
Ongoing Malware Campaign Using Fake Installers to Distribute RATs and Miners

Severity: Medium (Score: 51.9)

Sources: Gbhackers, Cybersecuritynews

Summary

A financially motivated threat actor has been running a malware campaign since late 2023 that uses fake software installers to deliver remote access trojans (RATs) and Monero cryptocurrency miners. The operation, tracked as REF1695, has been active for over two years and has expanded its toolset while remaining largely undetected. The attackers distribute ISO-based fake installers that mimic legitimate software setup packages and lure users into downloading them; once run, the installers do not deliver the promised application but install the malware instead. The campaign has affected a wide range of users, particularly those seeking software downloads online. The operation is still ongoing, with no mitigation reported. Security teams are advised to be vigilant against this kind of threat and to educate users on the risks of downloading software from unverified sources.

Key Points:

  • The REF1695 malware campaign has been active since late 2023.
  • Fake software installers are used to deliver RATs and Monero miners.
  • The operation continues to expand its toolset while remaining largely undetected.
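One practical check that follows from the summary: before a downloaded "installer" is run, identify what the file actually is from its magic bytes rather than its name, and compare its hash with the value the vendor publishes. The script below is an added example written for this advisory; it is not code from the reporting sources or from the campaign, and the file names, sample bytes and hash values in it are constructed for illustration. It treats a disc image (ISO 9660) offered as the setup package of a product whose vendor ships a native installer, an extension that does not match the real container, or a hash that differs from the published one, as reasons to stop and verify.

```python
"""Check a downloaded installer: real container type vs. claimed type, plus hash.

Added example for this advisory (not the reporting vendors' code). The sample
files, names and hashes used below are constructed for illustration.
"""
import hashlib

# Magic bytes at fixed offsets. ISO 9660 images carry "CD001" at byte 0x8001
# (start of the primary volume descriptor); PE executables start with "MZ";
# MSI packages are OLE compound files; ZIP / self-extracting archives start
# with "PK\x03\x04". Order matters: the ISO check looks deep into the file and
# is tried first so a disc image is never mistaken for something smaller.
SIGNATURES = [
    ("iso9660", 0x8001, b"CD001"),
    ("pe", 0, b"MZ"),
    ("msi", 0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
    ("zip", 0, b"PK\x03\x04"),
]

# What each extension claims to be. Anything else is "unknown".
EXPECTED_BY_EXTENSION = {
    ".exe": "pe",
    ".msi": "msi",
    ".zip": "zip",
    ".iso": "iso9660",
}


def detect_container(data):
    """Return the container type found by magic bytes, or 'unknown'."""
    for name, offset, magic in SIGNATURES:
        # Slicing past the end yields a short slice, so small files fail cleanly.
        if data[offset:offset + len(magic)] == magic:
            return name
    return "unknown"


def check_installer(filename, data, published_sha256=None):
    """Compare the file's real type with its extension and, if given, its hash.

    published_sha256 is the hex digest the vendor publishes for this release
    (None if the vendor publishes nothing, in which case hash_ok stays None).
    """
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    claimed = EXPECTED_BY_EXTENSION.get(ext, "unknown")
    actual = detect_container(data)
    digest = hashlib.sha256(data).hexdigest()
    hash_ok = None if published_sha256 is None else digest == published_sha256.lower()
    result = {
        "file": filename,
        "claimed": claimed,
        "actual": actual,
        "sha256": digest,
        # Extension says one thing, magic bytes say another (T1036 masquerading).
        "extension_mismatch": claimed != "unknown" and actual != claimed,
        # A disc image where a native installer was expected is itself a warning.
        "disc_image": actual == "iso9660",
        "hash_ok": hash_ok,
    }
    result["suspicious"] = (
        result["extension_mismatch"] or result["disc_image"] or hash_ok is False
    )
    return result


# Constructed samples (not real files): a minimal ISO 9660 header, a PE stub.
SAMPLE_ISO = b"\x00" * 0x8001 + b"CD001" + b"\x00" * 64
SAMPLE_EXE = b"MZ" + b"\x90" * 200


if __name__ == "__main__":
    for name, blob, published in [
        ("Photo_Editor_Setup.iso", SAMPLE_ISO, None),
        ("photo_editor_setup.exe", SAMPLE_EXE, hashlib.sha256(SAMPLE_EXE).hexdigest()),
        ("photo_editor_setup.msi", SAMPLE_EXE, None),
    ]:
        r = check_installer(name, blob, published)
        print(f"{r['file']}: actual={r['actual']} claimed={r['claimed']} "
              f"mismatch={r['extension_mismatch']} disc_image={r['disc_image']} "
              f"hash_ok={r['hash_ok']} suspicious={r['suspicious']}")
```

The hash comparison only helps when the published value comes from the vendor's own site over HTTPS, not from the same download page that served the file; the magic-byte check catches the simpler case where the name and the container disagree, which is exactly the masquerading technique (T1036) tagged on this cluster.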

Key Entities

  • Malware (attack_type)
  • Trojan (attack_type)
  • Ref1695 (campaign)
  • T1036 - Masquerading (mitre_attack)