Hackers are targeting other hackers with a fake OnlyFans tool that claims to help steal accounts but instead infects threat actors with the Lumma stealer information-stealing malware.

The operation, discovered by Veriti Research, constitutes a characteristic example of the blurred lines between being a predator or prey in the world of cybercrime, where ironic twists and backstabs are abundant.

“Checking” into a Lumma infection

OnlyFans is an extremely popular subscription-based adult content platform where creators can earn money from users (referred to as “fans”) who pay for access to their content.

Creators can share videos, images, messages, and live streams with their subscribers, while subscribers pay a recurring fee or one-time payments for exclusive content.

Given its popularity, OnlyFans accounts often become targets of threat actors who attempt to hijack them to steal fan payments, extort the account owner to pay a ransom, or simply leak private photos.

Checker tools are designed to help validate large sets of stolen login credentials (usernames and passwords), checking if the login details match any OnlyFans accounts and whether they’re still valid.

Without those tools, cybercriminals would have to manually test out thousands of credential pairs, an impractical and tedious process that would render the scheme nonviable.

However, these tools are commonly created by other cybercriminals, causing hackers to trust that they are safe to use, and in some cases, this backfires.

Veriti discovered a case of an OnlyFans checker promising to verify credentials, check account balances, verify payment methods, and determine creator privileges but instead installed the Lumma information-stealing malware.

The payload, named “brtjgjsefd.exe,” is fetched from a GitHub repository and loaded into the victim’s computer.

Lumma is an information-stealing malware-as-a-service (MaaS) that has been rented to cybercriminals since 2022 for $250-$1000/month and distributed via various means, including malvertising, YouTube comments, torrents, and, more recently, GitHub comments.

It is an advanced information stealer with innovative evasion mechanisms and the ability to restore expired Google session tokens. It is mostly known for stealing two-factor authentication codes, cryptocurrency wallets, and passwords, cookies, and credit cards stored on a victim’s browser and file system.

Lumma also doubles as a loader itself, capable of introducing additional payloads onto the compromised system and executing PowerShell scripts.

A broader deception operation

Veriti found that when the Lumma Stealer payload is launched, it will connect to a GitHub account under the name “UserBesty,” which the cybercriminal behind this campaign uses to host other malicious payloads.

Specifically, the GitHub repository contains executables that resemble checkers for Disney+ accounts, Instagram, and a supposed Mirai botnet builder:

• Disney+ account thieves are targeted with “DisneyChecker.exe”
• Instagram hackers are lured by “InstaCheck.exe”
• Wannabe botnet creators are lured with “ccMirai.exe”

Digging deeper into the malware’s communications, Veriti’s researchers found a set of “.shop” domains that acted as command and control (C2) servers, sending commands to Lumma and receiving the exfiltrated data.

This campaign is not the first time threat actors have targeted other cybercriminals in malicious attacks.

In March 2022, hackers targeted hackers with clipboard stealers disguised as cracked RATs and malware-building tools to steal cryptocurrency.

Later that year, a malware developer backdoored their own malware to steal credentials, cryptocurrency wallets, and VPN account data from other hackers.