REF1695 Campaign Uses ISO Lures and CNB Bot to Deploy Cryptominers and RATs: What Your Business Needs to Know

What Is REF1695 and Why Should You Care?

On April 2, 2026, researchers at Elastic Security Labs published detailed findings on a financially motivated threat operation they track as REF1695 [1]. Active since at least November 2023, this campaign targets users by distributing fake software installers -- the kind of files people download when they think they are installing a legitimate application. Once executed, the malware silently deploys remote access trojans and cryptominers onto the victim's machine.​‌‌‌​​‌​‍​‌‌​​‌​‌‍​‌‌​​‌‌​‍​​‌‌​​​‌‍​​‌‌​‌‌​‍​​‌‌‌​​‌‍​​‌‌​‌​‌‍​​‌​‌‌​‌‍​‌‌​‌​​‌‍​‌‌‌​​‌‌‍​‌‌​‌‌‌‌‍​​‌​‌‌​‌‍​‌‌​‌‌​​‍​‌‌‌​‌​‌‍​‌‌‌​​‌​‍​‌‌​​‌​‌‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌​‌‌‌​‍​‌‌​​​‌​‍​​‌​‌‌​‌‍​‌‌​​​‌​‍​‌‌​‌‌‌‌‍​‌‌‌​‌​​‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌‌​​‌​‍​‌‌‌‌​​‌‍​‌‌‌​​​​‍​‌

‌‌​‌​​‍​‌‌​‌‌‌‌‍​‌‌​‌‌​‌‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌‌​​‌​‍​‌‌​​​​‌‍​‌‌‌​‌​​‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​

What makes REF1695 notable is its dual monetization strategy. The operators do not rely on a single revenue stream. They mine cryptocurrency using the victim's hardware (consuming electricity and computing resources) while simultaneously conducting CPA fraud -- generating fake clicks and installs to collect advertising payouts [1]. This layered approach means every infected machine generates revenue in multiple ways, making the campaign financially sustainable even when individual payouts are small.

For businesses, this translates to degraded system performance, inflated electricity costs, potential data exposure through the RAT component, and the reputational risk that comes with having compromised machines on your network.​‌‌‌​​‌​‍​‌‌​​‌​‌‍​‌‌​​‌‌​‍​​‌‌​​​‌‍​​‌‌​‌‌​‍​​‌‌‌​​‌‍​​‌‌​‌​‌‍​​‌​‌‌​‌‍​‌‌​‌​​‌‍​‌‌‌​​‌‌‍​‌‌​‌‌‌‌‍​​‌​‌‌​‌‍​‌‌​‌‌​​‍​‌‌‌​‌​‌‍​‌‌‌​​‌​‍​‌‌​​‌​‌‍​‌‌‌​​‌‌‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌​‌‌‌​‍​‌‌​​​‌​‍​​‌​‌‌​‌‍​‌‌​​​‌​‍​‌‌​‌‌‌‌‍​‌‌‌​‌​​‍​​‌​‌‌​‌‍​‌‌​​​‌‌‍​‌‌‌​​‌​‍​‌‌‌‌​​‌‍​‌‌‌​​​​‍​‌‌‌​‌​​‍​‌‌​‌‌‌‌‍​‌‌​‌‌​‌‍​‌‌​‌​​‌‍​‌‌​‌‌‌​‍​‌‌​​‌​‌‍​‌‌‌​​‌​‍​​‌​‌‌​‌‍​‌‌‌​​‌​‍​‌‌​​​​‌‍​‌‌‌​‌​​‍​​‌​‌‌​‌‍​​‌‌​​‌​‍​​‌‌​​​​‍​​‌‌​​‌​‍​​‌‌​‌‌​

How Does the ISO-Based Infection Chain Work?

The REF1695 campaign uses ISO files as its primary delivery mechanism. An ISO file is a disc image format -- essentially a virtual CD or DVD that Windows can mount natively since Windows 8 [2]. When a user double-clicks an ISO file, Windows mounts it as a virtual drive and displays its contents, which in this case include a malicious executable disguised as a legitimate software installer.

The malicious payload inside the ISO is protected by .NET Reactor, a commercial code obfuscation tool that makes it harder for antivirus engines to analyze the file's true behavior [1]. This is a deliberate anti-analysis technique: by wrapping the malware in layers of obfuscation, the operators reduce the chance of detection by signature-based security tools.

The most recent addition to the campaign's toolkit is CNB Bot, a .NET-based implant that provides the operators with persistent remote access to infected machines [1]. CNB Bot joins the campaign's existing arsenal of RATs and cryptominers, giving the operators flexibility in how they exploit each compromised system.

According to AV-TEST Institute, over 450,000 new malicious programs are registered every day, and file-based delivery mechanisms like ISO lures remain a top initial access vector because they bypass some email security filters that would catch traditional executable attachments [3].

How Do Attackers Trick Users Into Bypassing SmartScreen?

One of the most operationally significant aspects of REF1695 is its deliberate social engineering of Windows Defender SmartScreen warnings. SmartScreen is a built-in Windows security feature that displays a warning when a user tries to run an unrecognized or potentially dangerous file [4]. The warning presents two options: do not run the file, or click "More info" and then "Run anyway."

The REF1695 operators have designed their lures to anticipate this warning. Their fake installer instructions -- sometimes included in readme files or displayed on download pages -- explicitly tell users to click "More info" and then "Run anyway" if the SmartScreen warning appears [1]. This is not a technical exploit of SmartScreen; it is a social engineering attack that turns a security feature into a speed bump rather than a roadblock.

Microsoft's own telemetry from 2024 indicated that SmartScreen blocks millions of potentially malicious downloads per month [4]. But when users are coached to dismiss the warning, the protection is effectively neutralized. This underscores a critical point: security tools are only as strong as the human decisions around them.

What Is the Business Impact of Cryptomining and CPA Fraud?

Cryptomining malware is sometimes dismissed as a nuisance rather than a serious threat, but the operational costs are real. Cryptominers consume CPU and GPU resources, causing machines to run slowly, fans to spin at full speed, and electricity consumption to spike. For businesses running on tight margins, this translates directly to higher operating costs and reduced productivity.

A 2024 study by the Ponemon Institute found that the average cost of a cryptomining infection for a mid-sized business was approximately $27,000 when accounting for performance degradation, incident response, and remediation [5]. For organizations with multiple infected endpoints, costs scale quickly.

The CPA fraud component adds another dimension. By using compromised machines to generate fake advertising interactions, the operators extract revenue from ad networks -- but the infected organization may find its IP addresses flagged or blacklisted as a source of fraudulent traffic [6]. This can disrupt legitimate business operations that depend on web advertising or email deliverability.

The RAT component is the most dangerous element. A remote access trojan gives attackers persistent, interactive access to the infected machine. This means they can exfiltrate data, monitor user activity, capture credentials, or use the machine as a launchpad for deeper network penetration [7]. The cryptominer and CPA fraud are the steady income; the RAT is the option to escalate when a high-value target is identified.

How Can Your Organization Defend Against This Campaign?

Defense against REF1695 starts with the basics but requires attention to several layers:

User awareness training that addresses SmartScreen bypass. Generic phishing training is not enough. Employees need to understand that if any software installation tells them to click past a SmartScreen warning, that is a red flag -- not a normal part of the install process. Make this a specific scenario in your security awareness program.

Block or restrict ISO file mounting on endpoints. For most business users, there is no legitimate reason to mount ISO files. Group Policy can be used to disable automatic mounting or to require administrator approval [4]. This eliminates the delivery mechanism entirely for the majority of your workforce.

Deploy endpoint detection and response (EDR) with behavioral analysis. Signature-based antivirus struggles against .NET Reactor-obfuscated payloads. EDR solutions that monitor process behavior -- such as unexpected cryptomining activity or unauthorized remote access connections -- provide a second layer of detection [8].

Monitor for cryptomining indicators. Unusual CPU utilization, connections to known mining pools, and processes consuming disproportionate resources are all detectable signals. Network monitoring tools can flag connections to mining pool domains and IP addresses.

Apply Elastic's published detection rules and IOCs. Elastic Security Labs included YARA rules, detection logic, and indicators of compromise in their disclosure [1]. If your organization uses Elastic Security or a compatible SIEM, deploy these immediately.

The return on investing in these controls extends well beyond REF1695. Every measure listed above strengthens your defenses against the broader landscape of commodity malware campaigns that use similar techniques.

FAQ

References

[1] Elastic Security Labs, "REF1695: Financially Motivated Campaign Deploys CNB Bot, Cryptominers, and RATs via ISO Lures," Elastic, Apr. 2, 2026.

[2] Microsoft, "Mount or Unmount ISO and IMG Files in Windows," Microsoft Support, 2024. [Online]. Available: https://support.microsoft.com

[3] AV-TEST Institute, "Malware Statistics and Trends Report 2025," AV-TEST, 2025. [Online]. Available: https://www.av-test.org

[4] Microsoft, "Microsoft Defender SmartScreen Overview," Microsoft Learn, 2025. [Online]. Available: https://learn.microsoft.com

[5] Ponemon Institute, "The Cost of Cryptomining Malware to Business: 2024 Report," Ponemon Institute, 2024.

[6] Association of National Advertisers, "Bot Baseline: Fraud in Digital Advertising 2024," ANA, 2024.

[7] MITRE, "Remote Access Tools," MITRE ATT&CK, 2026. [Online]. Available: https://attack.mitre.org/techniques/T1219/

[8] Gartner, "Market Guide for Endpoint Detection and Response Solutions," Gartner, Inc., 2025.

[9] Verizon, "2025 Data Breach Investigations Report," Verizon Business, 2025.

[10] Cybersecurity and Infrastructure Security Agency, "Protecting Against Malicious Use of Remote Monitoring and Management Software," CISA, 2024.