Skip to main content

Adult-oriented subscription service OnlyFans has been hit with a new malware campaign that sees fake content being used to infect users’ devices with a Remote Access Trojan (RAT).

Security firm eSentire discovered the operation, which has been ongoing since the start of this year. ZIP files are distributed that contain a VBScript loader that users unwittingly activate when they think they are getting access to premium OnlyFans content.

It is not known exactly what the initial attack vector is that lures victims, but there are suggestions that it could be forum posts, instant messages, malvertising links or Black SEO sites that rank near the top of search results for certain terms.


The OnlyFans brand has been used before by threat actors, including in January 2023, where hackers abused an open redirect link on an official UK government website to direct users to a fake version of the site.

In this new campaign, the payload has been dubbed DcRAT, which is a modified version of the freely available AsyncRAT on GitHub, although the author has since abandoned after it was being abused.

When the VBScript loader is activated, it extracts and registers ‘dynwrapx.dll’, which grants access to the DynamicWrapperX, which in turn enables calling functions from the Windows API and other DLLs.

Something called ‘BinaryData’ is then loaded into ‘RegAsm.exe’, a legitimate process part of the .NET Framework, meaning it is less likely to be flagged by antivirus software. This is what delivers the DcRAT.

DcRAT can then perform various malicious actions, including keylogging, monitoring webcams, manipulating files, stealing credentials and browser cookies, and remotely accessing your device.

It also contains a ransomware plugin that affects all non-system files and encrypts them with the .DcRAT file extension, making them inaccessible to the user without the decryption key, which the threat actors will hold you to ransom for.