Fake Installers to Monero: A Multi-Tool Mining Operation
ID: bf729cfb-1764-5ca8-bde9-8fb967d13cc8
STIX ID: report--bf729cfb-1764-5ca8-bde9-8fb967d13cc8
Feed Name: Elastic Security Labs
Elastic Security Labs documents a financially motivated, multi-stage malware campaign (REF1695), active since late 2023, that delivers RATs and cryptominers via Themida/.NET Reactor-packed fake installers. The report analyzes multiple campaigns (CNB Bot, PureRAT, PureMiner, SilentCryptoMiner), their C2 protocols and configs, persistence and evasion techniques (Defender exclusions, process injection, the WinRing0x64.sys kernel driver, direct syscalls), GitHub-hosted payload delivery, and extracted IoCs including sample hashes, domains, and four Monero wallets with ~27.88 XMR paid out.
