Attackers use deceptive ISO files and social engineering to deploy stealthy malware and generate illicit revenue
A financially motivated cyber campaign, tracked as REF1695, has been actively targeting users since late 2023 using fake software installers. The operation relies on ISO file lures to trick users into installing malware that includes remote access trojans (RATs) and cryptocurrency miners.
Unlike traditional attacks, this campaign combines social engineering, malware evasion, and multiple monetization strategies, making it both persistent and profitable.
How the Attack Works
The infection chain begins with a seemingly legitimate installer delivered via an ISO file.
Once opened, victims are instructed to:
- Bypass Microsoft Defender SmartScreen
- Click “More info” → “Run anyway”
As a result, users unknowingly execute a malicious loader.
Multi-Stage Malware Execution
After execution, the attack unfolds in several stages:
1. Loader Activation
The ISO file contains:
- A .NET-based loader (protected using obfuscation tools)
- A text file guiding users to bypass security warnings
The loader then initiates PowerShell scripts.
2. Defense Evasion
The malware:
- Adds exclusions to Microsoft Defender
- Disables key protections
- Runs silently in the background
Meanwhile, a fake error message appears to avoid suspicion:
“Unable to launch the application…”
3. Payload Deployment
The campaign deploys a newly identified malware called CNB Bot, which:
- Downloads additional payloads
- Executes remote commands
- Updates itself dynamically
- Cleans traces to avoid detection
It communicates with attackers via HTTP POST requests to a command-and-control (C2) server.
Additional Malware Variants
The campaign is not limited to a single payload. Researchers observed multiple variants, including:
- PureRAT (remote access trojan)
- PureMiner (cryptominer)
- Custom XMRig-based miners
- SilentCryptoMiner (stealth mining malware)
Each variant focuses on maximizing system control and mining efficiency.
Advanced Evasion Techniques
Attackers use several techniques to remain undetected:
- Abuse of legitimate signed drivers (e.g., WinRing0x64.sys)
- Direct system calls to bypass detection
- Disabling sleep and hibernation modes
- Scheduled tasks for persistence
- Watchdog processes to restore deleted malware
These methods ensure the malware continues running even after partial removal.
Monetization Strategy
This campaign uses multiple revenue streams:
- Cryptocurrency mining (Monero)
- CPA (Cost Per Action) fraud via fake registration pages
- Long-term system exploitation
Researchers estimate the attackers have already generated thousands of dollars, showing consistent financial success.
Abuse of Trusted Platforms
To avoid detection, attackers host payloads on trusted platforms like GitHub.
This approach:
- Reduces suspicion
- Bypasses traditional security filters
- Increases success rates
Why This Attack Is Dangerous
This campaign is particularly effective because it:
- Exploits user trust through fake installers
- Uses legitimate tools to evade detection
- Maintains persistence even after removal attempts
- Combines multiple monetization techniques
As a result, both individual users and enterprise systems face significant risk.
How to Stay Protected
To reduce exposure, users and organizations should:
- Avoid downloading software from untrusted sources
- Never bypass security warnings without verification
- Monitor PowerShell activity and endpoint behavior
- Restrict execution of unknown ISO files
- Use advanced endpoint detection solutions
- Regularly audit system processes and scheduled tasks
Strategic Takeaway
Modern malware campaigns are no longer simple infections. Instead, they are well-structured operations designed for long-term profit and persistence.
Attackers now rely on:
- Social engineering
- Trusted platforms
- Multi-stage payloads
Because in today’s threat landscape,
a single careless click can turn a system into a long-term revenue source for attackers.