Back to Feed
MalwareJul 17, 2026

“TTF Trap” Phishing Emails Use Fake Font Files to Deliver Windows Malware

"TTF Trap" phishing campaign uses disguised Lua scripts in fake font files to deliver Windows malware since March 2026.

Summary

FortiGuard Labs identified a widespread phishing campaign called "TTF Trap" that disguises malicious Lua scripts as TrueType Font (.ttf) files to evade detection. The campaign, active since late March 2026, uses phishing emails impersonating legitimate companies to distribute obfuscated archives containing interpreters and malicious payloads. The final stage delivers information-stealing malware including Agent Tesla, Remcos, XWorm, and Snake Keylogger variants that steal credentials and provide remote access.

Full text

Security Phishing Scam“TTF Trap” Phishing Emails Use Fake Font Files to Deliver Windows MalwarebyWaqasJuly 17, 20263 minute read Listen to this article 0:00 — ← 10s ▶ Play 10s → Speed 0.75× 1× 1.25× 1.5× 2× Voice Loading voices… Press play to start listening An email that appears to contain a shipping document, payment request, or business proposal can infect a Windows computer even when one of its main components carries a .ttf font extension. FortiGuard Labs has named the operation “TTF Trap” after finding widespread phishing activity that uses disguised font files and low-detection Lua loaders. The campaigns have been active since late March 2026, although researchers traced early versions of the loader to October 2025. Fortinet rates the threat as High and says any organization using Windows could be targeted. For context, TTF stands for TrueType Font, a common format used for fonts on Windows. In this campaign, the .ttf file is not a real font. Attackers use the familiar extension to disguise a malicious Lua script that installs malware when executed by a separate program. Phishing Emails The emails impersonate established companies and address recipients with requests for orders, invoices, shipping documents, payments, or business cooperation. Some messages contain ZIP or RAR archives, while others provide links that download the archive. The sender creates a sense of urgency to persuade the recipient to open the included files. Phishing emails (Image credit: FortiGuard Labs) Opening the archive launches a heavily obfuscated JScript file filled with junk code designed to hinder automated scanning and manual inspection. The script copies itself into the Windows Public Libraries folder, creates a scheduled task for persistence, and decodes additional files hidden inside its code. Among the dropped files is a legitimate AutoIt or LuaJIT interpreter accompanied by a malicious script. That script may use a .ttf extension, making it appear to be a TrueType Font even though its contents contain executable Lua code. The interpreter reads the disguised file, decrypts its contents, and runs the next stage. Once decoded, the loader executes Donut shellcode directly in memory, reducing the malicious files written to disk. A related AutoIt version launches the legitimate Windows colorcpl.exe process in a suspended state before injecting and running the payload inside it. Fortinet’s analysis found that newer loader versions added further anti-analysis methods to make debugging and detection more difficult. The final malware varies between attacks. FortiGuard Labs observed Agent Tesla, Remcos, XWorm and several Snake Keylogger variants, including Best Private LOGGER. These tools can steal credentials and other information, record keystrokes or give attackers remote control of an infected computer. Expert Perspective Jason Soroko, Senior Fellow at Sectigo, said the campaign shows why a filename or extension cannot confirm what a file contains. The interpreter, script and disguised font may appear less suspicious when reviewed separately, but their combined execution delivers remote access tools and information-stealing malware. Soroko advised organizations to inspect file contents, behavior and execution context. Email gateways and sandboxes should open nested archives, follow embedded download links and identify scripts carrying misleading extensions. Where they are not needed, Windows Script Host, AutoIt and LuaJIT should be restricted through application control, particularly in user-writable folders. Because the loader has changed repeatedly, Soroko said detection should not depend only on file hashes or command servers listed in published indicators. Monitoring should also cover script interpreters launched from email or archive programs, unusual use of colorcpl.exe, remote memory allocation, process injection, and shellcode execution. Employees receiving unexpected orders, invoices, or shipping files should verify the request with the supposed sender through a separate communication channel. A .ttf file inside a business archive should never require an interpreter or script to run, and any request involving such files should be reported before opening them. (Photo by Brett Jordan on Unsplash) Waqas I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cybersecurity and tech world. I am also into gaming, reading and investigative journalism. View Posts Cyber AttackCybersecurityFortiGuard LabsFortinetFraudMalwarePhishingScamTTP Leave a Reply Cancel reply View Comments (0) Related Posts Read More Security Malware Scams and Fraud Fake Skype, Zoom, Google Meet Sites Infecting Devices with Multiple RATs Remote Access Trojan Threat: Beware Malicious Downloads Disguised as Meeting Apps. byDeeba Ahmed Read More News Security Technology List of Proxy IPs Exposed to Block Killnet’s DDoS Bots Kallnet is a pro-Russian group known for targeting hospitals and other critical infrastructure in countries unfriendly to Russia byWaqas Read More Security Artificial Intelligence Researchers Find Data Leak Risk in AWS Bedrock AI Code Interpreter AWS Bedrock AI tool flaw allows data leaks via DNS queries in AgentCore Code Interpreter sandbox, exposing sensitive cloud data, researchers warn. byDeeba Ahmed Read More Security Malware EvilGnomes Linux malware record activities & spy on users The EvilGnomes Linux malware has been linked to infamous Russian threat actors from the Gamaredon Group. The IT… byUzair Amir

Indicators of Compromise

  • malware — Agent Tesla
  • malware — Remcos
  • malware — XWorm
  • malware — Snake Keylogger
  • malware — Best Private LOGGER

Entities

TTF Trap (campaign)Fortinet (vendor)Sectigo (vendor)TrueType Font (TTF) (technology)Lua (technology)AutoIt (technology)