VYPR
researchPublished Jul 16, 2026· 1 source

Phishing Campaign Deploys Lua Loader Disguised as TrueType Font

A global phishing campaign is distributing a Lua loader disguised as a TrueType font file, enabling threat actors to bypass security controls and deploy various malware payloads.

A widespread phishing campaign, active since late March 2026, is employing a sophisticated technique to deliver malware by disguising a Lua-based loader as a TrueType font file (.ttf). This method allows threat actors to bypass security controls and deploy a rotating selection of Remote Access Trojans (RATs) and infostealers onto targeted Windows systems.

Research from Fortinet's FortiGuard Labs indicates that the campaign has successfully delivered payloads such as Agent Tesla, Remcos, XWorm, and a keylogger known as Best Private LOGGER. The threat actors are impersonating well-known companies and using business-related lures, often involving payment-themed prompts, to trick victims into opening malicious archives.

Inside these archives, researchers discovered a JavaScript file heavily obfuscated with junk code, string-array mapping, and control-flow flattening to evade both manual analysis and automated security tools. Upon execution, the script establishes persistence by copying itself to the %PUBLIC%\Libraries folder and creating a scheduled task. It then drops either a LuaJIT interpreter or an AutoIt executable, with the malicious script file itself bearing the .ttf extension to mimic a legitimate font file.

Security experts highlight that this tactic underscores the inadequacy of relying solely on file extensions for security. Jason Soroko of Sectigo advises that security controls should analyze files based on their content, behavior, and execution context, rather than just their name. He also recommends restricting the use of Windows Script Host, AutoIt, and LuaJIT interpreters where they are not essential.

The Lua execution path demonstrates advanced evasion. The disguised script reverses itself, applies symbol-substitution rules, decodes from Base64, and then runs a custom ROT cipher. A more recent variant from June 2026 incorporates a segmented encryption scheme, where shellcode is split into non-executable pages and decrypted on-the-fly by a Vectored Exception Handler as the processor attempts to execute them.

Ultimately, the malware payload is delivered using Donut shellcode, which maps and executes the malware directly in memory, leaving minimal traces on disk. The observed payloads include Remcos, Agent Tesla, XWorm, and Best Private LOGGER, the latter identified as a variant of Snake Keylogger. The consistent deployment of these tools points to the attackers' primary objectives: stealing valid credentials and establishing a persistent foothold within victim networks.

Given the effectiveness of such techniques, security professionals emphasize the importance of robust identity controls, the principle of least privilege, and frequent re-authentication for sensitive systems. Shane Barney of Keeper Security notes that the blast radius of such attacks is determined by the damage that can be inflicted with compromised credentials, making strong access management crucial.

Synthesized by Vypr AI