Fake ISO Installers Spread RATs and Crypto Miners
Robert Moore

Hackers are using fake software installers (ISO files) to infect computers with remote access trojans and cryptocurrency miners. The REF1695 group also monetizes attacks through CPA fraud, redirecting victims to fake registration pages.
Here's a sobering reality check for anyone downloading software online. A financially motivated hacking group, tracked as REF1695, has been running a nasty operation since late 2023. Their weapon of choice? Fake software installers, often disguised as legitimate ISO files, that do a whole lot more than just install a program.
They're using these lures to deploy two primary threats directly onto victims' computers. First, they drop remote access trojans (RATs). Think of a RAT as giving a thief the keys to your digital house. It lets the attacker see your screen, steal your files, and control your computer from miles away.
### The Dual Threat: RATs and Resource Theft
The second payload is a cryptocurrency miner. This is a sneaky piece of software that hijacks your computer's processing power. It silently uses your CPU and GPU to mine for digital coins like Monero, sending all the profits straight to the attackers. Your machine slows to a crawl, your electricity bill creeps up, and your hardware wears out faster, all for someone else's gain.
It's a classic double-dip for the criminals. They get immediate access to your data and system, plus a steady, passive income stream from your hijacked resources. And the worst part? You might not even notice it's happening for a long time.
### Beyond Mining: The CPA Fraud Scheme
But wait, there's more. According to security researchers, cryptomining isn't their only revenue stream. This group has another clever, and frustrating, way to make money from an infection.
They engage in something called CPA fraud. CPA stands for Cost Per Action. Here's how it works in this context:
- After infecting a system, the malware redirects the victim to fake "software registration" or "content locker" pages.
- These pages demand users complete an action, like filling out a survey or signing up for a service, to "unlock" the software they wanted.
- Each completed action generates a small payout for the threat actor from affiliate networks.
So, they're not just stealing your computer's power; they're turning you into an unwitting pawn in their advertising fraud scheme. It's a layered attack designed to squeeze every possible cent out of a single victim.
### How to Protect Yourself
This operation highlights why you need to be incredibly careful about where you download software. That "cracked" version or that too-good-to-be-true free tool can come with a massive hidden cost.
Here are a few simple rules to live by:
- **Only download from official sources.** Go directly to the software developer's website. Don't trust third-party download portals.
- **Scrutinize file types.** Be very wary of executable files (.exe) or disk images (.iso) from unfamiliar sources.
- **Use a reputable security suite.** A good antivirus can often catch these fake installers before they do damage.
- **Keep everything updated.** Ensure your operating system and all software are patched with the latest security updates.
- **Monitor your system.** If your computer is suddenly running hot, the fans are constantly whirring, or performance has tanked for no reason, investigate.
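Two of the rules above, "only download from official sources" and "scrutinize file types", can be turned into a concrete pre-install check. The script below is an added example written for this article, not code from the researchers or the article's author: it streams a downloaded file through SHA-256 and compares the result with the checksum the vendor publishes on its official page, and it inspects the file's magic bytes so that a Windows executable renamed to `.iso` is caught regardless of what the extension claims. The sample files, their bytes and the "published" hash are all constructed inline so the example runs offline; the function and variable names are this example's own.

```python
import hashlib
import os
import tempfile

# ISO 9660 stores its primary volume descriptor at sector 16 (2048-byte sectors):
# byte 0x8000 is the descriptor type (0x01), bytes 0x8001..0x8005 spell "CD001".
ISO_PVD_OFFSET = 0x8000 + 1
ISO_MAGIC = b"CD001"
PE_MAGIC = b"MZ"   # every Windows .exe/.dll starts with these two bytes


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash the file in 1 MiB chunks so multi-gigabyte ISOs never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_checksum(path: str, published_sha256: str) -> bool:
    """Compare with the hash from the vendor's official download page (case-insensitive)."""
    return sha256_of_file(path).lower() == published_sha256.strip().lower()


def classify_by_magic(path: str) -> str:
    """Decide what the file *is* from its bytes: 'pe-executable', 'iso9660' or 'unknown'."""
    with open(path, "rb") as fh:
        head = fh.read(len(PE_MAGIC))
        fh.seek(ISO_PVD_OFFSET)
        pvd = fh.read(len(ISO_MAGIC))   # returns b"" if the file is too short
    if head == PE_MAGIC:
        return "pe-executable"
    if pvd == ISO_MAGIC:
        return "iso9660"
    return "unknown"


def assess_download(path: str, published_sha256: str) -> dict:
    """A download is 'trusted' only if extension, content and checksum all agree."""
    kind = classify_by_magic(path)
    ext = os.path.splitext(path)[1].lower()
    ext_matches = (ext == ".iso" and kind == "iso9660") or \
                  (ext == ".exe" and kind == "pe-executable")
    hash_ok = verify_checksum(path, published_sha256)
    return {
        "kind": kind,
        "extension_matches_content": ext_matches,
        "checksum_ok": hash_ok,
        "trusted": ext_matches and hash_ok,
    }


# --- constructed sample files (not real installers) so the example runs offline ---
def _write_sample(name: str, payload: bytes) -> str:
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "wb") as fh:
        fh.write(payload)
    return path


def build_samples() -> dict:
    # Minimal well-formed ISO: zero padding up to the PVD, type byte 0x01, "CD001",
    # then padding to a whole number of 2048-byte sectors (17 sectors total).
    genuine_iso = b"\x00" * 0x8000 + b"\x01" + ISO_MAGIC + b"\x00" * 2042
    # Renamed executable: PE header bytes inside a file that merely carries a .iso name.
    renamed_exe = PE_MAGIC + b"\x90" * 0x9000
    return {
        "genuine": _write_sample("tool.iso", genuine_iso),
        "renamed_exe": _write_sample("tool-cracked.iso", renamed_exe),
    }


def demo() -> dict:
    samples = build_samples()
    # Stand-in for the checksum a vendor would publish next to its official download.
    published = sha256_of_file(samples["genuine"])
    return {name: assess_download(path, published) for name, path in samples.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} {result}")
```

The magic-byte check is deliberately narrow: it catches the crude case of an executable wearing an `.iso` extension, not an ISO that genuinely contains a malicious installer, which is why the checksum against the vendor's published value remains the decisive test.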
The REF1695 campaign is a reminder that cyber threats are constantly evolving. Attackers are always looking for new ways to blend in, using lures we might trust. Staying informed and practicing basic digital hygiene is your best defense. Don't let a moment of convenience lead to months of compromise.