A financially motivated operation codenamed
REF1695 has been observed leveraging fake installers to
deploy remote access trojans (RATs) and cryptocurrency miners since
November 2023. "Beyond cryptomining, the threat actor
monetizes infections through CPA (Cost Per Action) fraud, directing
victims to content locker pages under the guise of software
registration," Elastic
Read more https://thehackernews.com/2026/04/researchers-uncover-mining-operation.html
