REF1695 is a financially motivated campaign that has been active since November 2023. It uses fake software installers to deliver cryptocurrency miners and remote access trojans, and its most recent iterations have been observed deploying a previously undocumented .NET implant called CNB Bot.

According to Elastic, the threat actor uses GitHub as a content delivery network (CDN) alongside its own command and control (C2) infrastructure, hosting staged binaries on two known accounts. Four tracked wallets have received a combined 27.88 XMR (about $9,392), indicating a steady, if modest, stream of revenue. The actor also monetizes infections through cost-per-action (CPA) fraud, redirecting victims to content-locker pages disguised as software registration pages. The analysis was written by researchers Jia Yu Chan, Cyril François, and Remco Sprooten of Elastic Security Labs.

You can read the whole report at http://www.elastic.com/security/threat-analysis/ref1695-threat-actor-monitors-cpa-fraud-credentials-false-signal-false.html.