Find notable cyber news and cases, enriched with sources, timelines, and signals.

Lua loader payload wave delivering Remcos, Agent Tesla, XWorm, and Best Private LOGGER

Malware Activity
First reported
Last updated
Happening score
H score 27
1 unique sources, 1 articles

Summary

Hide ▲

A Lua-based loader in a large-scale phishing operation is delivering rotating malware payloads to Windows systems, creating a fileless path for credential theft and persistent access. Each infected host receives one of four families: Remcos, Agent Tesla, XWorm, or Best Private LOGGER. The chain uses a fake .tff lure, scheduled-task persistence, and in-memory execution to reduce detection.

Timeline

  1. 16.07.2026 18:00 1 articles · 1h ago

    Lua loader campaign delivers Remcos, Agent Tesla, XWorm, and Best Private LOGGER

    Initial Disclosure

    Fortinet's FortiGuard Labs reported a large-scale phishing campaign on July 16, 2026 that has been running since late March 2026 and disguises a malicious Lua loader as a .ttf TrueType font file on Windows systems. The chain uses fileless techniques, scheduled-task persistence, Donut shellcode, and in-memory execution to deliver one of four payloads per victim: Remcos, Agent Tesla, XWorm, or Best Private LOGGER.

    Show sources