Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

The TTF Trap: A Global Campaign of a Low-Detection Lua Loader

0
Medium
Published: 07/16/2026 (07/16/2026, 16:06:34 UTC)
Source: AlienVault OTX General

Description

A global phishing campaign since March 2026 uses fileless techniques and low-detection Lua-based loaders disguised as TrueType Font (.ttf) files to deploy malware such as Agent Tesla, Remcos, XWorm, and Best Private LOGGER. The campaign employs obfuscated JavaScript to execute AutoIt or LuaJIT interpreters with advanced anti-analysis methods including custom ROT ciphers, decoy memory allocation, and reflective in-memory shellcode execution. The threat actors impersonate well-known companies to lure victims into opening malicious archives. Over time, the campaign has evolved to include API unhooking and sophisticated debugging countermeasures, ultimately infecting victims with Remote Access Trojans and infostealers that enable full system compromise and data theft.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/17/2026, 00:49:12 UTC

Technical Analysis

Since late March 2026, attackers have conducted a large-scale phishing campaign distributing malware via fileless execution using Lua-based loaders with low detection rates. Malicious archives contain obfuscated JavaScript that deploys AutoIt or LuaJIT interpreters alongside scripts disguised as .ttf font files. These Lua loaders use advanced evasion techniques such as custom ROT ciphers, decoy memory allocation, and Donut shellcode generation for reflective in-memory payload execution. The campaign has progressively increased in complexity, adding API unhooking and debugging countermeasures by June 2026. The final payloads include Remote Access Trojans and infostealers like Agent Tesla, Remcos, XWorm, and Best Private LOGGER, enabling attackers to gain full control over infected systems and exfiltrate sensitive data.

Potential Impact

Victims of this campaign risk full system compromise through Remote Access Trojans and infostealers, resulting in unauthorized access, credential theft, and extensive data exfiltration. The use of fileless techniques and sophisticated evasion methods reduces detection likelihood, increasing the potential for prolonged undetected presence and damage.

Mitigation Recommendations

No official patch or vendor advisory is available for this threat. Mitigation should focus on user awareness to recognize phishing attempts, blocking malicious attachments and scripts at email gateways, and employing endpoint detection solutions capable of identifying fileless and script-based attacks. Since this is a malware campaign rather than a software vulnerability, remediation involves incident response and malware removal rather than patching. Regular updates of security tools and monitoring for indicators of compromise are recommended.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://www.fortinet.com/blog/threat-research/the-ttf-trap-a-global-campaign-of-a-low-detection-lua-loader"]
Adversary
null
Pulse Id
6a59018a415370b96937338d
Threat Score
null

Indicators of Compromise

Domain

ValueDescriptionCopy
domainmail.taikei-rmc-co.biz
domainmail.allportcargoservice.com
domainnewremupdate.duckdns.org
domainmail.trimnt.com
domainmail.teamengineersgroup.com

Hash

ValueDescriptionCopy
hash511ba918e1781ff38310530801b8cec5
hashc029ceede8f8f8c8a4f58687e6681536fe4cc97b
hash41ad1f28134f4b4a443b53af04aeb3fa57a2f72a3cc58a6466e84fc3225f38be
hash2b1248d89fd9a7c716816f9688402942827fc1bfa89d5dccd741521725104279
hash417fc4d6119dac40f276b563498a0ad3f9bf42262ec650a4463cbdbe78da388b
hash619d2628dcf0c8e15a6febb0e562609556ca57f9f8216800ee77a39e336b8bf4
hash96e22da4d5c0ea4b0efde0ad3eaa8fdedc60228f84fb3c56899afbb9338da2a1
hashba2793c45a12e96683a8b1b7cb5a5c3e
hashc5724b86aae0e637b8b0b6f3c8d31168
hashefd92efb0321bf811e74717974b14897
hashff3db8cc2d38ca5878a32fe40d7a8ba5
hash409f57557a91d2a7a424d122aef4e73f2b533b18
hash425ba7d4138a0e72e0e32db5438ee4bd88aa2982
hash9d8a4d41058d5d7934d55f2c97d032124a0d74e3
hashf17ee43fda3735a0eea7330774ed6c10c0749fa5
hash05390dd0d2c84f77475c0c6aa082638e23977da591302e911cbcb071c42a9451
hash1539468a21a439dd4f8d72a6c34ce503f0585281fc2e88535c3c33727bfdc717
hash16516e3298278719123068bf0ed808ea4e00f73c970a8a83377066b4e3c3c950
hash16f9692debe0d4e35d76b48312979e5a90a85ce066e7375269ce78f43da52769
hash1c4419d687bf45bdc5474b6347e41e89459fc0f5115f0d012c46c57280b242bf
hash1d9dd914cf623dcae4b88834744a005e5e3eae827ded1aafd23ed1d7be57b90a
hash2fe30eccd36f4346cb117af0cf626c2bca84b50c658b0c9af09110b9f86a53f4
hash3ace400380bd1fc51e83d008dbbe9ceb70b2572da95264be09d85979a6276a37
hash4c001e107a42d65c1b1e6092e4aa6932dbd1544d097d1a432ba27e3b4bddfcc1
hash5409b3fa21dcc2f854697ec731f9574603dd0b6bdfd892e968a2b412ed85f52c
hash5b271a1b1ffe2716ae420f8e9d40dbc8e9e682f6e4125d4f174a335bf070ac29
hash6700e6d2a0c285d3ebf1a55aecec63b1e42d7d581f691331c667a8920dac7029
hash775ae9a8c7363e2368cbb559f9c2d26a6c479d4e7998fe71d45830885ccde429
hash7df42fc54f053d1bb65f43d4386a75be02770f7923b66e713fb04631582e864e
hash81edd5e740bea0fefb5c1bbd14a671bd1daff37bf3641e34f3a1f7e93559184a
hash8c28bc87eb4f2613117d41a716e78f62d55c19edaeea573c2c96e787da055167
hash9674da676ee226ee456d35c774715d9b58655423806f281de19dc9ef899e9532
hash986d1d5270822af7d7744762ecd8fc4e9b2886c85b3660e9fdf0b5906d6c4117
hashb12b743d4ecc0fe7320b6c1533e2a60bb89f94ca39a5be37143e7af27daacf04
hashbbeb74e6af12536ecb6761a65ed893fbddd1b86a17cd4a61b616e5fc6106ec9a
hashbe4fcf88a287f783a3d199e889f9f088f77338eafe0dce70a38ade01192fb223
hashc7159e589e29f9c866cc9983839ae9c9a1457df542a2dcd5103baf38636e08fd
hashc92740b6b90582a4bf73fef979ca047b9e6ae432e892a97f71e70b45c09e478e
hashca9639f7db6c3d1b37a004493f44aaa4e1282ea9333bc8ca5eac5d263d899e6a
hashcc041def6013da331f025e12f21f43677cea08073018d6be037f15a343a9cc24
hashe2a95dd038a153dfb463c94554912f992cd04cf0f420552a95f4aea3d6f31e18
hashec494785f243f5f1b516b31d8455fadafe5495e11d47a5ce2bd50b1b3791fec6
hashfbf9a87d351ef702d87e0cd9e0148baa44c6d619f50fbf91d79a1c5e37719a77

Ip

ValueDescriptionCopy
ip104.239.66.86

Threat ID: 6a59782068715ace4305c175

Added to database: 07/17/2026, 00:32:32 UTC

Last enriched: 07/17/2026, 00:49:12 UTC

Last updated: 07/17/2026, 03:39:56 UTC

Views: 9

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses