A sophisticated cyber campaign used images and geofencing of OnlyFans models to target specific victims in Australia, Poland and Belgium, and used custom PowerShell scripts to steal data. According to a recent report by Zscaler ThreatLabz, the campaign, dubbed “Steal-It”, is likely the work of APT28, also known as Fancy Bear.
According to the report, the Steal-It cyberattack exploits CaptureServer scripts and abuses the Mockbin API endpoint generation tool to steal data, including NTLM hashes and command output. “These operations leveraged custom PowerShell scripts designed to steal critical NTLM hashes before transmitting them to the Mockbin platform,” the researchers said.
“In the initial phase of the campaign, a hidden ZIP archive was deployed, [using] LNK files while ensuring persistence in the system through strategic use of StartUp folders.” The Fancy Bear threat group, notorious for interfering in the 2016 U.S. election, similarly used images of women as bait to conduct a cyberattack on a Ukrainian energy facility earlier this month.
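As an added defensive example (not code from the article or from Zscaler), the following PowerShell hunt checks the per-user and all-users StartUp folders for LNK files whose target launches PowerShell, which is the persistence pattern the report describes, and additionally flags any shortcut command line that references the Mockbin endpoint used for exfiltration. It assumes Windows PowerShell with the WScript.Shell COM object available; the keyword matches are heuristic and should be reviewed, not treated as a verdict.

```powershell
# Added example, not from the original report: hunt for LNK persistence in
# StartUp folders that launches PowerShell, and flag mockbin references.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user StartUp folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users StartUp folder
)
$shell = New-Object -ComObject WScript.Shell        # used to read .lnk targets

function Get-SuspiciousStartupLnk {
    param([string[]]$Dirs = $startupDirs)
    foreach ($dir in $Dirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Filter *.lnk -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
                $reasons = @()
                if ($cmd -match 'powershell|pwsh') {
                    $reasons += 'launches PowerShell from StartUp'
                }
                if ($cmd -match '-enc|encodedcommand|windowstyle\s+hidden|bypass') {
                    $reasons += 'evasive PowerShell switches'
                }
                if ($cmd -match 'mockbin') {
                    $reasons += 'references Mockbin (exfil endpoint in Steal-It)'
                }
                if ($reasons.Count -gt 0) {
                    [pscustomobject]@{
                        Path    = $_.FullName
                        Created = $_.CreationTime
                        Command = $cmd
                        Reasons = ($reasons -join '; ')
                    }
                }
            }
    }
}

# Print any hits; an empty result means no flagged shortcuts were found.
Get-SuspiciousStartupLnk | Format-List
```

A hit here is a pivot point for incident response: collect the shortcut and its target script, and check proxy or DNS logs for connections to mockbin from that host.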