Obfuscated Fonts Mask Global RAT Attacks
Threat actors are weaponizing fake TrueType Font files to slip low-detection malware past traditional Windows endpoint defenses.
A new, sophisticated phishing campaign is exploiting the mundane nature of font files to slip malicious payloads into corporate networks. By disguising a custom Lua-based loader as a standard TrueType Font, attackers are successfully bypassing traditional security layers to deploy persistent remote access tools.
Weaponizing the TrueType Font Standard
At the heart of this campaign, which has been active since at least late March 2026, is a deceptive delivery mechanism. Attackers utilize heavily obfuscated JavaScript to set up a foothold before dropping either a legitimate AutoIt executable or a LuaJIT interpreter. The malicious payload itself is hidden within a file bearing the .ttf extension, a common format usually reserved for system fonts.
This unconventional approach allows the loader to perform complex de-obfuscation routines in memory, eventually decrypting and executing shellcode without ever writing a traditional binary to the disk. This fileless execution chain is designed to survive detection once the initial phishing bait is taken.
The Human Factor in Technical Evasion
Despite the technical complexity involved in these evasion tactics, the entry point remains a classic social engineering trick. Attackers mimic well-known organizations to lure employees into opening malicious compressed archives under the guise of business partnerships or urgent payment matters.
The most sophisticated technical evasion in the world still starts the same way: someone opens an email from what looks like a trusted company and acts on it.
— Shane Barney, CISO at Keeper Security
Sophistication in Evasion and Payload
The campaign is not limited to a single threat actor’s preference; it has been observed deploying several high-profile malicious families. The technical rigor of these attacks highlights a growing trend of utilizing advanced anti-analysis methods to slip past modern endpoint detection.
- Active since: late March 2026
- Primary payloads: Agent Tesla, Remcos, XWorm, and Best Private LOGGER
- Execution method: Donut shellcode-based fileless loading
- Evasion techniques: Vectored Exception Handler-based decryption, AMSI/ETW bypasses, and API unhooking
The loaders themselves are evolving, incorporating techniques like segmented shellcode encryption to further frustrate analysis. Experts emphasize that relying on static indicators like file hashes is insufficient, as the loader structure is prone to rapid iteration.
Strategic Shifts for Network Defense
Defending against such elusive threats requires moving beyond simple signature-based detection. Organizations should focus on hardening their environments by restricting unnecessary tools such as Windows Script Host and AutoIt wherever they are not critical to business operations.
Ultimately, the implication for businesses is a necessary pivot toward identity-centric security. Because no filter can stop every malicious email, limiting the lateral movement potential of compromised credentials—through least privilege and strict re-authentication policies—is the only way to constrain an attacker's impact once a breach occurs. Security teams are advised to monitor for anomalous memory behaviors and shellcode execution, as these are the most stable indicators of a compromise across the various iterations of this loader.
Continue Reading
Grav CMS 2FA Bypass Vulnerability Disclosed in Login Plugin
A critical 2FA bypass vulnerability in Grav CMS allows attackers to reset TOTP secrets, effectively neutralizing multi-factor authentication protections.
Critical Hard-Coded Secret Flaw Found in clawvet API Server
A hard-coded JWT secret in clawvet API versions before 0.7.5 allows unauthenticated remote attackers to forge session cookies and steal sensitive user data.
CISA Flags Actively Exploited Fortinet FortiSandbox OS Injection Flaw
CISA has added a critical OS command injection vulnerability in FortiSandbox to its KEV catalog, mandating urgent remediation for federal agencies.