HackRead

“TTF Trap” Phishing Emails Use Fake Font Files to Deliver Windows Malware


An email that appears to contain a shipping document, payment request, or business proposal can infect a Windows computer even when one of its main components carries a .ttf font extension.

FortiGuard Labs has named the operation “TTF Trap” after finding widespread phishing activity that uses disguised font files and low-detection Lua loaders. The campaigns have been active since late March 2026, although researchers traced early versions of the loader to October 2025. Fortinet rates the threat as High and says any organization using Windows could be targeted.

For context, TTF stands for TrueType Font, a common format used for fonts on Windows. In this campaign, the .ttf file is not a real font. Attackers use the familiar extension to disguise a malicious Lua script that installs malware when executed by a separate program.

Phishing Emails

The emails impersonate established companies and address recipients with requests for orders, invoices, shipping documents, payments, or business cooperation. Some messages contain ZIP or RAR archives, while others provide links that download the archive. The sender creates a sense of urgency to persuade the recipient to open the included files.

Phishing emails (Image credit: FortiGuard Labs)

Opening the archive launches a heavily obfuscated JScript file filled with junk code designed to hinder automated scanning and manual inspection. The script copies itself into the Windows Public Libraries folder, creates a scheduled task for persistence, and decodes additional files hidden inside its code.

Among the dropped files is a legitimate AutoIt or LuaJIT interpreter accompanied by a malicious script. That script may use a .ttf extension, making it appear to be a TrueType Font even though its contents contain executable Lua code. The interpreter reads the disguised file, decrypts its contents, and runs the next stage.

Once decoded, the loader executes Donut shellcode directly in memory, reducing the malicious files written to disk. A related AutoIt version launches the legitimate Windows colorcpl.exe process in a suspended state before injecting and running the payload inside it.

Fortinet’s analysis found that newer loader versions added further anti-analysis methods to make debugging and detection more difficult.

The final malware varies between attacks. FortiGuard Labs observed Agent Tesla, Remcos, XWorm and several Snake Keylogger variants, including Best Private LOGGER. These tools can steal credentials and other information, record keystrokes or give attackers remote control of an infected computer.

Expert Perspective

Jason Soroko, Senior Fellow at Sectigo, said the campaign shows why a filename or extension cannot confirm what a file contains. The interpreter, script and disguised font may appear less suspicious when reviewed separately, but their combined execution delivers remote access tools and information-stealing malware.

Soroko advised organizations to inspect file contents, behavior and execution context. Email gateways and sandboxes should open nested archives, follow embedded download links and identify scripts carrying misleading extensions. Where they are not needed, Windows Script Host, AutoIt and LuaJIT should be restricted through application control, particularly in user-writable folders.

Because the loader has changed repeatedly, Soroko said detection should not depend only on file hashes or command servers listed in published indicators. Monitoring should also cover script interpreters launched from email or archive programs, unusual use of colorcpl.exe, remote memory allocation, process injection, and shellcode execution.

Employees receiving unexpected orders, invoices, or shipping files should verify the request with the supposed sender through a separate communication channel. A .ttf file inside a business archive should never require an interpreter or script to run, and any request involving such files should be reported before opening them.

(Photo by Brett Jordan on Unsplash)





Source link