
Researchers Uncover Financially Motivated Cyber Operation REF1695
Researchers identified a financially motivated cyber operation codenamed REF1695 that has been active since November 2023, distributing fake software installers to deploy remote access trojans (RATs) and cryptocurrency miners. The threat actor monetizes infections through CPA (Cost Per Action) fraud, redirecting victims to content locker pages disguised as software registration. The campaign primarily targets users via malicious ISO files, though no specific geographic regions or victim counts were disclosed. No CVE IDs or additional technical indicators were mentioned in the report.