
Fraudsters use Mia Khalifa’s video to spread Trojan to OnlyFans users


By offering access to models' paid content, hackers obtain the personal data of lonely admirers of women.

Attackers are using fake OnlyFans photos to spread the DcRAT remote access trojan (RAT), which allows them to steal personal data and credentials or deploy ransomware on an infected device.

OnlyFans is a content subscription service where paid subscribers can access photos, videos, and posts of adult models, celebrities, and bloggers.

The malicious campaign, which has been running since January 2023, was discovered by eSentire specialists. During the campaign, cybercriminals distribute ZIP files containing a VBScript downloader that the victim launches manually, believing it to be a collection of premium OnlyFans content.

The infection chain is unknown, but victims may be lured through forum posts, direct messages, malicious ads, or even websites that use black hat SEO to rank high for certain search queries. One of the malware samples contains nude photos of former adult film actress Mia Khalifa.

When the VBScript loader is run, the DcRAT payload is loaded into memory and injected into the “RegAsm.exe” process, a legitimate part of the .NET Framework that is less likely to be flagged by antivirus tools.

DcRAT (DarkCrystal RAT) is a modified version of AsyncRAT that is freely available on GitHub and that its author abandoned after several cases of abuse of the tool came to light.

DcRAT is capable of doing the following:

  • keylogging;
  • recording video from a webcam;
  • file manipulation;
  • remote access;
  • stealing credentials and cookies from web browsers;
  • capturing Discord tokens.

In addition, DcRAT contains a ransomware plugin that targets all non-system files and adds the “.DcRat” filename extension to encrypted files.
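A defender-side sketch of the two observable behaviours described above, added here as an example and not taken from eSentire or the original article: it flags RegAsm.exe started with a Windows Script Host process in its ancestry, and files written with the “.DcRat” extension. The event schema, the sample events, and the assumption that the script host shows up as an ancestor of RegAsm.exe are constructed for illustration.

```python
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}  # Windows Script Host binaries that run .vbs files
INJECTION_TARGET = "regasm.exe"                # process named in the article
RANSOM_EXT = ".dcrat"                          # extension named in the article (compared lowercased)

# Constructed sample telemetry in a hypothetical schema (not a real EDR format).
NET_DIR = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe"},
    {"type": "process", "pid": 300, "ppid": 200, "image": NET_DIR + r"\RegAsm.exe"},
    {"type": "process", "pid": 400, "ppid": 100, "image": NET_DIR + r"\RegAsm.exe"},
    {"type": "file", "pid": 300, "path": r"C:\Users\alice\Documents\report.docx.DcRat"},
    {"type": "file", "pid": 100, "path": r"C:\Users\alice\Documents\notes.txt"},
]

def basename(path):
    """Lowercased file name of a Windows path, regardless of host OS."""
    return ntpath.basename(path).lower()

def has_script_host_ancestor(pid, procs):
    """Walk the parent chain of pid and report whether a script host is in it."""
    seen = set()  # guards against PID reuse creating a loop
    ppid = procs[pid]["ppid"]
    while ppid in procs and ppid not in seen:
        seen.add(ppid)
        if basename(procs[ppid]["image"]) in SCRIPT_HOSTS:
            return True
        ppid = procs[ppid]["ppid"]
    return False

def find_alerts(events):
    """Return (rule_name, pid) tuples for events matching either heuristic."""
    procs, alerts = {}, []
    for ev in events:
        if ev["type"] == "process":
            procs[ev["pid"]] = ev
            if (basename(ev["image"]) == INJECTION_TARGET
                    and has_script_host_ancestor(ev["pid"], procs)):
                alerts.append(("regasm_from_script_host", ev["pid"]))
        elif ev["type"] == "file" and ev["path"].lower().endswith(RANSOM_EXT):
            alerts.append(("dcrat_extension_written", ev["pid"]))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

RegAsm.exe launched directly from explorer.exe (PID 400 in the sample) is not flagged, since only the script-host ancestry is treated as suspicious here.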

It is important to be careful when downloading archives or executables from dubious sources, especially those that offer free access to premium/paid content.


Source: www.securitylab.ru
