Cyber Web Spider Blog – News

Researchers Expose Cyber Scheme Using Fake Installers

Posted on April 2, 2026 By CWS

In a significant cybersecurity revelation, a financially driven cyber operation, named REF1695, has been actively distributing remote access trojans (RATs) and cryptocurrency mining software using counterfeit installers since November 2023. Elastic Security Labs, with researchers Jia Yu Chan, Cyril François, and Remco Sprooten, highlighted that the operation, beyond cryptomining, also profits from CPA fraud by leading users to misleading content registration pages.

The campaign’s latest versions introduce a novel .NET implant known as CNB Bot. These attacks use ISO files to deliver a .NET Reactor-protected loader alongside a text file that instructs users to bypass Microsoft Defender SmartScreen and run the unverified application by selecting ‘More info’ and then ‘Run anyway’.

Technical Details and Infection Process

The infection process involves a loader that launches PowerShell to add Microsoft Defender antivirus exclusions, allowing CNB Bot to operate undetected. Users are shown a decoy error message stating that their system cannot launch the application and advising them to contact support. CNB Bot acts as a loader with functionality for downloading and executing additional payloads, self-updating, and performing cleanup to erase traces; it communicates with its command-and-control (C2) server via HTTP POST requests.

Similar operations by the threat actor employ ISO files to spread PureRAT, PureMiner, and a custom XMRig loader. This loader fetches mining configurations from a hard-coded URL to activate the miner. In the FAUX#ELEVATE campaign, a legitimate yet vulnerable Windows kernel driver, ‘WinRing0x64.sys’, is exploited to access hardware at the kernel level, optimizing CPU settings for enhanced hash rates, a tactic used in cryptojacking since December 2019.

Impact and Financial Gains

The operation has also been linked to deploying SilentCryptoMiner, which uses direct system calls to remain undetected, disables Windows sleep and hibernate functions, and establishes persistence through scheduled tasks. It too employs the ‘Winring0.sys’ driver to optimize CPU performance for mining. A watchdog process ensures that malicious components and persistence techniques are reinstated if removed. This campaign has reportedly amassed 27.88 XMR, equivalent to $9,392, indicating substantial financial benefits.
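As an added illustration (not part of the original article or of Elastic Security Labs’ research), the following Python triage script scans constructed process-creation log lines for the host behaviours the two preceding sections describe: PowerShell adding Microsoft Defender exclusions, loading of a WinRing0 driver, scheduled-task persistence, and sleep/hibernate being disabled. The `Image | CommandLine` log format and the sample events are assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed sample process-creation events ("Image | CommandLine"), written for
# this example; they are not telemetry from the campaign described in the article.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -c Add-MpPreference -ExclusionPath C:\Users\Public",
    r"C:\Windows\System32\sc.exe | sc create WinRing0_1_2_0 type= kernel binPath= C:\Users\Public\WinRing0x64.sys",
    r"C:\Windows\System32\schtasks.exe | schtasks /create /sc onlogon /tn Updater /tr C:\Users\Public\svc.exe",
    r"C:\Windows\System32\powercfg.exe | powercfg /hibernate off",
    r"C:\Program Files\Git\cmd\git.exe | git clone https://github.com/example/repo",
]

# Each rule maps one behaviour named in the article to a case-insensitive pattern.
RULES = {
    "defender_exclusion": re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)", re.I),
    "winring0_driver": re.compile(r"winring0(x64)?\.sys", re.I),
    "schtask_persistence": re.compile(r"schtasks(\.exe)?\s+/create", re.I),
    "sleep_hibernate_off": re.compile(r"powercfg(\.exe)?\s+/(hibernate\s+off|standby-timeout-(ac|dc)\s+0)", re.I),
}

def parse_event(line):
    """Split 'Image | CommandLine' into a dict; returns None for malformed lines."""
    parts = line.split(" | ", 1)
    if len(parts) != 2:
        return None
    return {"image": parts[0].strip(), "cmdline": parts[1].strip()}

def classify(line):
    """Return the rule names a single event matches (empty list if benign or malformed)."""
    ev = parse_event(line)
    if ev is None:
        return []
    return [name for name, rx in RULES.items() if rx.search(ev["cmdline"])]

def triage(events):
    """Return (hits, counts): hits is a list of (rule, cmdline); counts tallies hits per rule."""
    hits = []
    for line in events:
        for rule in classify(line):
            hits.append((rule, parse_event(line)["cmdline"]))
    return hits, Counter(rule for rule, _ in hits)

if __name__ == "__main__":
    hits, counts = triage(SAMPLE_EVENTS)
    for rule, cmd in hits:
        print(f"[{rule}] {cmd}")
    print(dict(counts))
```

A single hit on any rule is worth investigating on its own; several rules firing on the same host within a short window matches the chain the article describes and should be escalated.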

Infrastructure and Defense Strategies

Elastic Security noted the use of GitHub as a delivery platform for payloads, with staged binaries hosted across two accounts. This approach moves download and execution away from attacker-controlled infrastructure onto a reputable platform, reducing the chance of detection. Reliance on such trusted platforms makes blocking by reputation alone ineffective and emphasizes the need for behaviour-based detection and response.

This revelation underscores the evolving tactics of cybercriminals, highlighting the importance of robust cybersecurity measures and vigilance against sophisticated cyber schemes.

Category: The Hacker News. Tags: CNB Bot, Cryptomining, cyber threats, Cybersecurity, Elastic Security, GitHub, ISO files, Malware, Microsoft Defender, RATs

Copyright © 2026 Cyber Web Spider Blog – News.
