From ZIP File to crpx0 Ransomware: Anatomy of a Multi-Stage Attack
ID: 9f8b012d-b3ea-5fd2-b99d-3faef88ab2ee
STIX ID: report--9f8b012d-b3ea-5fd2-b99d-3faef88ab2ee
Feed Name: Aryaka
Aryaka Threat Research Labs describes a multi-stage campaign in which attackers distribute crpx0 ransomware inside a ZIP archive disguised as “free OnlyFans” content. A malicious shortcut in the archive triggers a VBScript loader that installs Python, enabling a remote-controlled payload used for clipboard cryptocurrency theft, credential harvesting, and data exfiltration, before escalating to ransomware deployment and extortion.
