A financially motivated cybercriminal operation designated REF1695 has been actively distributing remote access trojans (RATs) and cryptocurrency miners through fake software installers since November 2023. The threat actors use ISO file lures to trick victims into downloading and executing malicious software that appears to be legitimate applications.
According to Elastic researchers, the operation extends beyond traditional cryptomining activities to include Cost Per Action (CPA) fraud schemes. Victims are redirected to content locker pages that masquerade as software registration portals, generating additional revenue streams for the attackers through fraudulent user interactions.