C_heaven22 leaked onlyf, videos and photos heaven22 on twitter and reddit

The malware campaign used fake OnlyFans content and adult-themed lures to install a remote access trojan called “DcRAT,” which lets threat actors steal data and credentials or deploy ransomware on infected devices.

OnlyFans is a content subscription service that gives paid subscribers access to private photos, videos and posts of adult models, celebrities and social media personalities.

Since it is a well-known website, it can attract people who want to access paid content for free.

This isn’t the first time threat actors have exploited OnlyFans for malicious ends: in January 2023, attackers abused open redirects on a UK national website to send visitors to a fake OnlyFans site.

The new campaign uncovered by eSentire has been running since January 2023, distributing ZIP files containing a VBScript loader that tricks victims, who believe they are getting access to a premium OnlyFans collection, into executing it manually.

The initial delivery vector is unknown, but could be malicious forum posts, instant messages, malvertising, or even black-hat SEO pages ranking high for certain search terms. One example shared by Eclypsium pretends to be a nude photo of former adult film actress Mia Khalifa.

The VBScript loader is a minimally modified and obfuscated version of the script observed in a 2021 campaign discovered by Splunk, itself a slightly modified Windows printing script.

At startup, it checks the OS architecture using WMI and launches the 32-bit processes required for the following steps, then extracts the embedded DLL (“dynwrapx.dll”) and registers it with Regsvr32.exe.

This gives the malware access to DynamicWrapperX, a tool that allows scripts to call functions in the Windows API or in other DLL files.

Finally, a payload named “BinaryData” is loaded into memory and injected into the RegAsm.exe process, a legitimate part of the .NET Framework that is unlikely to be flagged by AV tools.
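As an added example (not code from the page, from eSentire or from the campaign itself), the following Python checks constructed Sysmon-style process-creation records for the observable steps of the chain described above: a script host spawning regsvr32.exe, regsvr32 registering dynwrapx.dll, and RegAsm.exe being started by a script host. The sample events and field names are constructed, and the assumption that the VBScript host is RegAsm.exe's parent is ours; the page only states that the payload is injected into RegAsm.exe.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    image: str          # full path of the created process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process

# Windows Script Host binaries that run a .vbs loader
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def _name(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the names of every detection that fires for one event."""
    hits = []
    img, parent = _name(ev.image), _name(ev.parent_image)
    cmd = ev.cmdline.lower()
    # Loader step: a script host registering a DLL through regsvr32
    if img == "regsvr32.exe" and parent in SCRIPT_HOSTS:
        hits.append("script_host_spawned_regsvr32")
    # DynamicWrapperX registration; the DLL can be renamed, so this
    # check is weaker than the parent/child one above
    if img == "regsvr32.exe" and "dynwrapx.dll" in cmd:
        hits.append("dynwrapx_registration")
    # Injection target of the campaign started directly by the script host
    if img == "regasm.exe" and parent in SCRIPT_HOSTS:
        hits.append("regasm_spawned_by_script_host")
    return hits

def scan(events):
    """(event index, detection name) for every hit across a list of events."""
    return [(i, h) for i, ev in enumerate(events) for h in classify(ev)]

# Constructed sample events: one benign installer, two loader steps, one benign shell
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Program Files\Vendor\app.dll",
              r"C:\Windows\System32\msiexec.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\regsvr32.exe",
              r"regsvr32.exe /s C:\Users\u\AppData\Local\Temp\dynwrapx.dll",
              r"C:\Windows\SysWOW64\wscript.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              "RegAsm.exe", r"C:\Windows\SysWOW64\wscript.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {hit}")
```

Only the two loader events fire; the vendor installer using regsvr32 from msiexec stays quiet because the parent is not a script host.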
