HomeRisk ManagementsPhishing Campaign Disguises Lua Loader as TrueType Font File

Phishing Campaign Disguises Lua Loader as TrueType Font File

Published on

spot_img

Disguised Threats: The Rise of a Large-Scale Phishing Operation

In recent reports, a significant phishing operation has come to light, employing a deceptive approach by disguising a malicious script as a TrueType font file, specifically using the .ttf extension. This operation, identified as a large-scale campaign, has managed to infiltrate Windows systems with a Lua-based loader, which subsequently deploys a rotating array of remote access trojans (RATs) and information stealers.

According to research published on July 16 by Fortinet’s FortiGuard Labs, this campaign has been active since late March 2026. It uniquely combines fileless techniques with a low-detection loader, facilitating the delivery of malware including Agent Tesla, Remcos, XWorm, and a keylogger referred to as Best Private LOGGER. This sophisticated approach underscores the evolving tactics employed by cybercriminals to evade detection.

The attackers behind this phishing scheme are reported to have impersonated well-known companies, utilizing business-cooperation lures to disseminate malicious archives. These lures are often distributed through phishing emails that include payment-themed prompts, designed to exploit the victim’s trust and provoke a hasty response.

The malicious archives observed by Fortinet contained a JavaScript file intentionally wrapped in layers of junk code, featuring advanced techniques like string-array mapping and control-flow flattening. This complexity is strategically designed to thwart both manual analysis and automated AI-driven reviews, making detection significantly more challenging for cybersecurity professionals.

Upon execution, the malicious script replicates itself into the %PUBLIC%\Libraries folder, establishes a scheduled task for persistence, and ultimately delivers either a LuaJIT interpreter or an AutoIt executable. In an attempt to mask its true nature, the file masquerades as a legitimate TrueType font.

Jason Soroko, a senior fellow at Sectigo—a provider of certificate lifecycle management (CLM)—has expressed concern about the implications of such an attack. He emphasized the risks associated with treating file extensions as definitive proof of file type or intent. In his analysis, each component of the operation appears less suspicious when viewed in isolation; however, their combined execution sequence leads to the in-memory operation of RATs and information stealers.

Soroko has been vocal about the necessity for defenders to analyze files based on their content, behavior, and execution context rather than mere names. He advocates for restricting the use of Windows Script Host, AutoIt, and LuaJIT interpreters in environments where they are not essential.

The Lua path of the attack, noted for its evolution, features a script that cleverly reverses itself, applies symbol-substitution rules, decodes data from Base64 format, and runs a custom ROT cipher. This cipher’s rotation key is intricately derived from the initial byte of the ciphertext, showcasing the innovation employed by the attackers.

Moreover, a build from June 2026 introduced a segmented encryption scheme, in which the shellcode is divided into page-sized fragments. These fragments are marked as non-executable, decrypted incrementally by a Vectored Exception Handler as the processor attempts to execute them. This approach complicates the detection and analysis processes even further.

As the operation progresses, the final payload is packaged in Donut shellcode, allowing for reflective loading and in-memory execution of the malware, ultimately leaving no residual traces on disk for analysts to examine. According to FortiGuard’s observations, each victim receives one of four payloads: Remcos, Agent Tesla, XWorm, or Best Private LOGGER. The latter has been classified as a variant of the Snake Keylogger following analyses that compared its collection module to those generated with a Snake VIP Keylogger builder.

Shane Barney, Chief Information Security Officer at Keeper Security, has articulated the clear objectives of this campaign. He suggests that the attackers are aiming for valid credentials and establishing a persistent foothold in compromised systems. When traditional signature-based detection fails, the extent of damage is determined by how much can be exploited with the accessed credentials.

Barney emphasizes the importance of organizations adopting robust identity controls, implementing least privilege principles, and mandating re-authentication for sensitive systems. This approach is essential, especially under the assumption that credentials may eventually be compromised, highlighting the dire need for heightened vigilance and proactive measures against evolving cyber threats.

This ongoing phishing operation illustrates the dynamic nature of cybercrime, urging organizations to remain ever diligent in their cybersecurity practices in the face of increasingly sophisticated threats.

Source link

Latest articles

Inside Microsoft’s Record-Breaking Release of 622 Bugs

Microsoft's Record-Breaking Security Update Addresses Urgent Vulnerabilities On July 14, 2026, Microsoft announced an unprecedented...

Google Raises Security Concerns Over EU Order to Unleash Android

Artificial Intelligence & Machine Learning, Geo-Specific, ...

Top 10 Firewall Solutions Raising Cybersecurity Standards in 2026

The firewall category is rapidly transforming, marking the most significant evolution since the introduction...

When AI Acquires a Physical Form, It Inherits an Attack Surface

Embodied artificial intelligence (AI) constructs a bridge between the digital and physical realms by...

More like this

Inside Microsoft’s Record-Breaking Release of 622 Bugs

Microsoft's Record-Breaking Security Update Addresses Urgent Vulnerabilities On July 14, 2026, Microsoft announced an unprecedented...

Google Raises Security Concerns Over EU Order to Unleash Android

Artificial Intelligence & Machine Learning, Geo-Specific, ...

Top 10 Firewall Solutions Raising Cybersecurity Standards in 2026

The firewall category is rapidly transforming, marking the most significant evolution since the introduction...