A modified version of DcRAT (a clone of AsyncRAT).
Victims download a file named something like OnlyFans.zip or [CreatorName]_Photos.zip.
Beyond the "OnlyFans.zip" malware, the ecosystem is plagued by several other risks:
Some versions include a ransomware plugin that encrypts non-system files and demands payment in Bitcoin.

🔍 How the Infection Works
Tools sold to hackers to steal OnlyFans credentials have themselves been found to contain infostealers like Lumma, infecting the would-be hackers.
Fraudulent agents target creators, charging fees for growth services that never materialize.

🛠️ Protection and Removal
Inside is a VBScript loader. When a user manually executes it, the script injects the DcRAT payload into a legitimate Windows process (e.g., RegAsm.exe) to bypass antivirus detection.
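A detection sketch for the chain described above, added here as an example and not taken from the original page: it flags process-creation events in which RegAsm.exe is started by a Windows script host or launched without an assembly argument. The event field names (modelled on Sysmon Event ID 1), the sample events, and the assumption that the loader starts the host process itself are constructed for illustration.

```python
import ntpath
import shlex

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # interpreters that run .vbs files
INJECTION_HOSTS = {"regasm.exe"}                # host process named on this page

# Constructed sample events (not real telemetry); file names are placeholders.
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\u\Downloads\loader.vbs"'},
    {"ProcessId": 4412, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'},
    {"ProcessId": 5020, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" C:\build\Plugin.dll /codebase'},
]

def basename(path):
    return ntpath.basename(path).lower()

def has_assembly_arg(command_line):
    """Legitimate RegAsm use passes an assembly path; a bare launch is unusual."""
    try:
        args = shlex.split(command_line, posix=False)[1:]
    except ValueError:
        return False  # unparseable command line: treat as lacking an assembly
    return any(not a.startswith(("/", "-")) for a in args)

def score_event(ev):
    """Return the reasons a process-creation event matches the loader pattern."""
    if basename(ev["Image"]) not in INJECTION_HOSTS:
        return []
    reasons = []
    parent = basename(ev["ParentImage"])
    if parent in SCRIPT_HOSTS:
        reasons.append(f"spawned by script host {parent}")
    if not has_assembly_arg(ev["CommandLine"]):
        reasons.append("no assembly argument")
    return reasons

def find_suspicious(events):
    return [(ev["ProcessId"], r) for ev in events if (r := score_event(ev))]

if __name__ == "__main__":
    for pid, reasons in find_suspicious(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```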
If you suspect an infection, security experts from PCrisk and 2-Spyware recommend: