Find notable cyber news and cases, enriched with sources, timelines, and signals.

SHADOW#REACTOR fake .ttf phishing campaign targeting Windows systems

Campaign
First reported
Last updated
Happening score
H score 31
1 unique sources, 1 articles

Summary

Hide ▲

A large-scale phishing campaign is delivering RATs and infostealers to Windows systems by disguising a malicious script as a .ttf font file. The operation has been active since late March 2026 and uses fileless delivery to reduce detection. It combines business-cooperation lures, scheduled-task persistence, and in-memory execution to push payloads including Agent Tesla, Remcos, XWorm, and Best Private LOGGER.

Timeline

  1. 16.07.2026 18:00 1 articles · 1h ago

    Fake .ttf Lua loader campaign targets Windows systems

    Initial Disclosure

    FortiGuard Labs identified a large-scale phishing campaign active since late March 2026 that disguises a malicious Lua loader as a .ttf TrueType font file on Windows systems. The chain uses business-cooperation lures and payment-themed phishing emails, copies itself to %PUBLIC%\Libraries, sets a scheduled task for persistence, and drops LuaJIT or AutoIt before delivering Donut shellcode that executes payloads in memory. FortiGuard Labs observed Remcos, Agent Tesla, XWorm, or Best Private LOGGER on victims, and a June 2026 build added segmented encryption that decrypted page-sized shellcode fragments with a Vectored Exception Handler.

    Show sources