MEDIUM · Malware
Global

Researchers Uncover Mining Operation Using ISO Lures to Spread RATs and Crypto Miners

Thursday, April 2, 2026 at 11:42 AM UTC · Source: The Hacker News

Updated: Thursday, April 2, 2026 at 04:49 PM UTC

Executive Summary

A financially motivated operation codenamed REF1695 has been observed leveraging fake installers to deploy remote access trojans (RATs) and cryptocurrency miners since November 2023. "Beyond cryptomining, the threat actor monetizes infections through CPA (Cost Per Action) fraud, directing victims to content locker pages under the guise of software registration," Elastic

Source Attribution

Originally published by The Hacker News on Apr 2, 2026.
