Skip to main content
Emerging ThreatsMalware & Ransomware

Fake ISO Installers Spread RATs, Crypto Miners in Global Campaign

Fake ISO Installers Spread RATs, Crypto Miners in Global Campaign

"Beyond cryptomining, the threat actor monetizes infections through CPA (Cost Per Action) fraud, directing victims to content locker pages under the guise of software registration," Elastic warned — a concise description of an operation that has quietly persisted for more than two years. What happens when seemingly legitimate installers become the Trojan horse for a financially motivated campaign?

Discovery and scope

Researchers have identified a financially motivated operation, codenamed REF1695, that has been active since November 2023. According to reporting on the activity, the operation leverages fake installers to deliver malicious payloads. The disclosed activity places REF1695 within a class of campaigns that combine multiple monetization techniques rather than relying on a single method.

Techniques observed

The operation uses counterfeit installers as the initial vector to deploy two types of payloads explicitly reported by researchers: remote access trojans (RATs) and cryptocurrency miners. In addition to those payloads, Elastic says the actor also monetizes compromises through CPA (Cost Per Action) fraud, steering victims to content locker pages presented as software registration processes.

Why this matters — multiple perspectives

The activity described raises a set of questions for different stakeholders. For technologists, the presence of fake installers as the delivery mechanism calls for scrutiny of distribution channels, packaging practices, and detection opportunities. For policymakers, the blend of cryptomining and CPA-style monetization highlights how financially driven campaigns can adopt layered business models to extract value. For users, the report underscores the challenge of distinguishing legitimate installation experiences from those designed to steer victims toward monetization pages. And for adversaries, the combined use of payloads and fraud illustrates an operational approach that mixes direct monetization with deceptive ecosystems.

Looking ahead

REF1695’s use of multiple monetization techniques — RATs, cryptomining and CPA fraud routed through content lockers — suggests researchers and defenders will need to track not just individual tools but the broader workflows that connect delivery, payload, and monetization. How defenders, platform providers and investigators respond to the tactic of disguising monetization under the guise of software registration will shape whether similar operations can be detected and disrupted effectively.

Source: https://thehackernews.com/2026/04/researchers-uncover-mining-operation.html