A recent report from The Hacker News highlights a growing and highly effective cyberattack method that business leaders cannot afford to ignore. Researchers uncovered a financially motivated campaign, tracked as REF1695, that uses seemingly harmless ISO files to deliver remote access trojans (RATs) and cryptocurrency miners into corporate environments.
At first glance, these attacks may look like typical malware campaigns. In reality, they represent a shift toward stealth, persistence, and profit-driven exploitation that bypasses many traditional defenses.
The attack chain begins with social engineering. Victims are tricked into downloading ISO files disguised as legitimate installers or software packages. Once mounted and executed, these files deploy multiple malicious payloads.
According to the report, the campaign has distributed tools such as PureRAT, PureMiner, and a custom .NET-based loader that ultimately installs a modified XMRig crypto miner.
What makes this campaign particularly dangerous is its layered approach:
This is not a smash-and-grab attack. It is designed to remain hidden, maintain access, and continuously generate revenue.
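The first link in that chain, an executable launched straight from a user-mounted ISO and then spawning its own children, is something endpoint telemetry can surface. The following Python script is an added example (not code from the article, from CHIPS or from the REF1695 report) that correlates constructed mount and process-creation records per host; the JSON field names are a hypothetical log export, not a real Sysmon or Windows Event Log schema.

```python
import json

# Constructed sample telemetry (not real data): an ISO mounted from the
# Downloads folder, a process started from the mounted drive letter, a child
# it drops into the user profile, and an unrelated launch on another host.
SAMPLE_LOG = r"""
{"ts": 100, "event": "volume_mount", "host": "WS01", "image": "C:\\Users\\a\\Downloads\\Setup_Pro.iso", "drive": "E:"}
{"ts": 105, "event": "process_create", "host": "WS01", "pid": 4100, "ppid": 1200, "parent": "explorer.exe", "image": "E:\\Setup.exe"}
{"ts": 110, "event": "process_create", "host": "WS01", "pid": 4200, "ppid": 4100, "parent": "E:\\Setup.exe", "image": "C:\\Users\\a\\AppData\\Roaming\\svchost.exe"}
{"ts": 900, "event": "process_create", "host": "WS02", "pid": 5000, "ppid": 1300, "parent": "explorer.exe", "image": "C:\\Program Files\\Editor\\editor.exe"}
"""


def parse_events(text):
    """Parse one JSON record per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def iso_launch_alerts(events):
    """Flag processes started from a mounted ISO image and every process
    descended from them. Correlation is per host: mounts are keyed by
    drive letter, lineage by (host, pid)."""
    mounted = {}     # (host, drive letter) -> path of the mounted ISO
    tainted = set()  # (host, pid) of processes descended from an ISO launch
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["event"] == "volume_mount" and ev["image"].lower().endswith(".iso"):
            mounted[(host, ev["drive"].upper())] = ev["image"]
            continue
        if ev["event"] != "process_create":
            continue
        image = ev["image"]
        drive = image[:2].upper()          # "E:\\Setup.exe" -> "E:"
        if (host, drive) in mounted:
            tainted.add((host, ev["pid"]))
            alerts.append({"host": host, "pid": ev["pid"], "image": image,
                           "reason": "executable started from mounted ISO",
                           "iso": mounted[(host, drive)]})
        elif (host, ev["ppid"]) in tainted:
            tainted.add((host, ev["pid"]))
            alerts.append({"host": host, "pid": ev["pid"], "image": image,
                           "reason": "child of ISO-launched process"})
    return alerts


if __name__ == "__main__":
    for alert in iso_launch_alerts(parse_events(SAMPLE_LOG)):
        print(alert)
```

In the sample, pid 4100 is flagged for running from the mounted image and pid 4200 for being its child, while the editor launch on WS02 is ignored.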
Cryptomining malware, often referred to as cryptojacking, is not just an IT nuisance. It directly impacts business operations and profitability.
Once inside a network, these miners consume CPU and GPU resources, leading to:
Even more concerning, these infections often go undetected for long periods because they do not immediately disrupt operations. Their goal is to stay invisible while generating income for attackers.
In this campaign alone, researchers estimate the attackers earned over 27 XMR across multiple wallets, demonstrating that even small-scale infections can produce consistent returns.
Now imagine that scaled across dozens or hundreds of endpoints in a business environment.
Most organizations still rely on a Detect and Respond model. This approach assumes that threats can be identified quickly and remediated before damage occurs.
But campaigns like REF1695 expose a critical flaw in that thinking.
These attacks are:
By the time detection tools identify suspicious behavior, the malware has already established persistence and may have been operating for weeks or months.
Detection is simply too late.
To stop these types of attacks, businesses must rethink their security strategy.
Instead of trying to detect malicious activity after execution, organizations need to prevent untrusted activity from causing harm in the first place.
This is where Isolation and Containment becomes essential.
Isolation ensures that:
Containment ensures that:
This approach directly addresses the weaknesses exposed by ISO-based malware campaigns.
AppGuard is built on the principle of Isolation and Containment, not detection.
With a proven 10-year track record, AppGuard prevents attacks like REF1695 by:
Even if a user unknowingly opens a malicious ISO file, the attack is contained and rendered ineffective.
That is the key difference. The attack may enter the environment, but it cannot succeed.
The REF1695 campaign is a clear signal that cybercriminals are evolving. They are no longer relying on noisy ransomware attacks alone. Instead, they are deploying quiet, persistent, profit-driven malware that thrives in environments dependent on detection.
ISO lures, RATs, and crypto miners are just one example of this broader trend.
Businesses that continue to rely solely on Detect and Respond strategies are leaving themselves exposed to threats that are specifically designed to evade them.
If you are a business owner or IT leader, now is the time to evaluate whether your current security approach can stop threats like this before they cause damage.
Talk with us at CHIPS about how AppGuard can protect your organization by shifting from Detect and Respond to Isolation and Containment.
Because in today’s threat landscape, prevention is no longer optional. It is essential.