Cybersecurity researchers have shed light on a sophisticated, financially motivated threat actor that has been quietly building a digital mining empire. A new report from Elastic Security Labs details an operation, designated REF1695, that has been active since at least late 2023, using a deceptive mix of remote access trojans (RATs) and custom cryptominers to line its pockets.
The campaign relies on a tried-and-true method of social engineering: fake software installers. Victims are lured into downloading what they believe to be legitimate software packages, only to unknowingly trigger a multi-stage infection chain.
Once inside, the operator doesn’t just stop at mining. The report reveals a secondary, more insidious monetization strategy:
“Beyond cryptomining, the threat actor monetizes infections through CPA (Cost Per Action) fraud, directing victims to content locker pages under the guise of software registration”.
At the heart of REF1695 is a previously undocumented .NET implant dubbed CNB Bot. This malware is built for stealth and control, featuring RSA-2048 signed task authentication to ensure it only follows commands from the legitimate operator.
To maximize profit while staying under the radar, the threat actor utilizes a custom XMRig loader. This component is specifically engineered to evade security researchers. As the analysis explains:
“A custom XMRig loader evades detection by killing the miner whenever analysis tools are running and deploys WinRing0x64.sys”.
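The two behaviours quoted above, a load of the WinRing0x64.sys driver and a miner that is killed as soon as an analysis tool appears, are both visible in ordinary endpoint telemetry. The following is an added example, not code from the Elastic report or from this article: a small detector that scans constructed driver-load and process-create/terminate records (loosely modeled on Sysmon events, with made-up hosts, paths, timestamps and a placeholder pool address) and raises an alert for each of those observables. The analysis-tool list, the miner command-line markers and the 60-second correlation window are assumptions chosen for the example, not values from the report.

```python
import json
import ntpath
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample telemetry (JSON lines). Every value here is made up for
# this example; the pool address uses the reserved .invalid TLD.
SAMPLE_LOG = r'''
{"ts": "2024-03-01T10:00:01Z", "host": "WS01", "event": "driver_load", "image": "C:\\Windows\\System32\\drivers\\storport.sys"}
{"ts": "2024-03-01T10:00:05Z", "host": "WS01", "event": "driver_load", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\WinRing0x64.sys"}
{"ts": "2024-03-01T10:00:06Z", "host": "WS01", "event": "process_create", "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "cmdline": "updater.exe -o pool.example.invalid:443 --coin monero --donate-level 1"}
{"ts": "2024-03-01T10:00:40Z", "host": "WS01", "event": "process_create", "pid": 4300, "image": "C:\\Tools\\procmon64.exe", "cmdline": "procmon64.exe"}
{"ts": "2024-03-01T10:00:41Z", "host": "WS01", "event": "process_terminate", "pid": 4120, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe"}
{"ts": "2024-03-01T10:05:00Z", "host": "WS01", "event": "process_create", "pid": 5010, "image": "C:\\Program Files\\Git\\cmd\\git.exe", "cmdline": "git.exe pull"}
'''

# Assumed indicator lists for the example (not from the report).
MINER_CMDLINE_MARKERS = ("xmrig", "--donate-level", "--coin monero", "--coin=monero", "stratum+tcp://", "--algo rx/0")
ANALYSIS_TOOLS = {"procmon.exe", "procmon64.exe", "procexp.exe", "procexp64.exe", "x64dbg.exe", "x32dbg.exe",
                  "wireshark.exe", "ida.exe", "ida64.exe", "windbg.exe", "dnspy.exe"}
# Locations where a kernel driver has no business living.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\", "\\programdata\\")
# A miner that exits this soon after an analysis tool starts is suspicious.
KILL_WINDOW = timedelta(seconds=60)


def parse_log(text: str) -> List[Dict]:
    """Parse JSON-lines telemetry into dicts with a datetime timestamp, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def looks_like_miner(cmdline: str) -> bool:
    """Cheap command-line heuristic for XMRig-style miners."""
    c = cmdline.lower()
    return any(marker in c for marker in MINER_CMDLINE_MARKERS)


def analyze(events: List[Dict]) -> List[Dict]:
    """Walk the events once and emit alerts for the behaviours described in the report."""
    alerts: List[Dict] = []
    miner_pids: Dict[int, str] = {}   # pid -> image of processes flagged as miners
    tool_starts: List[datetime] = []  # launch times of known analysis tools
    for ev in events:
        kind, img = ev["event"], ev.get("image", "")
        name = basename(img)
        if kind == "driver_load" and name == "winring0x64.sys":
            # WinRing0 also ships with legitimate hardware-monitoring tools, so the
            # load path, not the driver name alone, decides the severity.
            from_user_path = any(h in img.lower() for h in USER_WRITABLE_HINTS)
            alerts.append({"rule": "winring0_driver_load", "severity": "high" if from_user_path else "medium",
                           "ts": ev["ts"].isoformat(), "host": ev["host"], "detail": img})
        elif kind == "process_create":
            if name in ANALYSIS_TOOLS:
                tool_starts.append(ev["ts"])
            if looks_like_miner(ev.get("cmdline", "")):
                miner_pids[ev["pid"]] = img
                alerts.append({"rule": "miner_cmdline", "severity": "high",
                               "ts": ev["ts"].isoformat(), "host": ev["host"], "detail": ev["cmdline"]})
        elif kind == "process_terminate" and ev.get("pid") in miner_pids:
            # The loader's evasion trick, seen from the defender's side: the miner
            # dies right after a debugger or monitor starts.
            if any(timedelta(0) <= ev["ts"] - t <= KILL_WINDOW for t in tool_starts):
                alerts.append({"rule": "miner_killed_after_analysis_tool", "severity": "high",
                               "ts": ev["ts"].isoformat(), "host": ev["host"], "detail": miner_pids[ev["pid"]]})
            miner_pids.pop(ev["pid"])
    return alerts


def run_example() -> List[Dict]:
    return analyze(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_example():
        print(f'{alert["ts"]} {alert["host"]} [{alert["severity"]}] {alert["rule"]}: {alert["detail"]}')
```

Run against the constructed log, the detector produces three alerts in order: the driver loaded from a Temp directory, the miner-like command line, and the miner exiting one second after procmon64.exe started. The third rule is the useful one in practice, because a process that only dies when it is being watched is unusual for benign software and, unlike a command-line string, cannot be hidden by packing.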
The primary goal of the operation is the illicit mining of Monero (XMR), a privacy-focused cryptocurrency that is notoriously difficult to trace. However, by analyzing public mining pool dashboards, researchers were able to get a glimpse into the operator’s success.
The financial impact is far from negligible. At the time of the report, evidence showed that over 27.88 XMR had already been paid out to the operator’s wallets.
The sophistication of REF1695 is evident in its heavy use of professional-grade packing tools. The researchers noted that across different versions of the campaign, the infection chains shared a consistent, layered defense:
“Stages use a consistent Themida/WinLicense + .NET Reactor packing combination”.
These tools compress and encrypt the malware, making it nearly impossible for traditional antivirus software to “see” the malicious code before it executes in the system’s memory.
Operation REF1695 serves as a stark reminder that cryptomining isn’t just a “nuisance” threat: it is a highly organized business. By combining mining with CPA fraud and advanced evasion techniques, the operators have created a resilient and profitable ecosystem.