SECURITYWEEK reports that CRPx0 is a cross‑platform, multi‑stage malware campaign that currently targets Windows and macOS, with Linux capabilities reportedly in development, and was analysed by Aryaka Threat Research Labs. The campaign begins with a lure offering a free OnlyFans account, prompting users to download a ZIP named OnlyfansAccounts[.]zip containing a deceptive Onlyfans Accounts[.]lnk that leads to the infection chain.
Once active, the malware collects environment data, maintains persistence, and calls home to its C2 while updating itself, with the operation claiming 38 victims compromised so far and 23 leaks available on its site, and alleging the theft of 10,839 terabytes of data.
Its effects include cryptocurrency theft via clipboard monitoring, data exfiltration for double extortion, and ransomware encryption that uses a Python payload (crypter[.]py) and a Fernet key sent to the C2 to encrypt files with the .crpx0 extension, alongside ransom notes in English, Russian and Chinese. Victims are instructed to contact attackers through multiple channels, and the campaign emphasises a “Lifetime access to all current and future leaks” for a one‑time $500 cryptocurrency payment.
According to Aryaka Threat Research Labs, the operation is modular and adaptable, targeting personal devices and potentially enterprise devices on the office network.