REF1695**, a campaign using fake installers to deploy malware. According to Jia Yu Chan, Cyril François, and Remco Sprooten, the group monetizes infections through CPA (Cost Per Action) fraud, directing victims to content locker pages under the guise of software registration.
### CNB Bot: A New .NET Implant
Recent iterations of the **REF1695** campaign involve the delivery of a new .NET implant called **CNB Bot**. The attack chain starts with an ISO file containing a .NET Reactor-protected loader and a text file. The text file instructs the user to bypass **Microsoft Defender SmartScreen** by clicking "More info" and "Run anyway."
The loader executes a **PowerShell** script that configures broad **Microsoft Defender Antivirus** exclusions. This allows **CNB Bot** to launch in the background while displaying a fake error message to the user.
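A defender-side check the exclusion step above invites, added here as an example and not code from the Elastic report: a Python triage of Microsoft Defender operational-log Event ID 5007 (configuration changed) lines that flags exclusions broad enough to hide a loader, such as a drive root, an executable file type, or a script interpreter. The sample event lines and the "broad" heuristics are constructed for this example.

```python
import re

# Constructed sample "New value" fields from Defender Event ID 5007 lines.
# Made up for this demo, not telemetry from the REF1695 campaign.
SAMPLE_EVENTS = [
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0",
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.exe = 0x0",
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\powershell.exe = 0x0",
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Vendor\cache = 0x0",
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.log = 0x0",
]
# Defender records one registry value per exclusion under Paths, Extensions or Processes.
EXCLUSION_RE = re.compile(
    r"Exclusions\\(?P<kind>Paths|Extensions|Processes)\\(?P<value>.+?)\s*=\s*0x0$"
)
# "Broad" means the exclusion blinds scanning for a whole class of files rather than
# one known-benign item. These lists are illustrative heuristics, not a vendor rule set.
BROAD_TOP_LEVEL_DIRS = {"c:\\users", "c:\\programdata", "c:\\windows",
                        "c:\\program files", "c:\\program files (x86)", "c:\\temp"}
EXEC_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".scr", ".iso"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "msbuild.exe"}


def classify_exclusion(event_text):
    """Return (kind, value, reason); reason is None for a narrow exclusion, otherwise a
    short string saying why it is considered broad. Returns None for non-exclusion lines."""
    m = EXCLUSION_RE.search(event_text)
    if not m:
        return None
    kind, value = m.group("kind"), m.group("value").strip()
    v = value.lower()
    reason = None
    if kind == "Paths":
        if re.fullmatch(r"[a-z]:\\?", v):
            reason = "drive root excluded"
        elif "*" in v:
            reason = "wildcard path exclusion"
        elif v.rstrip("\\") in BROAD_TOP_LEVEL_DIRS:
            reason = "top-level system or user directory excluded"
    elif kind == "Extensions" and v in EXEC_EXTENSIONS:
        reason = "executable file type excluded"
    elif kind == "Processes" and v in INTERPRETERS:
        reason = "script interpreter or LOLBin excluded"
    return kind, value, reason


def find_broad_exclusions(events):
    """Run the classifier over Event 5007 lines and keep only the broad exclusions."""
    parsed = (classify_exclusion(line) for line in events)
    return [p for p in parsed if p and p[2]]
```

A burst of such events from a single process shortly after an ISO mount is the pattern worth alerting on; a lone narrow exclusion is usually routine administration.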
**CNB Bot** acts as a loader, downloading and executing further payloads, updating itself, and performing cleanup to remove traces of the infection. It communicates with its command-and-control (C2) server using HTTP POST requests.
### RATs, Miners, and Kernel Exploitation
Other campaigns linked to this threat actor have used similar ISO lures to deploy **PureRAT**, **PureMiner**, and a custom .NET-based **XMRig** loader. The **XMRig** loader fetches mining configurations from a hard-coded URL and launches the miner payload.
Like the **FAUX#ELEVATE** campaign, **REF1695** abuses "WinRing0x64.sys," a legitimate but vulnerable Windows kernel driver, to gain kernel-level hardware access. This allows the attackers to modify CPU settings to boost hash rates for improved mining performance. The use of this driver has been observed in many cryptojacking campaigns and was integrated into **XMRig** miners in December 2019.
### SilentCryptoMiner and Persistence Mechanisms
**Elastic** also identified campaigns deploying **SilentCryptoMiner**. This miner uses direct system calls to evade detection and disables Windows Sleep and Hibernate modes. It establishes persistence via a scheduled task and utilizes the "Winring0.sys" driver to optimize CPU settings for mining.
The attackers employ a watchdog process to ensure malicious artifacts and persistence mechanisms are restored if deleted. The campaign has reportedly accumulated 27.88 XMR (approximately $9,392) across four tracked wallets.
### Abusing GitHub for Payload Delivery
The threat actors are also abusing **GitHub** as a payload delivery CDN, hosting binaries across multiple accounts. This technique shifts the download-and-execute step to a trusted platform, reducing detection friction.