CRPx0 Malware Campaign Uses Fake OnlyFans Lure to Deliver Cross-Platform Malware with Crypto Theft and Ransomware
A new malware campaign dubbed CRPx0 is using a fake OnlyFans account lure to infect Windows and macOS systems with a multi-stage payload that performs cryptocurrency theft, data exfiltration, and ransomware encryption.

A sophisticated new malware campaign named CRPx0 is actively targeting Windows and macOS users, with Linux capabilities reportedly in development, using a social engineering lure promising free OnlyFans accounts. The campaign, analyzed in detail by Aryaka Threat Research Labs, combines cryptocurrency theft, large-scale data exfiltration, and ransomware encryption into a single, modular attack chain.
The initial infection vector is a ZIP file titled "OnlyfansAccounts.zip" which contains a malicious LNK shortcut. When executed, the shortcut drops a decoy file that appears to list legitimate account credentials while silently installing the malware in the background. The implant then checks in with a command-and-control (C2) server, reports environment data, and establishes persistence so the attackers retain control across reboots. It also periodically checks for newer versions of itself and updates automatically.
Once installed, CRPx0 continuously monitors the system clipboard for cryptocurrency wallet addresses. If a victim copies a wallet address to send or receive funds, the malware swaps it with an address controlled by the attackers, diverting the transaction. This clipboard hijacking is the first stage of the campaign's financial theft mechanism.
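The swap described above is detectable from the victim's side without any signature for the implant itself: a person rarely copies two different wallet addresses a fraction of a second apart, but a clipper replaces the address immediately after every copy. The detector below is an added example written for this article, not code from Aryaka's report or from the malware; it runs the heuristic over a constructed sequence of clipboard snapshots, and the address patterns, the `Snapshot` type and the one-second threshold are my own choices.

```python
import re
import time
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Syntactic patterns for the wallet formats clippers typically target. They are
# deliberately permissive (no checksum validation): the goal is to notice that an
# address was replaced by another of the same kind, not to validate the address.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[ac-hj-np-z02-9]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text: str) -> Optional[str]:
    """Classify a clipboard payload as a wallet-address kind, or None if it is not one."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


@dataclass
class Snapshot:
    ts: float      # seconds, as recorded by the poller
    content: str   # clipboard text at that instant


def detect_swaps(snapshots: List[Snapshot], max_gap: float = 1.0) -> List[Tuple[str, str, float]]:
    """Flag transitions where a wallet address is replaced by a different address of the
    same kind within max_gap seconds. Returns (original, replacement, gap_seconds) tuples."""
    hits = []
    prev = None
    for snap in snapshots:
        if prev is not None:
            before, after = prev.content.strip(), snap.content.strip()
            kind = address_kind(before)
            if (kind is not None and address_kind(after) == kind
                    and before != after and 0 <= snap.ts - prev.ts <= max_gap):
                hits.append((before, after, snap.ts - prev.ts))
        prev = snap
    return hits


def poll_clipboard(read_fn: Callable[[], str], seconds: float, interval: float = 0.2) -> List[Snapshot]:
    """Record a snapshot each time the clipboard text changes. read_fn is any
    function returning the current clipboard text (platform-specific, supplied by the caller)."""
    snaps, last, start = [], None, time.monotonic()
    while time.monotonic() - start < seconds:
        try:
            current = read_fn()
        except Exception:           # e.g. clipboard empty or holding non-text data
            current = ""
        if current != last:
            snaps.append(Snapshot(time.monotonic() - start, current))
            last = current
        time.sleep(interval)
    return snaps


# Constructed sample: addresses are syntactically valid placeholders, not real wallets.
SAMPLE = [
    Snapshot(0.0, "invoice #4412"),
    Snapshot(5.0, "1" + "A" * 33),     # victim copies a legacy-format BTC address
    Snapshot(5.2, "1" + "B" * 33),     # 200 ms later the clipboard holds a different one
    Snapshot(20.0, "0x" + "1" * 40),   # an ETH address
    Snapshot(45.0, "0x" + "2" * 40),   # 25 s later: plausible user re-copy, not flagged
]

if __name__ == "__main__":
    for original, replacement, gap in detect_swaps(SAMPLE):
        print(f"possible clipper: {original} -> {replacement} after {gap:.2f}s")
    try:  # optional live run using tkinter's clipboard access, if a display is available
        import tkinter as tk
        root = tk.Tk(); root.withdraw()
        live = poll_clipboard(root.clipboard_get, seconds=30)
        print(detect_swaps(live))
    except Exception as exc:
        print("live polling skipped:", exc)
```

The threshold is the tunable part: a large `max_gap` catches slower clippers at the cost of flagging a user who pastes one address and immediately copies another. On a real host the poller should also record which process last set the clipboard (the Windows clipboard owner, for instance), which turns a timing heuristic into an attribution.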
The second phase is data exfiltration: the attackers select specific file types, including documents, media, emails, developer and code files, and engineering and design files, and pull them out through the C2. This stolen data is then used as leverage for double extortion. After exfiltration, the malware receives an "encryption" command and downloads a Python-based encryption payload from a remote server. It uses Python's Fernet recipe (AES-128 in CBC mode with an HMAC-SHA256 integrity tag), generating a per-victim key that it sends to the C2, and encrypts targeted files, appending the '.crpx0' extension. System-critical directories are excluded so the machine stays bootable and the victim can read the ransom note.
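Fernet's token format is documented and rigid, which helps incident responders: every token starts with a version byte (0x80), carries the 64-bit timestamp at which it was created, and ends with an HMAC-SHA256 over everything before it, keyed with the first half of the 32-byte key. The triage script below is an added example written for this article, not code from the report or from the malware. It assumes the encrypted files are stored as raw Fernet tokens (the page does not say how the payload writes them) and that a candidate key has been recovered, for instance from captured C2 traffic; the helper and field names are mine. It classifies `.crpx0` blobs, extracts the encryption time from each token for the incident timeline, and verifies a candidate key against a file through the HMAC alone, so thousands of files can be checked without decrypting anything.

```python
import base64
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional

FERNET_VERSION = 0x80
RANSOM_EXT = ".crpx0"        # extension reported for CRPx0-encrypted files
# Fernet token layout: version(1) | timestamp(8, big-endian) | IV(16) | ciphertext(16n) | HMAC-SHA256(32)
HEADER_LEN, MAC_LEN = 1 + 8 + 16, 32
# urlsafe-base64 of 0x80 followed by the leading zero bytes of any pre-2106 timestamp
TOKEN_PREFIX = b"gAAAAA"


def parse_token(data: bytes) -> Optional[Dict]:
    """Return the structural fields of a Fernet token, or None if data is not one."""
    if not data.startswith(TOKEN_PREFIX):
        return None
    try:
        raw = base64.urlsafe_b64decode(data)
    except ValueError:
        return None
    ct_len = len(raw) - HEADER_LEN - MAC_LEN
    if raw[0] != FERNET_VERSION or ct_len < 16 or ct_len % 16:
        return None   # PKCS7 padding guarantees at least one full block of ciphertext
    return {
        "timestamp": struct.unpack(">Q", raw[1:9])[0],  # seconds since epoch when the token was made
        "iv": raw[9:25],
        "ciphertext_len": ct_len,
    }


def key_matches(candidate_key: bytes, token: bytes) -> bool:
    """Check a candidate key against a token using only the HMAC; no decryption needed."""
    try:
        raw_key = base64.urlsafe_b64decode(candidate_key)
        raw = base64.urlsafe_b64decode(token)
    except ValueError:
        return False
    if len(raw_key) != 32 or len(raw) < HEADER_LEN + MAC_LEN:
        return False
    signing_key = raw_key[:16]   # Fernet: first 16 bytes sign, last 16 bytes encrypt
    expected = hmac.new(signing_key, raw[:-MAC_LEN], hashlib.sha256).digest()
    return hmac.compare_digest(expected, raw[-MAC_LEN:])


def decrypt_with_key(key: bytes, token: bytes) -> bytes:
    """Recover plaintext with the real Fernet implementation (optional dependency)."""
    from cryptography.fernet import Fernet
    return Fernet(key).decrypt(token)


def make_demo_token(key: bytes, timestamp: int, ciphertext: bytes, iv: bytes = None) -> bytes:
    """Assemble a structurally valid token around arbitrary ciphertext bytes.
    Constructed sample for exercising the parser offline; the body is not real AES output."""
    raw_key = base64.urlsafe_b64decode(key)
    body = bytes([FERNET_VERSION]) + struct.pack(">Q", timestamp) + (iv or os.urandom(16)) + ciphertext
    mac = hmac.new(raw_key[:16], body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac)


def triage(files: Dict[str, bytes], candidate_key: Optional[bytes] = None) -> List[Dict]:
    """Inventory *.crpx0 blobs: is each a Fernet token, when was it encrypted, does the key fit."""
    report = []
    for name, data in sorted(files.items()):
        if not name.endswith(RANSOM_EXT):
            continue
        info = parse_token(data)
        report.append({
            "name": name,
            "fernet": info is not None,
            "encrypted_at": info["timestamp"] if info else None,
            "key_matches": bool(info and candidate_key and key_matches(candidate_key, data)),
        })
    return report


if __name__ == "__main__":
    key = base64.urlsafe_b64encode(os.urandom(32))   # stands in for a key captured from C2 traffic
    sample = {"report.docx" + RANSOM_EXT: make_demo_token(key, 1700000000, os.urandom(32)),
              "notes.txt": b"untouched"}
    for row in triage(sample, key):
        print(row)
```

Two practical consequences follow from the format. First, the embedded timestamps let you reconstruct the order and pace of encryption from the files themselves even when the host's logs were cleared. Second, because Fernet authenticates before it decrypts, a wrong key fails cleanly, so `key_matches` is the right first step before attempting `decrypt_with_key` on a recovered key.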
The ransomware changes the desktop wallpaper to the attackers' "gotcha" image and drops ransom notes in English, Russian, and Chinese. Victims are instructed to contact the attackers via email, qTox, or Telegram. The campaign maintains its own leak site, which at the time of analysis claimed 38 victims: 23 leaks were publicly available, and the remaining 15 victims had either paid or were still within the deadline. The stolen data is offered for a one-time fee of $500 in cryptocurrency, with "lifetime access to all current and future leaks."
Aryaka's analysis describes CRPx0 as a "highly organized, multi-platform threat" with modular and adaptable capabilities that allow attackers to escalate from opportunistic theft to large-scale double extortion. The campaign does not appear to be targeted — any user searching for a free OnlyFans account could become a victim. The report includes a list of indicators of compromise (IoCs) and a mapping to the MITRE ATT&CK framework.
This campaign highlights the growing trend of attackers using popular brand names and social engineering to bypass traditional security controls, combining multiple monetization strategies — crypto theft, data extortion, and ransomware — into a single, cross-platform operation.