🦠 Ransomware & Malware

REF1695's ISO Trick: $9K Crypto Haul from Fake Installers and RATs

Forget flashy ransomware. This crew's quietly mined 27.88 XMR — that's $9,392 — by tricking users with ISO lures since late 2023. But the real scam? RATs and fraud on top.

Aisha Patel 📅 Apr 03, 2026 ⏱️ 4 min read 👁️ 0 views

Attack chain diagram showing REF1695 ISO lure deploying CNB Bot and XMRig miner

⚡ Key Takeaways

REF1695 nets $9K+ via ISO-delivered miners, RATs, and CPA fraud since 2023.
Abuses GitHub as CDN and signed WinRing0 driver for stealth and speed.
Evolving from single-trick to diversified ops — watch for cross-platform jumps.

🧠 What's your take on this?

Cast your vote and see what Threat Digest readers think

Written by

Aisha Patel

Former ML engineer turned writer. Covers computer vision and robotics with a practitioner perspective.

#CNB Bot #ISO lures #REF1695 #cryptomining

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by The Hacker News

REF1695's ISO Trick: $9K Crypto Haul from Fake Installers and RATs

⚡ Key Takeaways

The 60-Second TL;DR

🧠 What's your take on this?

Community Consensus

Aisha Patel

Worth sharing?

⚡ Key Takeaways

The 60-Second TL;DR

🧠 What's your take on this?

Community Consensus

Aisha Patel

Share this article

Worth sharing?

Related Stories

0ktapus Phishing Snags 10,000 Credentials Across 130 Companies—Your MFA Is the Weak Link

Claude Code's 50-Command Cap: The Bypass That Unlocks Your Dev Machine

FBI, CISA Blast: Russian Phishers Hijacking Signal and WhatsApp Accounts Worldwide

Red Ladon Poisons Australian News Sites with ScanBox Keyloggers

Stay in the loop