Lummac Stealer on OnlyFans

Cybersecurity researchers have uncovered Lummac Stealer malware disguised as an OnlyFans “checker” tool and aimed at other hackers.  Related lures from the same actor target would-be Disney+ and Instagram hackers.

Cybersecurity experts at Veriti’s cyber research team have discovered a Lummac Stealer (also known as LummaC2 Stealer) operation that cleverly flips the script on would-be OnlyFans hackers, turning them from hunters into the hunted.[1]

The operation centers on a user going by the name “Bilalkhanicom” on a notorious hacking forum, who offered a “checker” tool that supposedly allowed users to “check” OnlyFans accounts for valuable information.  This “checker” turned out to be malware, specifically the strain known as Lummac Stealer.  Instead of gaining access to OnlyFans account information or illicit content, those who downloaded the tool were infected with Lummac Stealer, which can steal everything from passwords and financial information to browsing history and cryptocurrency wallets.

Bilalkhanicom posted the malicious installer on a hacker forum (Screenshot: Veriti)

In January 2024, Lumma was found spreading through cracked software distributed via compromised YouTube channels.  Earlier, in November 2023, researchers identified a new version, LummaC2 v4.0, which applied trigonometry to recorded mouse movements to decide whether a real human was at the keyboard before stealing data, a technique intended to evade analysis sandboxes.

According to Veriti’s research, shared with Hackread.com ahead of publication on Wednesday, Bilalkhanicom uses similar tactics to target those interested in hacking other platforms, including Disney+, Instagram, and even botnets.

The malicious installers are named to match the interests of the hackers they target, based on the service those hackers aim to exploit.  For example, to target Disney+ hackers, Bilalkhanicom offers a checker tool called “DisneyChecker.exe.”  Similarly, for Instagram the tool is named “InstaCheck.exe,” and for botnet enthusiasts it is labelled “ccMirai.exe,” a reference to the notorious Mirai botnet malware, infamous for orchestrating large-scale, crippling DDoS attacks worldwide.

As for Bilalkhanicom, their origin currently remains unknown; however, researchers have identified folder names within the malware’s file structure that hint at influences from across the globe, from East Asia and Africa to Latin America, and even Celtic mythology.  “Our researchers uncovered a potential geopolitical link hidden in the malware’s architecture.  The folder names used in the malware’s file structure paint a picture of global influences: ‘Hiyang’ and ‘Reyung’ whisper of East Asian connections; ‘Zuka’ echoes African influences; ‘Lir’ invokes Celtic mythology; ‘Popisaya’ hints at Indigenous Latin American roots.”

This is not the first time OnlyFans has been used as bait.  In June 2023, a malicious campaign targeting smartphone users employed fake OnlyFans content to distribute DcRAT malware.  The attackers lured victims by exploiting their interest in adult-oriented material, specifically those who engaged with explicit OnlyFans content.

Pornographic sites are often platforms for spreading malware.[2]  OnlyFans is no different.  OnlyFans is an internet content subscription service based in London, England.  It is used primarily by sex workers who produce pornography, but it also hosts the work of other content creators, such as fitness experts and musicians.  Content on the platform is user-generated and monetized through monthly subscriptions, tips, and pay-per-view; creators receive 80% of these fees.

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5378972949933166424

[1] https://hackread.com/onlyfans-checker-tool-hackers-lummac-stealer-malware/

[2] https://malwaretips.com/blogs/malicious-malware-on-porn-websites-email-scam/