www.infosecurity-magazine.com 7/16/2026, 3:09:41 PM · external

Fileless phishing attack hides Lua loader in bogus font files

Fileless phishing attack hides Lua loader in bogus font files
CyberSIXT Evidence Panel
Primary Source fortinet.com

A recent phishing campaign disguises a Lua-based malware loader as a TrueType font file (.ttf). This operation, identified by Fortinet's FortiGuard Labs, has been active since March 2026, utilizing fileless techniques to deploy various Remote Access Trojans (RATs) and infostealers like Agent Tesla and Remcos. Attackers use lures related to business cooperation to deliver malicious archives via phishing emails, employing scripted attacks that evade detection through complex methods.

The payload is executed in memory to avoid leaving traces on disk. Security experts emphasize the importance of analyzing file content and behavior rather than relying solely on file extensions.

View Primary Source Via www.infosecurity-magazine.com

Article by CyberSIXT