Malware Family and Delivery Mechanism

REF1695 is a financially motivated threat operation tracked by Elastic Security Labs. Active since at least November 2023, the campaign uses trojanized software installers as its primary delivery vector. Victims encounter fake installers masquerading as legitimate applications — a technique designed to lower suspicion during the initial compromise phase.

The installers drop multiple payloads in a single infection chain, including remote access trojans (RATs) and cryptocurrency mining software. Elastic Security Labs attributes the campaign to a financially motivated operator, not a nation-state actor, based on the monetization methods observed.


Capabilities

Persistence

REF1695 payloads establish persistence on compromised hosts through scheduled tasks and registry run keys — standard mechanisms that survive reboots without requiring elevated privileges in many configurations. The RAT component maintains a persistent backdoor channel, allowing the operator to re-task infected machines after initial cryptomining deployment.

Cryptomining

The operation deploys cryptocurrency mining software to abuse victim CPU and GPU resources. Mining processes are injected or disguised to avoid casual detection by end users. The miners generate passive revenue for the operator across large numbers of infected hosts simultaneously.

CPA Fraud via Content Lockers

Beyond cryptomining, REF1695 monetizes infections through Cost Per Action (CPA) fraud. The operator redirects victims to content locker pages — web interfaces that demand users complete surveys, submit personal information, or install additional software under the pretext of completing a software registration process. Each completed action generates affiliate revenue for the operator through CPA networks.

This dual-monetization model — passive mining combined with active CPA fraud — maximizes revenue per infection without requiring the operator to maintain ransomware infrastructure or handle cryptocurrency ransoms directly.

Remote Access Trojan Capabilities

The RAT components deployed in REF1695 infections provide the operator with standard backdoor functionality: remote command execution, file system access, screenshot capture, and the ability to download and execute additional payloads. This allows REF1695 to pivot from a cryptomining operation to credential theft or lateral movement depending on the perceived value of a compromised host.

Command and Control (C2)

Elastic observed C2 communications tied to the RAT components, enabling persistent operator access to infected machines. The C2 infrastructure supports dynamic retasking — operators can push new payloads or update mining configurations without reinfecting the host.


Affected Platforms

REF1695 targets Windows endpoints. The fake installer delivery mechanism specifically abuses Windows executable formats. No confirmed macOS or Linux variants have been attributed to this campaign by Elastic Security Labs at the time of publication.

The campaign targets general consumers and small business users who search for cracked or free versions of commercial software — a segment with lower endpoint detection coverage than enterprise environments.


Detection Signatures

Elastic Security Labs published detection guidance tied to REF1695. SOC analysts and detection engineers should prioritize the following:

Process Behavior

  • Monitor for installer processes spawning unexpected child processes, particularly cmd.exe, powershell.exe, or wscript.exe.
  • Flag scheduled task creation (schtasks.exe) initiated by recently dropped binaries.
  • Alert on registry modification to HKCU\Software\Microsoft\Windows\CurrentVersion\Run by unsigned executables.

Network Indicators

  • Block and alert on outbound connections to known CPA content locker domains associated with illegitimate affiliate networks.
  • Monitor for high-frequency outbound connections to mining pool endpoints (e.g., domains resolving to common XMR or ETH mining pool infrastructure).
  • Inspect DNS queries for domains associated with RAT C2 infrastructure flagged in Elastic's REF1695 research.

File System

  • Hash-based detections for the fake installer droppers identified by Elastic Security Labs should be loaded into EDR platforms (CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne).
  • Flag unsigned executables written to %APPDATA%, %TEMP%, or %PROGRAMDATA% by installer processes.
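The process, network and file-system heuristics listed above can be expressed as a small detection routine. The following is an added example, not one of Elastic's published REF1695 rules: it runs the heuristics over a stream of constructed endpoint events (process starts, file writes, registry writes and outbound connections). The installer-name hints, the mining-pool domain, the 10-minute "recently dropped" window and the five-connection threshold are all assumptions to be tuned against real telemetry.

```python
from collections import defaultdict

# Thresholds and indicator lists are this example's own assumptions; tune them to your telemetry.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe"}
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
DROP_DIRS = ("%APPDATA%", "%TEMP%", "%PROGRAMDATA%")
INSTALLER_HINTS = ("setup", "install", "crack", "keygen")   # assumed installer naming heuristic
MINING_POOL_DOMAINS = {"pool.mining-placeholder.invalid"}   # placeholder; load from your intel feed
RECENT_DROP_WINDOW_S = 600   # a binary counts as "recently dropped" for 10 minutes after it is written
POOL_CONN_THRESHOLD = 5      # pool connections per host inside the window that count as high frequency


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def looks_like_installer(image):
    return any(hint in basename(image) for hint in INSTALLER_HINTS)


def detect(events):
    """Apply the REF1695 heuristics to chronologically ordered events; return (rule, detail) alerts."""
    alerts = []
    dropped_at = {}                 # lower-cased path -> ts at which an installer wrote it (unsigned)
    pool_hits = defaultdict(list)   # host -> timestamps of mining-pool connections
    for e in events:
        kind = e["type"]
        if kind == "process":
            child = basename(e["image"])
            # Installer spawning a shell or script host.
            if looks_like_installer(e["parent"]) and child in SUSPICIOUS_CHILDREN:
                alerts.append(("installer_spawns_shell", f"{e['parent']} -> {e['image']}"))
            # schtasks.exe launched by a binary that an installer dropped moments ago.
            elif child == "schtasks.exe":
                parent = e["parent"].lower()
                if parent in dropped_at and e["ts"] - dropped_at[parent] <= RECENT_DROP_WINDOW_S:
                    alerts.append(("schtasks_from_recent_drop", f"{e['parent']}: {e['cmdline']}"))
        elif kind == "file":
            # Unsigned executable written by an installer into a user-writable drop directory.
            if looks_like_installer(e["actor"]) and e["path"].upper().startswith(DROP_DIRS):
                if not e["signed"]:
                    dropped_at[e["path"].lower()] = e["ts"]
                    alerts.append(("unsigned_drop_in_user_dir", e["path"]))
        elif kind == "registry":
            # Unsigned actor writing the HKCU Run key.
            if e["key"].lower().startswith(RUN_KEY.lower()) and not e["signed"]:
                alerts.append(("unsigned_run_key_write", f"{e['actor']} set value {e['value']}"))
        elif kind == "network":
            # Repeated connections from one host to a known mining pool inside the window.
            if e["dst"].lower() in MINING_POOL_DOMAINS:
                hits = pool_hits[e["host"]]
                hits.append(e["ts"])
                recent = [t for t in hits if e["ts"] - t <= RECENT_DROP_WINDOW_S]
                if len(recent) == POOL_CONN_THRESHOLD:   # fire once, when the threshold is first crossed
                    alerts.append(("high_freq_pool_connections", f"{e['host']} -> {e['dst']}"))
    return alerts


# Constructed telemetry for a single workstation; not data from Elastic's research.
INSTALLER = r"C:\Users\alice\Downloads\PhotoEditor_Pro_Setup.exe"
DROPPED = r"%APPDATA%\svchelper.exe"
SAMPLE_EVENTS = [
    {"type": "process", "ts": 0, "host": "ws01", "parent": INSTALLER,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "file", "ts": 5, "host": "ws01", "actor": INSTALLER, "path": DROPPED, "signed": False},
    {"type": "process", "ts": 30, "host": "ws01", "parent": DROPPED,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc onlogon /tn Updater /tr "%APPDATA%\svchelper.exe"'},
    {"type": "registry", "ts": 31, "host": "ws01", "actor": DROPPED, "signed": False,
     "key": RUN_KEY, "value": "Updater"},
    # Benign activity: a signed vendor installer writing a signed binary, and Explorer launching Notepad.
    {"type": "file", "ts": 40, "host": "ws01", "actor": r"C:\Users\alice\Downloads\VendorSetup.exe",
     "path": r"%PROGRAMDATA%\Vendor\agent.exe", "signed": True},
    {"type": "process", "ts": 41, "host": "ws01", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
] + [
    {"type": "network", "ts": 60 + i, "host": "ws01", "dst": "pool.mining-placeholder.invalid", "dport": 3333}
    for i in range(5)
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"{rule:30} {detail}")
```

The signed-vendor write and the Explorer-to-Notepad launch produce no alerts, which is the point of the "unsigned" and "installer parent" qualifiers in the guidance: without them, every legitimate installer would trip the same logic. The pool-connection rule fires once when the threshold is crossed rather than on every subsequent connection, so one infected host yields one alert per window instead of a flood.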

YARA / Sigma

  • Elastic has released EQL (Event Query Language) rules in their public detection-rules repository on GitHub. Teams running Elastic SIEM should pull and deploy these rules directly.
  • Convert published EQL logic to Sigma format for deployment across non-Elastic SIEM platforms.

Removal Guidance

  1. Isolate the host from the network immediately upon confirmed detection to prevent the RAT from receiving further instructions.
  2. Terminate and delete all miner processes and associated binaries identified by hash or file path.
  3. Remove persistence mechanisms: delete malicious scheduled tasks via schtasks /delete and clean associated registry run keys.
  4. Revoke and rotate credentials stored in browsers or credential managers on the affected host, as the RAT component may have exfiltrated saved passwords.
  5. Reimage hosts where RAT persistence cannot be fully verified — given the RAT's ability to download additional payloads, partial remediation carries significant re-infection risk.
  6. Block C2 and mining pool infrastructure at the perimeter firewall and DNS filtering layer using indicators published by Elastic Security Labs.
  7. Review CPA redirect traffic in proxy logs to identify additional hosts that may have been silently redirected to content locker pages without triggering endpoint alerts.