Lua loader payload wave delivering Remcos, Agent Tesla, XWorm, and Best Private LOGGER
Malware Activity
Summary
Hide ▲
Show ▼
A Lua-based loader in a large-scale phishing operation is delivering rotating malware payloads to Windows systems, creating a fileless path for credential theft and persistent access. Each infected host receives one of four families: Remcos, Agent Tesla, XWorm, or Best Private LOGGER. The chain uses a fake .tff lure, scheduled-task persistence, and in-memory execution to reduce detection.
Timeline
-
16.07.2026 18:00 1 articles · 1h ago
Lua loader campaign delivers Remcos, Agent Tesla, XWorm, and Best Private LOGGER
Initial DisclosureFortinet's FortiGuard Labs reported a large-scale phishing campaign on July 16, 2026 that has been running since late March 2026 and disguises a malicious Lua loader as a .ttf TrueType font file on Windows systems. The chain uses fileless techniques, scheduled-task persistence, Donut shellcode, and in-memory execution to deliver one of four payloads per victim: Remcos, Agent Tesla, XWorm, or Best Private LOGGER.
Show sources
- Phishing Campaign Hides Lua Loader as TrueType Font File — www.infosecurity-magazine.com — 16.07.2026 18:00