An e-mail that seems to include a delivery doc, fee request, or enterprise proposal can infect a Home windows pc even when certainly one of its primary elements carries a .ttf font extension.
FortiGuard Labs has named the operation “TTF Lure” after discovering widespread phishing exercise that makes use of disguised font information and low-detection Lua loaders. The campaigns have been lively since late March 2026, though researchers traced early variations of the loader to October 2025. Fortinet charges the risk as Excessive and says any group utilizing Home windows might be focused.
For context, TTF stands for TrueType Font, a standard format used for fonts on Home windows. On this marketing campaign, the .ttf file will not be an actual font. Attackers use the acquainted extension to disguise a malicious Lua script that installs malware when executed by a separate program.
Phishing Emails
The emails impersonate established firms and deal with recipients with requests for orders, invoices, delivery paperwork, funds, or enterprise cooperation. Some messages include ZIP or RAR archives, whereas others present hyperlinks that obtain the archive. The sender creates a way of urgency to steer the recipient to open the included information.
Opening the archive launches a closely obfuscated JScript file crammed with junk code designed to hinder automated scanning and handbook inspection. The script copies itself into the Home windows Public Libraries folder, creates a scheduled process for persistence, and decodes further information hidden inside its code.
Among the many dropped information is a reliable AutoIt or LuaJIT interpreter accompanied by a malicious script. That script might use a .ttf extension, making it seem like a TrueType Font although its contents include executable Lua code. The interpreter reads the disguised file, decrypts its contents, and runs the subsequent stage.
As soon as decoded, the loader executes Donut shellcode instantly in reminiscence, lowering the malicious information written to disk. A associated AutoIt model launches the reliable Home windows colorcpl.exe course of in a suspended state earlier than injecting and working the payload inside it.
Fortinet’s evaluation discovered that newer loader variations added additional anti-analysis strategies to make debugging and detection tougher.
The ultimate malware varies between assaults. FortiGuard Labs noticed Agent Tesla, Remcos, XWorm and several other Snake Keylogger variants, together with Finest Personal LOGGER. These instruments can steal credentials and different info, document keystrokes or give attackers distant management of an contaminated pc.
Knowledgeable Perspective
Jason Soroko, Senior Fellow at Sectigo, mentioned the marketing campaign reveals why a filename or extension can’t verify what a file incorporates. The interpreter, script and disguised font might seem much less suspicious when reviewed individually, however their mixed execution delivers distant entry instruments and information-stealing malware.
Soroko suggested organizations to examine file contents, conduct and execution context. Electronic mail gateways and sandboxes ought to open nested archives, observe embedded obtain hyperlinks and determine scripts carrying deceptive extensions. The place they don’t seem to be wanted, Home windows Script Host, AutoIt and LuaJIT must be restricted by utility management, notably in user-writable folders.
As a result of the loader has modified repeatedly, Soroko mentioned detection shouldn’t rely solely on file hashes or command servers listed in revealed indicators. Monitoring must also cowl script interpreters launched from e-mail or archive packages, uncommon use of colorcpl.exe, distant reminiscence allocation, course of injection, and shellcode execution.
Workers receiving surprising orders, invoices, or delivery information ought to confirm the request with the supposed sender by a separate communication channel. A .ttf file inside a enterprise archive ought to by no means require an interpreter or script to run, and any request involving such information must be reported earlier than opening them.
(Picture by Brett Jordan on Unsplash)







