REF1695's a cyber op using ISO file lures to drop RATs like CNB Bot, PureRAT, and cryptominers like XMRig or SilentCryptoMiner, plus CPA fraud for extra cash.

How do ISO lures bypass Microsoft Defender?

ISO mounts like a drive, drops a protected loader with manual bypass instructions for SmartScreen, then PowerShell adds AV exclusions while faking an error.

Is GitHub safe for downloads?

Mostly, but threat actors hide payloads there as CDN. Scan everything, check repos, use enterprise proxies.

🦠 Ransomware & Malware

REF1695's ISO Trick: $9K Crypto Haul from Fake Installers and RATs

Forget flashy ransomware. This crew's quietly mined 27.88 XMR — that's $9,392 — by tricking users with ISO lures since late 2023. But the real scam? RATs and fraud on top.

Threat Digest Apr 03, 2026 4 min read 10 views

Attack chain diagram showing REF1695 ISO lure deploying CNB Bot and XMRig miner

⚡ Key Takeaways

REF1695 nets $9K+ via ISO-delivered miners, RATs, and CPA fraud since 2023. 𝕏
Abuses GitHub as CDN and signed WinRing0 driver for stealth and speed. 𝕏
Evolving from single-trick to diversified ops — watch for cross-platform jumps. 𝕏

Published by

Threat Digest

Threat intelligence. Zero noise.

#CNB Bot #ISO lures #REF1695 #cryptomining

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by The Hacker News

⚡ Key Takeaways

The 60-Second TL;DR

Threat Digest

Share this article

Worth sharing?

Related Stories

Ransomware's Vicious Evolution: From Locks to Blackmail and Beyond

North Korea's Hackers Vaporize $285M from Drift in Seconds

0ktapus Phishing Snags 10,000 Credentials Across 130 Companies—Your MFA Is the Weak Link

Claude Code's 50-Command Cap: The Bypass That Unlocks Your Dev Machine

Stay in the loop