{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/jscript/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["phishing","loader","jscript","lua","rat","infostealer","malware"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFortiGuard Labs has uncovered a widespread phishing campaign, dubbed \u0026quot;The TTF Trap,\u0026quot; that is actively deploying sophisticated malware, including Remote Access Trojans (RATs) and infostealers, by leveraging highly obfuscated JScript and custom Lua loaders. This global campaign utilizes deceptive tactics, often disguising malicious payloads as legitimate TrueType Font (.ttf) files, to evade detection. The threat actors behind this operation employ multiple layers of obfuscation and a low-detection Lua-based loading mechanism to ensure their malicious tools persist on compromised systems. The campaign, ongoing since at least July 2026, poses a significant risk to organizations worldwide, as successful compromises can lead to extensive data exfiltration, unauthorized system access, and further malicious activities without immediate detection.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003ePhishing emails or messages are sent to targets, containing malicious attachments or links to download files.\u003c/li\u003e\n\u003cli\u003eVictims download and execute what appears to be a legitimate file, often disguised as a TrueType Font (.ttf) file.\u003c/li\u003e\n\u003cli\u003eThe disguised file, which is actually an executable or script, deploys an initial obfuscated JScript payload.\u003c/li\u003e\n\u003cli\u003eThe JScript then executes a Lua loader, which is designed with low detection rates to bypass security mechanisms.\u003c/li\u003e\n\u003cli\u003eThe Lua loader establishes communication with attacker-controlled infrastructure to download additional malicious components.\u003c/li\u003e\n\u003cli\u003eFinal payloads, including Remote Access Trojans (RATs) and infostealers, are downloaded and executed on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe RATs enable full remote control, while infostealers exfiltrate sensitive data such as credentials, financial information, and personal files.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful attacks from this global phishing campaign result in severe consequences for targeted organizations and individuals. Victims may experience unauthorized remote access to their systems via RATs, leading to complete system compromise, intellectual property theft, and potential lateral movement across networks. Infostealers deployed in this campaign are designed to exfiltrate sensitive data, including login credentials, banking details, and other confidential information, which can be used for financial fraud, identity theft, or sold on dark web marketplaces. The low-detection nature of the Lua loader also means that compromises can remain undetected for extended periods, maximizing the damage and enabling prolonged espionage or data theft.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable comprehensive logging for script execution, especially for JScript and VBScript, on all endpoints to provide visibility into potential malicious activity.\u003c/li\u003e\n\u003cli\u003eDeploy endpoint detection and response (EDR) solutions capable of behavioral analysis to identify suspicious process chains involving script interpreters (e.g., \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e) launching unusual child processes or making network connections.\u003c/li\u003e\n\u003cli\u003eEducate users on identifying and reporting phishing attempts, particularly those involving unexpected font files or script attachments, as initial access relies on user interaction.\u003c/li\u003e\n\u003cli\u003eImplement email gateway filters to block emails containing suspicious attachments, especially executable files disguised with common extensions like .ttf or .pdf, to prevent initial access.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual outbound connections from internal hosts to identify potential Command and Control (C2) communications by RATs and infostealers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T13:32:53Z","date_published":"2026-07-16T13:32:53Z","id":"https://feed.craftedsignal.io/briefs/2026-07-ttf-trap-lua-loader-campaign/","summary":"FortiGuard Labs identified a global phishing campaign employing obfuscated JScript, disguised TrueType Font (.ttf) files, and Lua loaders to deliver remote access Trojans (RATs) and infostealers to victims.","title":"The TTF Trap: Global Phishing Campaign Leverages Obfuscated JScript and Lua Loaders for RATs and Infostealers","url":"https://feed.craftedsignal.io/briefs/2026-07-ttf-trap-lua-loader-campaign/"}],"language":"en","title":"CraftedSignal Threat Feed - Jscript","version":"https://jsonfeed.org/version/1.1"}