thehackernews.com 4/2/2026, 12:22:27 PM

Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners

Threat Actor: REF1695

A financially motivated operation codenamed REF1695 has been observed since November 2023 using fake installers to deploy remote access trojans (RATs) and cryptocurrency miners, according to Elastic Security Labs researchers Jia Yu Chan, Cyril François, and Remco Sprooten. The group has since expanded its tooling to a previously undocumented .NET implant named CNB Bot. The ISO file used as the infection vector delivers a .NET Reactor-protected loader together with a user instruction text file, a combination used to bypass Defender SmartScreen protections.

CNB Bot acts as a loader that can download and execute additional payloads, update itself, uninstall and perform cleanup, and it communicates with its C2 server via HTTP POST requests. Elastic noted that other campaigns from the same actor have used ISO lures to deploy PureRAT, PureMiner, and a bespoke .NET-based XMRig loader, with WinRing0x64[.]sys utilised to optimise CPU performance for mining.

The operation is turning a profit: 27.88 XMR ($9,392) has reportedly been earned across four tracked wallets. The actor also leverages GitHub as a payload delivery CDN to reduce detection friction.
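As an added detection example (not code from the article or from Elastic's research), the following Python correlates constructed Sysmon-style events for the behaviours described above: an executable run from the root of a mounted volume, that same process fetching from GitHub, and WinRing0x64.sys loaded from outside the system drivers directory. The raw.githubusercontent.com hostname, the drive-letter heuristic and the ten-minute window are assumptions, not details from the article.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style events (not from the article). ws01 models the
# described chain; ws02 is a benign hardware monitor that ships the driver.
SAMPLE_EVENTS = [
    {"host": "ws01", "EventID": 1, "UtcTime": "2026-04-01 09:00:05",
     "Image": r"E:\Setup.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"host": "ws01", "EventID": 3, "UtcTime": "2026-04-01 09:00:09",
     "Image": r"E:\Setup.exe", "DestinationHostname": "raw.githubusercontent.com"},
    {"host": "ws01", "EventID": 6, "UtcTime": "2026-04-01 09:03:40",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\WinRing0x64.sys"},
    {"host": "ws02", "EventID": 6, "UtcTime": "2026-04-01 10:15:00",
     "ImageLoaded": r"C:\Program Files\HWMon\WinRing0x64.sys"},
    {"host": "ws03", "EventID": 1, "UtcTime": "2026-04-01 11:00:00",
     "Image": r"D:\Office\setup.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

# Executable started from the root of a non-system drive letter: what a mounted
# ISO lure looks like (assumed heuristic; removable media also matches).
MOUNTED_ROOT_EXE = re.compile(r"^[D-Z]:\\[^\\]+\.exe$", re.IGNORECASE)
DRIVER_DIR = r"c:\windows\system32\drivers"
WINDOW = timedelta(minutes=10)  # correlation window; assumed tuning value
def ts(e): return datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")

def indicator(e):
    """Map one event to an indicator name, or None if it is uninteresting."""
    image = e.get("Image", "")
    if e["EventID"] == 1 and MOUNTED_ROOT_EXE.match(image):
        return "exe_from_mounted_root"
    if (e["EventID"] == 3 and MOUNTED_ROOT_EXE.match(image)
            and e.get("DestinationHostname", "").lower() == "raw.githubusercontent.com"):
        return "github_fetch_from_mounted_exe"  # GitHub used as a payload CDN
    loaded = e.get("ImageLoaded", "").lower()
    if (e["EventID"] == 6 and loaded.endswith("\\winring0x64.sys")
            and not loaded.startswith(DRIVER_DIR)):
        return "winring0_outside_drivers_dir"  # weak alone: benign tools use it
    return None

def correlate(events):
    """{host: sorted indicators} for hosts with >= 2 distinct indicators in WINDOW."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    findings = {}
    for host, evs in by_host.items():
        hits = sorted((ts(e), indicator(e)) for e in evs if indicator(e))
        if hits:  # cluster around the host's first indicator; single hits are dropped
            names = sorted({n for t, n in hits if t - hits[0][0] <= WINDOW})
            if len(names) >= 2:
                findings[host] = names
    return findings
```

The lone WinRing0x64.sys load on ws02 is deliberately not reported: the driver is shipped by legitimate hardware-monitoring tools, so it only becomes a strong signal alongside the ISO-launch and GitHub-fetch indicators.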


Article by CyberSIXT