Fake Software Installers Used to Deploy RATs and Crypto Mining Malware

-


Security researchers at Elastic Security Labs have uncovered an ongoing financially motivated campaign, tracked as REF1695, that has been distributing malware through fake software installers since at least November 2023. The operation combines cryptocurrency mining with Cost Per Action (CPA) fraud, redirecting victims to content locker pages disguised as software registration screens.

How the Attack Works

The infection chain begins with an ISO file, a disk image typically associated with legitimate software, which contains a protected loader and a text file. The instructions inside the file actually guide the victim into bypassing Microsoft Defender SmartScreen, the built-in Windows protection against unrecognized apps, by clicking "More info" and then "Run anyway."

Once executed, the loader calls PowerShell to disable Windows Defender antivirus protections across the board, then silently installs a newly identified malware called CNB Bot. To keep the victim unaware, a fake error message is displayed reading: "Unable to launch the application. Your system may not meet the required specifications."

What CNB Bot Does

CNB Bot acts as a secondary loader, it can download and run additional malicious payloads, update itself, and clean up traces of the infection. It communicates with attacker-controlled infrastructure via standard HTTP requests.

Other payloads deployed in related campaigns include PureRAT, PureMiner, and a custom XMRig loader used to mine Monero (XMR) cryptocurrency. Researchers also observed the use of WinRing0x64.sys, a legitimate but vulnerable signed Windows kernel driver, to gain low-level hardware access and fine-tune the CPU to boost mining performance — a technique seen in multiple cryptojacking campaigns over the years.

SilentCryptoMiner Also in the Mix

A separate campaign linked to the same threat actor was found dropping SilentCryptoMiner, which uses direct system calls to evade security tools, disables Windows Sleep and Hibernate modes to maximize mining uptime, and establishes persistence through a scheduled task. A watchdog process monitors the system and restores any deleted malicious files or persistence entries.

Across four tracked Monero wallets, the operation has accumulated approximately 27.88 XMR, equivalent to around $9,392, indicating a steady, if modest, financial return.

GitHub Used to Distribute Payloads

One notable detail: the attackers are using GitHub as a delivery platform, hosting malicious binaries across two identified accounts. This shifts the download step away from attacker-owned servers to a trusted platform, making detection more difficult for security tools that rely on infrastructure reputation.

Resources

Comments

Post a Comment

Popular posts from this blog

The Hidden Lag Killing Your SIEM Efficiency

-
Image
  If your security tools feel slower than they should, you’re not imagining it. Many IT teams blame their sluggish SIEM performance on query complexity or alert volume. But sometimes the real issue is much simpler: oversized input files quietly dragging your system down. Think about the last time you had to sift through a bloated PDF or an unoptimised log dump. Every unnecessary megabyte adds strain. Every redundant line eats up cycles. Your SIEM doesn’t just react to threats—it processes all incoming data, relevant or not. When it starts lagging, detection gets delayed, triage slows, and in the high-stakes world of threat response, even seconds count. We often focus on analytics and rule tuning, but upstream efficiency—what you feed into your system—deserves just as much attention. This article looks at how optimising your inputs unlocks downstream performance. Why Oversized Files Clog the Pipeline As data volumes grow, organisations face esca lating  data storage costs ,...
Read more

Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution

-
Image
Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution By : Rei Ibraima A newly discovered critical vulnerability in Veeam’s Backup & Replication software, designated as CVE-2025-23120, poses a significant security risk to enterprise environments. The flaw allows authenticated domain users to execute arbitrary code remotely, potentially leading to full compromise of backup infrastructures. About CVE-2025-23120 The vulnerability arises from an insecure deserialization issue within Veeam Backup & Replication components—particularly in the .NET classes Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary. Improper input validation in these components allows attackers to inject malicious serialized objects that are executed on the server side, resulting in Remote Code Execution (RCE). This issue affects systems where Veeam Backup & Replication is deployed in a domain-joined configuration, which—while common—is...
Read more

Lotus Panda Hacks SE Asian Governments With Browser Stealers and Sideloaded Malware

-
Image
The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025. "Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company," the Symantec Threat Hunter Team said in a new report shared with The Hacker News. "The attacks involved the use of multiple new custom tools, including loaders, credential stealers, and a reverse SSH tool." The intrusion set is also said to have targeted a news agency located in another country in Southeast Asia and an air freight organization located in another neighboring country. The threat cluster, per Broadcom's cybersecurity division, is assessed to be a continuation of a campaign that was disclosed by the company in December 2024 as a high-profile organization in Southeast Asia since at least October 2023. ...
Read more