A large-scale phishing operation has been observed disguising a malicious script as a TrueType font file (.tff). Using the fake .ttf extension, a Lua-based loader is slipped onto Windows systems and a rotating cast of remote access trojans and infostealers is deployed.
According to research published on July 16 by Fortinet’s FortiGuard Labs, the campaign has been running since late March 2026 and combines fileless techniques with a low-detection loader to deliver Agent Tesla, Remcos, XWorm and a keylogger called Best Private LOGGER.
The operators impersonated well-known companies and used business-cooperation lures to push malicious archives, often attached to phishing emails carrying payment-themed prompts.
Read more on Remcos delivery: SHADOW#REACTOR Campaign Uses Text-Only Staging to Deploy Remcos RAT
Fake Fonts, Real Loaders
The archives observed by Fortinet contained a JavaScript file wrapped in dense junk code with string-array mapping and control-flow flattening designed to defeat both manual analysis and AI-driven review.
When executed, the script copied itself to the %PUBLIC%\Libraries folder, set up a scheduled task for persistence and then dropped either a LuaJIT interpreter or an AutoIt executable. The file it treated as a script carried a .ttf extension, borrowing the look of a legitimate TrueType font.
Jason Soroko, senior fellow at certificate lifecycle management (CLM) provider Sectigo, said the design showed why “security controls cannot treat a file extension as proof of file type or intent.”
Each component looked less suspicious in isolation, he argued, while the combined sequence produced in-memory execution of RATs and infostealers.
Soroko urged defenders to analyze files by content, behavior and execution context rather than name and to restrict Windows Script Host, AutoIt and LuaJIT interpreters where they were not required.
The Lua path was the more evolved of the two. The disguised script reversed itself, applied symbol-substitution rules, decoded from Base64, then ran a custom ROT cipher whose rotation key was derived from the first byte of the ciphertext.
A June 2026 build added a segmented encryption scheme in which the shellcode was split into page-sized fragments marked non-executable, decrypted one page at a time by a Vectored Exception Handler as the processor tried to run them.
From Loader to Payload
The final payload arrived wrapped in Donut shellcode, whose reflective loader mapped and executed the malware directly in memory, leaving nothing on disk to inspect.
FortiGuard observed one of four payloads dropped per victim: Remcos, Agent Tesla, XWorm or Best Private LOGGER. The company classified the latter as a Snake Keylogger variant after comparing its collection module against a payload generated with a Snake VIP Keylogger builder.
Shane Barney, chief information security officer at Keeper Security, said the payload set made the attacker’s goal plain: valid credentials and a persistent foothold.
When signature-based detection failed, he said, the blast radius was determined by “how much damage [could] be done with the credentials once they [had] been stolen.”
Barney urged organizations to lean on identity controls, least privilege and re-authentication for sensitive systems, on the assumption that credentials would eventually be compromised.