The TTF Trap: A Global Campaign of a Low-Detection Lua Loader
A global phishing campaign since March 2026 uses fileless techniques and low-detection Lua-based loaders disguised as TrueType Font (.ttf) files to deploy malware such as Agent Tesla, Remcos, XWorm, and Best Private LOGGER. The campaign employs obfuscated JavaScript to execute AutoIt or LuaJIT interpreters with advanced anti-analysis methods including custom ROT ciphers, decoy memory allocation, and reflective in-memory shellcode execution. The threat actors impersonate well-known companies to lure victims into opening malicious archives. Over time, the campaign has evolved to include API unhooking and sophisticated debugging countermeasures, ultimately infecting victims with Remote Access Trojans and infostealers that enable full system compromise and data theft.
AI Analysis
Technical Summary
Since late March 2026, attackers have conducted a large-scale phishing campaign distributing malware via fileless execution using Lua-based loaders with low detection rates. Malicious archives contain obfuscated JavaScript that deploys AutoIt or LuaJIT interpreters alongside scripts disguised as .ttf font files. These Lua loaders use advanced evasion techniques such as custom ROT ciphers, decoy memory allocation, and Donut shellcode generation for reflective in-memory payload execution. The campaign has progressively increased in complexity, adding API unhooking and debugging countermeasures by June 2026. The final payloads include Remote Access Trojans and infostealers like Agent Tesla, Remcos, XWorm, and Best Private LOGGER, enabling attackers to gain full control over infected systems and exfiltrate sensitive data.
Potential Impact
Victims of this campaign risk full system compromise through Remote Access Trojans and infostealers, resulting in unauthorized access, credential theft, and extensive data exfiltration. The use of fileless techniques and sophisticated evasion methods reduces detection likelihood, increasing the potential for prolonged undetected presence and damage.
Mitigation Recommendations
No official patch or vendor advisory is available for this threat. Mitigation should focus on user awareness to recognize phishing attempts, blocking malicious attachments and scripts at email gateways, and employing endpoint detection solutions capable of identifying fileless and script-based attacks. Since this is a malware campaign rather than a software vulnerability, remediation involves incident response and malware removal rather than patching. Regular updates of security tools and monitoring for indicators of compromise are recommended.
Indicators of Compromise
- domain: mail.taikei-rmc-co.biz
- domain: mail.allportcargoservice.com
- hash: 511ba918e1781ff38310530801b8cec5
- hash: c029ceede8f8f8c8a4f58687e6681536fe4cc97b
- hash: 41ad1f28134f4b4a443b53af04aeb3fa57a2f72a3cc58a6466e84fc3225f38be
- hash: 2b1248d89fd9a7c716816f9688402942827fc1bfa89d5dccd741521725104279
- hash: 417fc4d6119dac40f276b563498a0ad3f9bf42262ec650a4463cbdbe78da388b
- domain: newremupdate.duckdns.org
- ip: 104.239.66.86
- hash: 619d2628dcf0c8e15a6febb0e562609556ca57f9f8216800ee77a39e336b8bf4
- hash: 96e22da4d5c0ea4b0efde0ad3eaa8fdedc60228f84fb3c56899afbb9338da2a1
- domain: mail.trimnt.com
- hash: ba2793c45a12e96683a8b1b7cb5a5c3e
- hash: c5724b86aae0e637b8b0b6f3c8d31168
- hash: efd92efb0321bf811e74717974b14897
- hash: ff3db8cc2d38ca5878a32fe40d7a8ba5
- hash: 409f57557a91d2a7a424d122aef4e73f2b533b18
- hash: 425ba7d4138a0e72e0e32db5438ee4bd88aa2982
- hash: 9d8a4d41058d5d7934d55f2c97d032124a0d74e3
- hash: f17ee43fda3735a0eea7330774ed6c10c0749fa5
- hash: 05390dd0d2c84f77475c0c6aa082638e23977da591302e911cbcb071c42a9451
- hash: 1539468a21a439dd4f8d72a6c34ce503f0585281fc2e88535c3c33727bfdc717
- hash: 16516e3298278719123068bf0ed808ea4e00f73c970a8a83377066b4e3c3c950
- hash: 16f9692debe0d4e35d76b48312979e5a90a85ce066e7375269ce78f43da52769
- hash: 1c4419d687bf45bdc5474b6347e41e89459fc0f5115f0d012c46c57280b242bf
- hash: 1d9dd914cf623dcae4b88834744a005e5e3eae827ded1aafd23ed1d7be57b90a
- hash: 2fe30eccd36f4346cb117af0cf626c2bca84b50c658b0c9af09110b9f86a53f4
- hash: 3ace400380bd1fc51e83d008dbbe9ceb70b2572da95264be09d85979a6276a37
- hash: 4c001e107a42d65c1b1e6092e4aa6932dbd1544d097d1a432ba27e3b4bddfcc1
- hash: 5409b3fa21dcc2f854697ec731f9574603dd0b6bdfd892e968a2b412ed85f52c
- hash: 5b271a1b1ffe2716ae420f8e9d40dbc8e9e682f6e4125d4f174a335bf070ac29
- hash: 6700e6d2a0c285d3ebf1a55aecec63b1e42d7d581f691331c667a8920dac7029
- hash: 775ae9a8c7363e2368cbb559f9c2d26a6c479d4e7998fe71d45830885ccde429
- hash: 7df42fc54f053d1bb65f43d4386a75be02770f7923b66e713fb04631582e864e
- hash: 81edd5e740bea0fefb5c1bbd14a671bd1daff37bf3641e34f3a1f7e93559184a
- hash: 8c28bc87eb4f2613117d41a716e78f62d55c19edaeea573c2c96e787da055167
- hash: 9674da676ee226ee456d35c774715d9b58655423806f281de19dc9ef899e9532
- hash: 986d1d5270822af7d7744762ecd8fc4e9b2886c85b3660e9fdf0b5906d6c4117
- hash: b12b743d4ecc0fe7320b6c1533e2a60bb89f94ca39a5be37143e7af27daacf04
- hash: bbeb74e6af12536ecb6761a65ed893fbddd1b86a17cd4a61b616e5fc6106ec9a
- hash: be4fcf88a287f783a3d199e889f9f088f77338eafe0dce70a38ade01192fb223
- hash: c7159e589e29f9c866cc9983839ae9c9a1457df542a2dcd5103baf38636e08fd
- hash: c92740b6b90582a4bf73fef979ca047b9e6ae432e892a97f71e70b45c09e478e
- hash: ca9639f7db6c3d1b37a004493f44aaa4e1282ea9333bc8ca5eac5d263d899e6a
- hash: cc041def6013da331f025e12f21f43677cea08073018d6be037f15a343a9cc24
- hash: e2a95dd038a153dfb463c94554912f992cd04cf0f420552a95f4aea3d6f31e18
- hash: ec494785f243f5f1b516b31d8455fadafe5495e11d47a5ce2bd50b1b3791fec6
- hash: fbf9a87d351ef702d87e0cd9e0148baa44c6d619f50fbf91d79a1c5e37719a77
- domain: mail.teamengineersgroup.com
The TTF Trap: A Global Campaign of a Low-Detection Lua Loader
Description
A global phishing campaign since March 2026 uses fileless techniques and low-detection Lua-based loaders disguised as TrueType Font (.ttf) files to deploy malware such as Agent Tesla, Remcos, XWorm, and Best Private LOGGER. The campaign employs obfuscated JavaScript to execute AutoIt or LuaJIT interpreters with advanced anti-analysis methods including custom ROT ciphers, decoy memory allocation, and reflective in-memory shellcode execution. The threat actors impersonate well-known companies to lure victims into opening malicious archives. Over time, the campaign has evolved to include API unhooking and sophisticated debugging countermeasures, ultimately infecting victims with Remote Access Trojans and infostealers that enable full system compromise and data theft.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Since late March 2026, attackers have conducted a large-scale phishing campaign distributing malware via fileless execution using Lua-based loaders with low detection rates. Malicious archives contain obfuscated JavaScript that deploys AutoIt or LuaJIT interpreters alongside scripts disguised as .ttf font files. These Lua loaders use advanced evasion techniques such as custom ROT ciphers, decoy memory allocation, and Donut shellcode generation for reflective in-memory payload execution. The campaign has progressively increased in complexity, adding API unhooking and debugging countermeasures by June 2026. The final payloads include Remote Access Trojans and infostealers like Agent Tesla, Remcos, XWorm, and Best Private LOGGER, enabling attackers to gain full control over infected systems and exfiltrate sensitive data.
Potential Impact
Victims of this campaign risk full system compromise through Remote Access Trojans and infostealers, resulting in unauthorized access, credential theft, and extensive data exfiltration. The use of fileless techniques and sophisticated evasion methods reduces detection likelihood, increasing the potential for prolonged undetected presence and damage.
Mitigation Recommendations
No official patch or vendor advisory is available for this threat. Mitigation should focus on user awareness to recognize phishing attempts, blocking malicious attachments and scripts at email gateways, and employing endpoint detection solutions capable of identifying fileless and script-based attacks. Since this is a malware campaign rather than a software vulnerability, remediation involves incident response and malware removal rather than patching. Regular updates of security tools and monitoring for indicators of compromise are recommended.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.fortinet.com/blog/threat-research/the-ttf-trap-a-global-campaign-of-a-low-detection-lua-loader"]
- Adversary
- null
- Pulse Id
- 6a59018a415370b96937338d
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domainmail.taikei-rmc-co.biz | — | |
domainmail.allportcargoservice.com | — | |
domainnewremupdate.duckdns.org | — | |
domainmail.trimnt.com | — | |
domainmail.teamengineersgroup.com | — |
Hash
| Value | Description | Copy |
|---|---|---|
hash511ba918e1781ff38310530801b8cec5 | — | |
hashc029ceede8f8f8c8a4f58687e6681536fe4cc97b | — | |
hash41ad1f28134f4b4a443b53af04aeb3fa57a2f72a3cc58a6466e84fc3225f38be | — | |
hash2b1248d89fd9a7c716816f9688402942827fc1bfa89d5dccd741521725104279 | — | |
hash417fc4d6119dac40f276b563498a0ad3f9bf42262ec650a4463cbdbe78da388b | — | |
hash619d2628dcf0c8e15a6febb0e562609556ca57f9f8216800ee77a39e336b8bf4 | — | |
hash96e22da4d5c0ea4b0efde0ad3eaa8fdedc60228f84fb3c56899afbb9338da2a1 | — | |
hashba2793c45a12e96683a8b1b7cb5a5c3e | — | |
hashc5724b86aae0e637b8b0b6f3c8d31168 | — | |
hashefd92efb0321bf811e74717974b14897 | — | |
hashff3db8cc2d38ca5878a32fe40d7a8ba5 | — | |
hash409f57557a91d2a7a424d122aef4e73f2b533b18 | — | |
hash425ba7d4138a0e72e0e32db5438ee4bd88aa2982 | — | |
hash9d8a4d41058d5d7934d55f2c97d032124a0d74e3 | — | |
hashf17ee43fda3735a0eea7330774ed6c10c0749fa5 | — | |
hash05390dd0d2c84f77475c0c6aa082638e23977da591302e911cbcb071c42a9451 | — | |
hash1539468a21a439dd4f8d72a6c34ce503f0585281fc2e88535c3c33727bfdc717 | — | |
hash16516e3298278719123068bf0ed808ea4e00f73c970a8a83377066b4e3c3c950 | — | |
hash16f9692debe0d4e35d76b48312979e5a90a85ce066e7375269ce78f43da52769 | — | |
hash1c4419d687bf45bdc5474b6347e41e89459fc0f5115f0d012c46c57280b242bf | — | |
hash1d9dd914cf623dcae4b88834744a005e5e3eae827ded1aafd23ed1d7be57b90a | — | |
hash2fe30eccd36f4346cb117af0cf626c2bca84b50c658b0c9af09110b9f86a53f4 | — | |
hash3ace400380bd1fc51e83d008dbbe9ceb70b2572da95264be09d85979a6276a37 | — | |
hash4c001e107a42d65c1b1e6092e4aa6932dbd1544d097d1a432ba27e3b4bddfcc1 | — | |
hash5409b3fa21dcc2f854697ec731f9574603dd0b6bdfd892e968a2b412ed85f52c | — | |
hash5b271a1b1ffe2716ae420f8e9d40dbc8e9e682f6e4125d4f174a335bf070ac29 | — | |
hash6700e6d2a0c285d3ebf1a55aecec63b1e42d7d581f691331c667a8920dac7029 | — | |
hash775ae9a8c7363e2368cbb559f9c2d26a6c479d4e7998fe71d45830885ccde429 | — | |
hash7df42fc54f053d1bb65f43d4386a75be02770f7923b66e713fb04631582e864e | — | |
hash81edd5e740bea0fefb5c1bbd14a671bd1daff37bf3641e34f3a1f7e93559184a | — | |
hash8c28bc87eb4f2613117d41a716e78f62d55c19edaeea573c2c96e787da055167 | — | |
hash9674da676ee226ee456d35c774715d9b58655423806f281de19dc9ef899e9532 | — | |
hash986d1d5270822af7d7744762ecd8fc4e9b2886c85b3660e9fdf0b5906d6c4117 | — | |
hashb12b743d4ecc0fe7320b6c1533e2a60bb89f94ca39a5be37143e7af27daacf04 | — | |
hashbbeb74e6af12536ecb6761a65ed893fbddd1b86a17cd4a61b616e5fc6106ec9a | — | |
hashbe4fcf88a287f783a3d199e889f9f088f77338eafe0dce70a38ade01192fb223 | — | |
hashc7159e589e29f9c866cc9983839ae9c9a1457df542a2dcd5103baf38636e08fd | — | |
hashc92740b6b90582a4bf73fef979ca047b9e6ae432e892a97f71e70b45c09e478e | — | |
hashca9639f7db6c3d1b37a004493f44aaa4e1282ea9333bc8ca5eac5d263d899e6a | — | |
hashcc041def6013da331f025e12f21f43677cea08073018d6be037f15a343a9cc24 | — | |
hashe2a95dd038a153dfb463c94554912f992cd04cf0f420552a95f4aea3d6f31e18 | — | |
hashec494785f243f5f1b516b31d8455fadafe5495e11d47a5ce2bd50b1b3791fec6 | — | |
hashfbf9a87d351ef702d87e0cd9e0148baa44c6d619f50fbf91d79a1c5e37719a77 | — |
Ip
| Value | Description | Copy |
|---|---|---|
ip104.239.66.86 | — |
Threat ID: 6a59782068715ace4305c175
Added to database: 07/17/2026, 00:32:32 UTC
Last enriched: 07/17/2026, 00:49:12 UTC
Last updated: 07/17/2026, 03:39:56 UTC
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.