We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Hackers Drop Info-Stealing Malware Using Fake OnlyFans Pics

Hackers Drop Info-Stealing Malware Using Fake OnlyFans Pics
Zane Kennedy Published on 21st June 2023 Cybersecurity Researcher

Hackers have launched a malware campaign targeting the popular adult content subscription service, OnlyFans using fake OnlyFans content and adult lures to steal data and deploy ransomware on infected devices.

The malware campaign was discovered by eSentire, which stated in its findings that “In May 2023, we identified DcRAT, a clone of AsyncRAT, at a consumer services customer. DcRAT is a remote access tool with info-stealing and ransomware capabilities. The malware is actively distributed using explicit lures for OnlyFans pages and other adult content.”

Since January 2023, hackers have been distributing ZIP files containing a VBScript loader, cleverly disguised as premium OnlyFans collections. Enticed by the promise of accessing exclusive content for free, victims manually execute the loader, installing the DcRat malware onto their systems.

OnlyFans, renowned for its private adult content offered by models, celebrities, and influencers, has attracted a massive user base seeking exclusive pics. This widespread popularity has made it a prime target for individuals wanting to access such content without paying, ultimately falling victim to hackers' nefarious activities.

The precise method of infection remains unclear. Malicious forum posts, instant messages, malvertising, or even search engine optimization techniques employed by fraudulent websites could be responsible for delivering the infected ZIP files. One sample shared by Eclypsium was disguised as explicit photos of former adult film actress Mia Khalifa.

The VBScript loader, a modified and obfuscated version of a script observed in a previous campaign discovered by Splunk in 2021, cleverly evades detection. Once launched, it meticulously checks the device's operating system architecture using Windows Management Instrumentation (WMI) and proceeds to spawn a 32-bit process if necessary. Through a series of steps, the DcRAT payload is injected into the legitimate "RegAsm.exe" process, bypassing traditional antivirus tools.

DcRAT poses a significant threat to infected systems, offering keylogging, webcam monitoring, remote access, file manipulation, and even the ability to steal browser credentials, cookies, and Discord tokens. Furthermore, the malware incorporates a ransomware plugin that encrypts non-system files, appending the ".DcRAT" extension to hold victims' data hostage.

Cybersecurity experts have emphasized the importance of caution when downloading files or executables from dubious sources, particularly those claiming to offer free access to premium content. Users are urged to be vigilant and protect their devices that store personal information.

OnlyFans, cybersecurity organizations, and law enforcement agencies are actively addressing these security concerns, implementing measures to enhance user security and thwart future attacks.

About the Author

Zane is a Cybersecurity Researcher and Writer at vpnMentor. His extensive experience in the tech and cybersecurity industries provides readers with accurate and trustworthy news stories and articles. He aims to help individuals protect themselves through informative content and awareness of cybersecurity's crucial role in today's digital landscape.