Security News

Cybersecurity news aggregator

HIGH Attacks SC Media

New CRPx0 malware campaign uses OnlyFans lure for crypto theft and ransomware

The CRPx0 malware campaign is a multi-platform threat targeting macOS and Windows systems via social engineering lures, such as malicious zip files promising free OnlyFans access. The malware steals cryptocurrency by altering clipboard wallet addresses, exfiltrates data for double extortion, and deploys ransomware that encrypts files with a .crpx0 extension. This organized operation demonstrates a clear progression from initial compromise to data theft and ransom demands.

May 13, 2026, by SC Staff

A complex and stealthy malware campaign dubbed CRPx0 is targeting macOS and Windows systems, with potential Linux capabilities in development. The campaign begins with a social engineering lure offering free access to OnlyFans, aiming to trick users into downloading malicious files. This sophisticated operation involves cryptocurrency theft, large-scale data exfiltration, and ransomware deployment, based on information published by Security Week.

The CRPx0 campaign, analyzed by Aryaka Threat Research Labs, uses a malicious zip file containing a shortcut that appears to lead to free OnlyFans accounts. Instead, it installs malware that steals cryptocurrency by monitoring and altering clipboard entries for wallet addresses. The attackers then exfiltrate selected data, including documents, media, emails, and code files, as part of a double extortion strategy.

Following data theft, the malware encrypts targeted files with the .crpx0 extension, displays a "gotcha" image as the desktop wallpaper, and drops ransom notes in multiple languages. Victims are instructed to contact the attackers via various channels, including email, qTox, and Telegram.

The campaign also operates a leaks site, claiming to have compromised 38 victims and leaked over 10,839 terabytes of data. Stolen data is offered for sale for $500 in cryptocurrency, granting lifetime access to current and future leaks. The campaign is described as a highly organized, multi-platform threat adaptable to escalating from opportunistic theft to large-scale data exfiltration and double extortion.

Source: Security Week