Phishing Masks Malware as TrueType Fonts
A persistent phishing operation is weaponizing fake TrueType font files to distribute infostealers and remote access trojans.
A sophisticated, large-scale phishing campaign is currently circulating, utilizing deceptive file extensions to bypass traditional security filters. By disguising malicious scripts as TrueType font files (.ttf), threat actors are successfully deploying a variety of persistent infostealers and remote access trojans (RATs) onto compromised Windows systems.
Tactics Behind the Font Deception
Identified in research published on July 16, 2026, the campaign has been active since late March 2026. Attackers commonly impersonate reputable corporations, using business-oriented lures and payment-themed email prompts to distribute malicious archives.
These archives contain JavaScript files heavily obfuscated with string-array mapping and control-flow flattening, techniques specifically engineered to confuse both human analysts and automated AI-driven review systems. Upon execution, the script secures persistence via a scheduled task in the %PUBLIC%\Libraries folder, subsequently dropping either an AutoIt executable or a LuaJIT interpreter to facilitate further stages of the attack.
Security controls cannot treat a file extension as proof of file type or intent.
— Jason Soroko, senior fellow at certificate lifecycle management (CLM) provider Sectigo
Evolution of the Loader Mechanism
The campaign’s Lua-based loader demonstrates significant technical maturity. The disguised script utilizes a complex sequence of symbol substitution, Base64 decoding, and a custom rotation cipher to obfuscate its intent. By June 2026, the attackers introduced a segmented encryption scheme, which employs a Vectored Exception Handler to decrypt shellcode in page-sized, non-executable fragments only as they are processed.
The Risks of In-Memory Execution
The final payload is delivered via Donut shellcode, which executes the malware entirely within memory to avoid leaving actionable forensic artifacts on the disk. The primary payloads deployed during this campaign include:
- Agent Tesla
- Remcos
- XWorm
- Best Private LOGGER
The security implications of such stealthy tactics are significant. As noted by Shane Barney, chief information security officer at Keeper Security, when signature-based detection is circumvented, the total impact is often measured by the extent of damage perpetrators can cause once they have successfully harvested sensitive user credentials.
Securing Against Evasive Threats
For organizations, this campaign highlights the insufficiency of relying on file extensions as a primary security boundary. Defenders are urged to prioritize analysis based on file behavior, content, and execution context rather than file names. Furthermore, limiting the use of tools like Windows Script Host, LuaJIT, and AutoIt—where they are not strictly necessary for business operations—can significantly reduce the attack surface. Ultimately, a robust defense must rely on identity-centric controls, the principle of least privilege, and mandatory re-authentication for sensitive systems, operating under the assumption that credential compromise is an inevitable outcome of modern phishing strategies.
Continue Reading
The Dangerous New 'ClickLock' Mac Scam
A sophisticated social engineering campaign is tricking macOS users into executing terminal commands that surrender their private data.
Ego and Expertise in TfL Hack Sentence
Two young men sentenced to prison for a major transport network breach highlight the dangers of high-skill, attention-seeking actors.
Qantas Data Breach: A Social Engineering Gap
Regulators find the airline followed privacy rules despite a massive breach caused by a sophisticated vishing attack.