Fake software installers have been deploying RATs, crypto miners, and a new .NET implant since November 2023. Elastic Security Labs published its analysis of the operation, tracked as REF1695, on March 31, 2026. The firm traced 27.88 XMR ($9,392) in mining payouts across four wallets.
The latest iteration delivers a malware called CNB Bot through ISO files. Each ISO contains a .NET Reactor-protected loader (additionally packed with Themida/WinLicense 3.x) and a ReadMe.txt with explicit step-by-step instructions for bypassing Windows SmartScreen. No legitimate software is installed at any point.
The ReadMe frames the binary as a non-profit project that cannot afford EV code-signing. It tells the victim to click "More info" and then "Run anyway" when SmartScreen fires. The ClickFix pattern from the DeepLoad campaign uses the same principle. Attackers convince users to override security controls themselves.
PowerShell runs next, setting broad Microsoft Defender exclusions across %TEMP%, %LocalAppData%, and the loader path. CNB Bot launches in the background. The user sees a fake error about system specifications.
CNB Bot is a .NET implant not previously documented. It communicates with C2 servers via HTTP POST and supports three operator commands: download and execute payloads, update itself, or uninstall with cleanup. Elastic found bot version 1.1.6 with campaign identifier "03_26" (March 2026).
Persistence uses a scheduled task named HostDataPlugin. C2 URLs, mutex name, auth token, and communications key are AES-256-CBC encrypted with a hardcoded 32-byte key that changes across campaign batches.
Malware researcher @ViriBack discovered a related C2 panel at win64autoupdates[.]top/CNB/l0g1n234[.]php on January 31, 2026. The panel has since been taken offline. The ISO file format has historically been used to bypass Mark of the Web (MOTW) tagging, though Microsoft patched the primary bypass in November 2022.
This technique shifts the download-and-execute step away from operator-controlled infrastructure to a trusted platform, reducing detection friction.
— Elastic Security Labs, describing REF1695's use of GitHub as a payload delivery CDN
REF1695 runs multiple parallel campaigns that Elastic linked through consistent packing, overlapping C2 infrastructure, and shared social engineering patterns. The operator hosts staged binaries on GitHub across two identified accounts, using GitHub's CDN as a payload delivery platform. Beyond CNB Bot, the toolset includes PureRAT (v3.0.1), PureMiner, a custom .NET-based XMRig loader, and SilentCryptoMiner.
The XMRig campaigns abuse WinRing0x64.sys, a legitimate signed Windows kernel driver. The driver provides kernel-level hardware access to modify CPU settings and boost hash rates. XMRig added WinRing0 support in December 2019. SilentCryptoMiner disables Windows Sleep and Hibernate modes to keep mining running continuously and includes a watchdog that restores artefacts and persistence if deleted.
The mining income works out to about $9,400 over 29 months, roughly $3,900 per year across four wallets. REF1695 is not an APT. It is a low-tier, high-volume commodity operation where many infections yield small per-infection returns. The addition of CPA advertising fraud and RAT access (monetisable through credential theft or access resale) supplements the mining income.
REF1695 also generates revenue through CPA (cost-per-action) fraud. The operator directs victims to content locker pages disguised as software registration, generating per-action advertising revenue.
Defenders should watch for WinRing0x64.sys driver loads and PowerShell commands creating broad Defender exclusions. Scheduled tasks with generic names like HostDataPlugin are another indicator. Block win64autoupdates[.]top and audit GitHub-hosted binary downloads in network logs. Elastic published IOCs, YARA rules, and detection signatures in the full report.
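The three host indicators above (broad Defender exclusions from PowerShell, a WinRing0x64.sys load, and a HostDataPlugin scheduled task), turned into simple detection logic run over constructed sample telemetry. This is an added example, not code from the Elastic report; the event format, rule names and the user-profile-path heuristic are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (not from the Elastic report): (event_type, detail) pairs
# loosely modelled on process-creation, driver-load and scheduled-task events from an EDR.
SAMPLE_EVENTS = [
    ("process", 'powershell.exe -w hidden -c "Add-MpPreference -ExclusionPath $env:TEMP; '
                'Add-MpPreference -ExclusionPath $env:LocalAppData; '
                'Add-MpPreference -ExclusionPath C:\\Users\\bob\\Downloads\\installer.exe"'),
    ("process", 'powershell.exe -c "Add-MpPreference -ExclusionPath C:\\BuildAgent\\work"'),
    ("driver", "C:\\Users\\bob\\AppData\\Local\\Temp\\WinRing0x64.sys"),
    ("task", "schtasks.exe /create /tn HostDataPlugin /tr C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe /sc onlogon"),
    ("task", "schtasks.exe /create /tn NightlyBackup /tr C:\\Backup\\run.exe /sc daily"),
]

EXCLUSION_RE = re.compile(r"""Add-MpPreference\s+-Exclusion(?:Path|Process)\s+("[^"]*"|'[^']*'|[^;"\s]+)""", re.I)
# Exclusion roots that blanket every user-writable location a loader would stage in.
BROAD_ROOTS = ("%temp%", "$env:temp", "%localappdata%", "$env:localappdata",
               "\\appdata\\local\\temp", "\\users\\public")
GENERIC_TASK_NAMES = {"hostdataplugin"}  # task name reported for CNB Bot persistence

def defender_exclusions(cmdline: str) -> list[str]:
    """Every path or process handed to Add-MpPreference -Exclusion* in one command line."""
    return [m.group(1).strip("\"'") for m in EXCLUSION_RE.finditer(cmdline)]

def is_broad_exclusion(path: str) -> bool:
    p = path.strip("\"'").lower()
    # A whole drive, or any of the staging roots above, counts as broad.
    return bool(re.fullmatch(r"[a-z]:\\?", p)) or any(root in p for root in BROAD_ROOTS)

def evaluate(event_type: str, detail: str) -> list[str]:
    """Names of the REF1695-style indicators one event trips (empty list if none)."""
    hits = []
    if event_type == "process":
        broad = [p for p in defender_exclusions(detail) if is_broad_exclusion(p)]
        if broad:
            hits.append("defender_broad_exclusion:" + ",".join(broad))
    elif event_type == "driver" and PureWindowsPath(detail).name.lower() == "winring0x64.sys":
        # Signed driver with legitimate users; a load from a user profile is the stronger signal.
        hits.append("winring0_load" + (":user_path" if "\\users\\" in detail.lower() else ""))
    elif event_type == "task":
        m = re.search(r'/tn\s+("[^"]+"|\S+)', detail, re.I)
        if m and m.group(1).strip('"').lower() in GENERIC_TASK_NAMES:
            hits.append("task_name:" + m.group(1).strip('"'))
        if re.search(r'/tr\s+"?[^"\s]*\\(?:temp|appdata)\\', detail, re.I):
            hits.append("task_runs_from_user_dir")
    return hits

def scan(events) -> list[tuple[int, str]]:
    # (event_index, indicator) for every rule hit across a batch of events.
    return [(i, h) for i, (t, d) in enumerate(events) for h in evaluate(t, d)]
```

Running `scan(SAMPLE_EVENTS)` flags the exclusion command, the driver load and the task, and leaves the narrow build-agent exclusion and the backup task alone; real pipelines should pair the WinRing0 rule with the load path, since the driver itself is legitimately signed.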