Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Lewis Maddison

Fake OnlyFans content is luring users into installing malware

Onlyfans logo and phone login screen

Adult-oriented subscription service OnlyFans has been hit with a new malware campaign that sees fake content being used to infect users' devices with a Remote Access Trojan (RAT). 

Security firm eSentire discovered the operation, which has been ongoing since the start of this year. ZIP files are distributed that contain a VBScript loader that users unwittingly activate when they think they are getting access to premium OnlyFans content.

It is not known exactly what the initial attack vector is that lures victims, but there are suggestions that it could be forum posts, instant messages, malvertising links or Black SEO sites that rank near the top of search results for certain terms. 

DcRAT

The OnlyFans brand has been used before by threat actors, including in January 2023, where hackers abused an open redirect link on an official UK government website to direct users to a fake version of the site.

In this new campaign, the payload has been dubbed DcRAT, which is a modified version of the freely available AsyncRAT on GitHub, although the author has since abandoned after it was being abused.

When the VBScript loader is activated, it extracts and registers 'dynwrapx.dll', which grants access to the DynamicWrapperX, which in turn enables calling functions from the Windows API and other DLLs.

Something called 'BinaryData' is then loaded into 'RegAsm.exe', a legitimate process part of the .NET Framework, meaning it is less likely to be flagged by antivirus software. This is what delivers the DcRAT.

DcRAT can then perform various malicious actions, including keylogging, monitoring webcams, manipulating files, stealing credentials and browser cookies, and remotely accessing your device.

It also contains a ransomware plugin that affects all non-system files and encrypts them with the .DcRAT file extension, making them inaccessible to the user without the decryption key, which the threat actors will hold you to ransom for.

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.