Skip to main content
Emerging ThreatsMalware & Ransomware

Phishing Campaign Exploits Font File to Deploy Lua Loader

Business professional sits at computer with blurred screen in typical workspace.

"security controls cannot treat a file extension as proof of file type or intent," said Jason Soroko, and a new Fortinet analysis shows why defenders should take that warning literally.

How the phishing lures worked

Fortinet's FortiGuard Labs published research on July 16 that traces a large-scale phishing operation running since late March 2026. Operators impersonated well-known companies and used business-cooperation lures to deliver archives attached to phishing emails, often carrying payment-themed prompts. Those malicious archives contained a JavaScript payload hidden beneath dense junk code intended to foil both manual analysis and AI-driven review: string-array mapping and control-flow flattening were present in the samples FortiGuard examined.

The fake .ttf file and the fileless execution chain

The JavaScript, once executed, copied itself to the %PUBLIC%\\Libraries folder and created a scheduled task for persistence. It then dropped either a LuaJIT interpreter or an AutoIt executable. The file the loader treated as a script carried a .ttf extension, borrowing the appearance of a legitimate TrueType font while actually invoking a Lua-based loader. FortiGuard described the campaign as combining fileless techniques with a low-detection loader; the final stage arrived wrapped in Donut shellcode whose reflective loader mapped and executed malware directly in memory, "leaving nothing on disk to inspect."

LuaJIT path: layered obfuscation and segmented decryption

FortiGuard found the Lua path to be the more evolved of the two loader tracks. The disguised script reversed itself, applied symbol-substitution rules, decoded data from Base64 and ran a custom ROT cipher whose rotation key was derived from the first byte of the ciphertext. A June 2026 build added a segmented encryption scheme: the shellcode was split into page-sized fragments marked non-executable and decrypted one page at a time by a Vectored Exception Handler as the processor attempted to run them. These measures pushed execution into memory and increased the difficulty of signature-based detection.

Payloads observed: Remcos, Agent Tesla, XWorm and Best Private LOGGER

FortiGuard observed that victims received one of four payload families: Remcos, Agent Tesla, XWorm or a keylogger called Best Private LOGGER. The research classified Best Private LOGGER as a Snake Keylogger variant after comparing its collection module against a payload generated with a Snake VIP Keylogger builder. Shane Barney, chief information security officer at Keeper Security, summarized the attackers' objective plainly: the payload mix targeted valid credentials and a persistent foothold. When signature-based detection failed, Barney said, the blast radius was determined by "how much damage [could] be done with the credentials once they [had] been stolen."

What this means for security teams, finance/procurement teams, and identity teams

  • Security teams: Follow Jason Soroko's prescription to "analyze files by content, behavior and execution context rather than name" and consider restricting interpreters such as Windows Script Host, AutoIt and LuaJIT where they are not required. Monitor for unexpected scheduled tasks and copies in %PUBLIC%\\Libraries that could indicate a staged loader.
  • Finance and procurement teams: Be especially wary of payment-themed prompts and business-cooperation lures. The operators used those templates to deliver archives that contained the obfuscated JavaScript and the disguised .ttf loader.
  • Identity and access teams: Heed Shane Barney's advice to "lean on identity controls, least privilege and re-authentication for sensitive systems," operating under the assumption that credentials may eventually be compromised and that stolen credentials determine how far an attack can spread.

The campaign illustrates a simple but persistent truth: file extensions and names are weak signals when attackers layer obfuscation, in-memory loaders and reflective shellcode. FortiGuard's findings—from the late-March 2026 start date to the June build's segmented decryption and the use of Donut reflective loading—show a track of incremental engineering aimed at avoiding disk evidence and signature detection. Organizations that still prioritize file-name checks over behavioral and execution-context analysis risk being surprised by a file that "looks like" a font but acts like a loader.

Read the original Fortinet reporting: https://www.infosecurity-magazine.com/news/phishing-lua-loader-truetype-font/