Free OnlyFans Lure Used to Spread Cross-Platform CRPx0 Malware


SecurityWeek, May 12, 2026

Why It Matters

CRPx0 demonstrates how social‑engineering lures can deliver sophisticated, cross‑platform ransomware and double‑extortion schemes, raising the threat level for both personal and corporate devices. Its ability to monetize stolen data and crypto theft creates a multi‑vector financial risk for organizations that may inadvertently expose employee devices.

Key Takeaways

  • CRPx0 targets Windows and macOS, with Linux capabilities still under development.
  • The malware swaps copied crypto wallet addresses for attacker-controlled addresses.
  • Exfiltrated data is sold for $500 per victim, payable in cryptocurrency.
  • The ransomware component encrypts files with a .crpx0 extension while leaving the OS functional.
  • A "free OnlyFans" zip lure uses a malicious shortcut to install CRPx0.

Pulse Analysis

The CRPx0 campaign illustrates a growing trend where threat actors weaponize popular cultural platforms to distribute malware. By offering a "free OnlyFans" zip, attackers exploit users’ willingness to bypass paywalls, delivering a shortcut that silently launches a multi‑stage payload. This approach sidesteps traditional email phishing and taps into a niche audience, yet the underlying infrastructure is sophisticated enough to support Windows, macOS, and future Linux targets, making it a truly cross‑platform threat.

Technically, CRPx0 is a modular framework that combines cryptocurrency theft, data exfiltration, and ransomware. It monitors the clipboard for wallet addresses, replacing them with attacker‑controlled destinations, a technique that has surged in 2025‑26 as crypto transactions increase. Simultaneously, the malware harvests documents, source code, and design files, posting them on a leaks site for a $500 cryptocurrency fee. When the operators issue an encryption command, a Python‑based crypter encrypts files with a Fernet AES key, appending a .crpx0 suffix while preserving system functionality to avoid immediate detection.

For enterprises, the campaign underscores the importance of strict download policies and endpoint monitoring, especially on devices used for personal browsing. The multilingual ransom notes and reliance on personal accounts suggest attackers are targeting individuals who may later expose corporate data through shadow IT. Organizations should enforce application whitelisting, educate users about the risks of downloading pirated content, and deploy behavioral analytics to detect clipboard hijacking or anomalous file encryption. Proactive threat hunting for the IoCs shared by Aryaka can further reduce the risk of a CRPx0 infection spreading within a corporate network.
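As an added, defender-side example (not code from the article or from Aryaka's report), the script below triages files carrying the .crpx0 suffix by parsing the unauthenticated Fernet token header, which embeds a version byte and a UTC timestamp; no key is needed, and the recovered timestamps give incident responders an encryption timeline for the anomalous-file-encryption hunting recommended above. The token layout follows the public Fernet specification, and the fixture token is constructed here, not taken from a real sample.

```python
import base64
import struct
from datetime import datetime, timezone
from pathlib import Path

# Fernet token layout: 0x80 version byte | 64-bit big-endian timestamp |
# 128-bit IV | AES-128-CBC ciphertext (multiple of 16 bytes) | 32-byte HMAC-SHA256.
HEADER_LEN, HMAC_LEN = 1 + 8 + 16, 32
ENCRYPTED_SUFFIX = ".crpx0"  # extension the campaign appends to encrypted files


def parse_fernet_header(token):
    """Read the unauthenticated Fernet header (no key needed); None if not token-shaped."""
    try:
        raw = base64.urlsafe_b64decode(token.strip())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    body = len(raw) - HEADER_LEN - HMAC_LEN
    if raw[:1] != b"\x80" or body < 16 or body % 16:
        return None
    (ts,) = struct.unpack(">Q", raw[1:9])
    return {"encrypted_at": datetime.fromtimestamp(ts, tz=timezone.utc),
            "iv": raw[9:25].hex(), "ciphertext_len": body}


def triage_blobs(items):
    """items: (name, content) pairs. Keep .crpx0 files that parse as Fernet tokens,
    ordered by embedded timestamp, which yields an encryption timeline for IR."""
    hits = []
    for name, content in items:
        meta = parse_fernet_header(content) if name.endswith(ENCRYPTED_SUFFIX) else None
        if meta:
            hits.append({"name": name, **meta})
    return sorted(hits, key=lambda h: h["encrypted_at"])


def triage_directory(root):
    """On-disk wrapper: walk a tree and triage every *.crpx0 file found."""
    files = (p for p in Path(root).rglob("*" + ENCRYPTED_SUFFIX) if p.is_file())
    return triage_blobs((str(p), p.read_bytes()) for p in files)


def make_sample_token(ts, blocks=2):
    """Constructed fixture: token-shaped bytes with dummy IV/ciphertext/MAC (MAC will not verify)."""
    raw = b"\x80" + struct.pack(">Q", ts) + b"\x11" * 16 + b"\x22" * (16 * blocks) + b"\x33" * HMAC_LEN
    return base64.urlsafe_b64encode(raw)
```

Run `triage_directory("/path/to/suspect/share")` on a mounted image or share to list encrypted files in the order they were written; a file ending in .crpx0 that does not parse as a Fernet token is worth a closer look, since it may be a different encryptor or a decoy.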

