Global Phishing Campaign Uses Lua Loader Disguised as TrueType Font Files

Global Phishing Campaign Uses Lua Loader Disguised as TrueType Font Files

First seen 16 Jul 2026, 16:12 UTC Infosecurity-Magazinewww.fortinet.com 82% similarity 69.5

Article Content

Browse articles
ThreatCluster

Since late March 2026, a large-scale phishing campaign has been observed utilizing disguised TrueType Font (.ttf) files to deliver Lua-based loaders and various malware, including Agent Tesla and Remcos. The attackers impersonate reputable companies to lure victims into opening malicious archives attached to phishing emails. The JavaScript files within these archives are heavily obfuscated, employing techniques like string array mapping and control flow flattening to evade detection. Once executed, the scripts establish persistence by copying themselves to the %PUBLIC%\Libraries folder and setting up scheduled tasks. The final payloads include remote access trojans (RATs) and infostealers, with the attack's design allowing for in-memory execution, leaving minimal traces on disk. The campaign has been confirmed by Fortinet's FortiGuard Labs, highlighting the need for improved detection methods that focus on file behavior rather than extensions. The impact is significant, affecting any organization using Microsoft Windows.

Key Points: • Attackers use .ttf files to disguise Lua loaders for malware delivery. • The campaign has been active since late March 2026, targeting Windows systems. • Malware includes Agent Tesla, Remcos, XWorm, and Best Private LOGGER.

ThreatCluster AI

Timeline

2026-03-01
Phishing campaign began
A large-scale phishing operation started, using .ttf files to deliver malware.
Fortinet
2026-07-16
Fortinet reports on the campaign
FortiGuard Labs published findings detailing the obfuscation techniques and malware used in the phishing attacks.
Infosecurity-Magazine

Community

Browse all →