Advertisement
Cyber Crime

Phishing Masks Malware as TrueType Fonts

A persistent phishing operation is weaponizing fake TrueType font files to distribute infostealers and remote access trojans.

··1 hour ago·2 min read
black laptop computer turned on with green screen
Photo by Moritz Erken on Unsplash
Advertisement

A sophisticated, large-scale phishing campaign is currently circulating, utilizing deceptive file extensions to bypass traditional security filters. By disguising malicious scripts as TrueType font files (.ttf), threat actors are successfully deploying a variety of persistent infostealers and remote access trojans (RATs) onto compromised Windows systems.

Tactics Behind the Font Deception

Identified in research published on July 16, 2026, the campaign has been active since late March 2026. Attackers commonly impersonate reputable corporations, using business-oriented lures and payment-themed email prompts to distribute malicious archives.

These archives contain JavaScript files heavily obfuscated with string-array mapping and control-flow flattening, techniques specifically engineered to confuse both human analysts and automated AI-driven review systems. Upon execution, the script secures persistence via a scheduled task in the %PUBLIC%\Libraries folder, subsequently dropping either an AutoIt executable or a LuaJIT interpreter to facilitate further stages of the attack.

Security controls cannot treat a file extension as proof of file type or intent.

— Jason Soroko, senior fellow at certificate lifecycle management (CLM) provider Sectigo

Evolution of the Loader Mechanism

The campaign’s Lua-based loader demonstrates significant technical maturity. The disguised script utilizes a complex sequence of symbol substitution, Base64 decoding, and a custom rotation cipher to obfuscate its intent. By June 2026, the attackers introduced a segmented encryption scheme, which employs a Vectored Exception Handler to decrypt shellcode in page-sized, non-executable fragments only as they are processed.

The Risks of In-Memory Execution

The final payload is delivered via Donut shellcode, which executes the malware entirely within memory to avoid leaving actionable forensic artifacts on the disk. The primary payloads deployed during this campaign include:

  • Agent Tesla
  • Remcos
  • XWorm
  • Best Private LOGGER

The security implications of such stealthy tactics are significant. As noted by Shane Barney, chief information security officer at Keeper Security, when signature-based detection is circumvented, the total impact is often measured by the extent of damage perpetrators can cause once they have successfully harvested sensitive user credentials.

Securing Against Evasive Threats

For organizations, this campaign highlights the insufficiency of relying on file extensions as a primary security boundary. Defenders are urged to prioritize analysis based on file behavior, content, and execution context rather than file names. Furthermore, limiting the use of tools like Windows Script Host, LuaJIT, and AutoIt—where they are not strictly necessary for business operations—can significantly reduce the attack surface. Ultimately, a robust defense must rely on identity-centric controls, the principle of least privilege, and mandatory re-authentication for sensitive systems, operating under the assumption that credential compromise is an inevitable outcome of modern phishing strategies.

#phishing#malware#windows#infostealer#rat

Xploitwire Editorial Team

Xploitwire Newsroom

This article was researched and drafted with AI assistance and reviewed by our editorial team before publication. About Xploitwire →

← Back to all stories
Advertisement