Fake OnlyFans content is luring users into installing malware

A dangerous RAT could infect victims and cause all sorts of problems

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Adult-oriented subscription service OnlyFans has been hit with a newmalwarecampaign that sees fake content being used to infect users' devices with a Remote Access Trojan (RAT).

Security firmeSentirediscovered the operation, which has been ongoing since the start of this year. ZIP files are distributed that contain a VBScript loader that users unwittingly activate when they think they are getting access to premium OnlyFans content.

It is not known exactly what the initial attack vector is that lures victims, but there are suggestions that it could be forum posts, instant messages, malvertising links or BlackSEOsites that rank near the top of search results for certain terms.

DcRAT

The OnlyFans brand has been used before by threat actors, including in January 2023, where hackers abused an open redirect link on an official UK government website to direct users to a fake version of the site.

In this new campaign, the payload has been dubbed DcRAT, which is a modified version of the freely available AsyncRAT on GitHub, although the author has since abandoned after it was being abused.

Beware - another dangerous Android malware has had millions of downloads from the Google Play Store>This new Android trojan is targeting all your mobile bank accounts>PlugRAT Trojan disguises itself as Microsoft debugger to slip past your antivirus

When the VBScript loader is activated, it extracts and registers ‘dynwrapx.dll’, which grants access to the DynamicWrapperX, which in turn enables calling functions from the Windows API and other DLLs.

Something called ‘BinaryData’ is then loaded into ‘RegAsm.exe’, a legitimate process part of the .NET Framework, meaning it is less likely to be flagged byantivirus software. This is what delivers the DcRAT.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

DcRAT can then perform various malicious actions, including keylogging, monitoring webcams, manipulating files, stealing credentials and browser cookies, and remotely accessing your device.

It also contains aransomwareplugin that affects all non-system files and encrypts them with the .DcRAT file extension, making them inaccessible to the user without the decryption key, which the threat actors will hold you to ransom for.

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, having spent over a decade exploring the murky depths of both PC building and music production. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.

Google puts Nvidia on high alert as it showcases Trillium, its rival AI chip, while promising to bring H200 Tensor Core GPUs within days

A new form of macOS malware is being used by devious North Korean hackers

England vs Australia live stream: how to watch 2024 rugby union Autumn International online from anywhere