SHADOW#REACTOR fake .ttf phishing campaign targeting Windows systems
Campaign
Summary
Hide ▲
Show ▼
A large-scale phishing campaign is delivering RATs and infostealers to Windows systems by disguising a malicious script as a .ttf font file. The operation has been active since late March 2026 and uses fileless delivery to reduce detection. It combines business-cooperation lures, scheduled-task persistence, and in-memory execution to push payloads including Agent Tesla, Remcos, XWorm, and Best Private LOGGER.
Timeline
-
16.07.2026 18:00 1 articles · 1h ago
Fake .ttf Lua loader campaign targets Windows systems
Initial DisclosureFortiGuard Labs identified a large-scale phishing campaign active since late March 2026 that disguises a malicious Lua loader as a .ttf TrueType font file on Windows systems. The chain uses business-cooperation lures and payment-themed phishing emails, copies itself to %PUBLIC%\Libraries, sets a scheduled task for persistence, and drops LuaJIT or AutoIt before delivering Donut shellcode that executes payloads in memory. FortiGuard Labs observed Remcos, Agent Tesla, XWorm, or Best Private LOGGER on victims, and a June 2026 build added segmented encryption that decrypted page-sized shellcode fragments with a Vectored Exception Handler.
Show sources
- Phishing Campaign Hides Lua Loader as TrueType Font File — www.infosecurity-magazine.com — 16.07.2026 18:00