A recent phishing campaign disguises a Lua-based malware loader as a TrueType font file (.ttf). This operation, identified by Fortinet's FortiGuard Labs, has been active since March 2026, utilizing fileless techniques to deploy various Remote Access Trojans (RATs) and infostealers like Agent Tesla and Remcos. Attackers use lures related to business cooperation to deliver malicious archives via phishing emails, employing scripted attacks that evade detection through complex methods.
The payload is executed in memory to avoid leaving traces on disk. Security experts emphasize the importance of analyzing file content and behavior rather than relying solely on file extensions.