Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

Phishing Campaign Hides Lua Loader as TrueType Font File

July 16, 2026

Laser Attack Resets Tangem Wallet Passwords on Cards That Can’t Be Patched

July 16, 2026

Single Prompt Enables ChatGPT to Execute Full Cyber-Attack Chain

July 16, 2026
Facebook X (Twitter) Instagram
Thursday, July 16
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»Phishing Campaign Hides Lua Loader as TrueType Font File
News

Phishing Campaign Hides Lua Loader as TrueType Font File

Team-CWDBy Team-CWDJuly 16, 2026No Comments3 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


A large-scale phishing operation has been observed disguising a malicious script as a TrueType font file (.tff). Using the fake .ttf extension, a Lua-based loader is slipped onto Windows systems and a rotating cast of remote access trojans and infostealers is deployed.

According to research published on July 16 by Fortinet’s FortiGuard Labs, the campaign has been running since late March 2026 and combines fileless techniques with a low-detection loader to deliver Agent Tesla, Remcos, XWorm and a keylogger called Best Private LOGGER.

The operators impersonated well-known companies and used business-cooperation lures to push malicious archives, often attached to phishing emails carrying payment-themed prompts.

Read more on Remcos delivery: SHADOW#REACTOR Campaign Uses Text-Only Staging to Deploy Remcos RAT

Fake Fonts, Real Loaders

The archives observed by Fortinet contained a JavaScript file wrapped in dense junk code with string-array mapping and control-flow flattening designed to defeat both manual analysis and AI-driven review.

When executed, the script copied itself to the %PUBLIC%Libraries folder, set up a scheduled task for persistence and then dropped either a LuaJIT interpreter or an AutoIt executable. The file it treated as a script carried a .ttf extension, borrowing the look of a legitimate TrueType font.

Jason Soroko, senior fellow at certificate lifecycle management (CLM) provider Sectigo, said the design showed why “security controls cannot treat a file extension as proof of file type or intent.”

Each component looked less suspicious in isolation, he argued, while the combined sequence produced in-memory execution of RATs and infostealers.

Soroko urged defenders to analyze files by content, behavior and execution context rather than name and to restrict Windows Script Host, AutoIt and LuaJIT interpreters where they were not required.

The Lua path was the more evolved of the two. The disguised script reversed itself, applied symbol-substitution rules, decoded from Base64, then ran a custom ROT cipher whose rotation key was derived from the first byte of the ciphertext.

A June 2026 build added a segmented encryption scheme in which the shellcode was split into page-sized fragments marked non-executable, decrypted one page at a time by a Vectored Exception Handler as the processor tried to run them.

From Loader to Payload

The final payload arrived wrapped in Donut shellcode, whose reflective loader mapped and executed the malware directly in memory, leaving nothing on disk to inspect.

FortiGuard observed one of four payloads dropped per victim: Remcos, Agent Tesla, XWorm or Best Private LOGGER. The company classified the latter as a Snake Keylogger variant after comparing its collection module against a payload generated with a Snake VIP Keylogger builder.

Shane Barney, chief information security officer at Keeper Security, said the payload set made the attacker’s goal plain: valid credentials and a persistent foothold.

When signature-based detection failed, he said, the blast radius was determined by “how much damage [could] be done with the credentials once they [had] been stolen.”

Barney urged organizations to lean on identity controls, least privilege and re-authentication for sensitive systems, on the assumption that credentials would eventually be compromised.



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleLaser Attack Resets Tangem Wallet Passwords on Cards That Can’t Be Patched
Team-CWD
  • Website

Related Posts

News

Laser Attack Resets Tangem Wallet Passwords on Cards That Can’t Be Patched

July 16, 2026
News

Modular macOS Stealer Uses Kill Loops to Force Password Entry

July 16, 2026
News

New MODBEACON RAT Uses gRPC Streaming for Encrypted C2 Traffic

July 16, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202523 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

What it is and how to protect yourself

January 8, 2026

How to mitigate the security and privacy risks of smart glasses

May 11, 2026

When ‘hacking’ your game becomes a security risk

October 17, 2025

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.