<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Loader - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/loader/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 16 Jul 2026 13:32:53 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/loader/feed.xml" rel="self" type="application/rss+xml"/><item><title>The TTF Trap: Global Phishing Campaign Leverages Obfuscated JScript and Lua Loaders for RATs and Infostealers</title><link>https://feed.craftedsignal.io/briefs/2026-07-ttf-trap-lua-loader-campaign/</link><pubDate>Thu, 16 Jul 2026 13:32:53 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-ttf-trap-lua-loader-campaign/</guid><description>FortiGuard Labs identified a global phishing campaign employing obfuscated JScript, disguised TrueType Font (.ttf) files, and Lua loaders to deliver remote access Trojans (RATs) and infostealers to victims.</description><content:encoded><![CDATA[<p>FortiGuard Labs has uncovered a widespread phishing campaign, dubbed &quot;The TTF Trap,&quot; that is actively deploying sophisticated malware, including Remote Access Trojans (RATs) and infostealers, by leveraging highly obfuscated JScript and custom Lua loaders. This global campaign utilizes deceptive tactics, often disguising malicious payloads as legitimate TrueType Font (.ttf) files, to evade detection. The threat actors behind this operation employ multiple layers of obfuscation and a low-detection Lua-based loading mechanism to ensure their malicious tools persist on compromised systems. The campaign, ongoing since at least July 2026, poses a significant risk to organizations worldwide, as successful compromises can lead to extensive data exfiltration, unauthorized system access, and further malicious activities without immediate detection.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Phishing emails or messages are sent to targets, containing malicious attachments or links to download files.</li>
<li>Victims download and execute what appears to be a legitimate file, often disguised as a TrueType Font (.ttf) file.</li>
<li>The disguised file, which is actually an executable or script, deploys an initial obfuscated JScript payload.</li>
<li>The JScript then executes a Lua loader, which is designed with low detection rates to bypass security mechanisms.</li>
<li>The Lua loader establishes communication with attacker-controlled infrastructure to download additional malicious components.</li>
<li>Final payloads, including Remote Access Trojans (RATs) and infostealers, are downloaded and executed on the compromised system.</li>
<li>The RATs enable full remote control, while infostealers exfiltrate sensitive data such as credentials, financial information, and personal files.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful attacks from this global phishing campaign result in severe consequences for targeted organizations and individuals. Victims may experience unauthorized remote access to their systems via RATs, leading to complete system compromise, intellectual property theft, and potential lateral movement across networks. Infostealers deployed in this campaign are designed to exfiltrate sensitive data, including login credentials, banking details, and other confidential information, which can be used for financial fraud, identity theft, or sold on dark web marketplaces. The low-detection nature of the Lua loader also means that compromises can remain undetected for extended periods, maximizing the damage and enabling prolonged espionage or data theft.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable comprehensive logging for script execution, especially for JScript and VBScript, on all endpoints to provide visibility into potential malicious activity.</li>
<li>Deploy endpoint detection and response (EDR) solutions capable of behavioral analysis to identify suspicious process chains involving script interpreters (e.g., <code>wscript.exe</code>, <code>cscript.exe</code>) launching unusual child processes or making network connections.</li>
<li>Educate users on identifying and reporting phishing attempts, particularly those involving unexpected font files or script attachments, as initial access relies on user interaction.</li>
<li>Implement email gateway filters to block emails containing suspicious attachments, especially executable files disguised with common extensions like .ttf or .pdf, to prevent initial access.</li>
<li>Monitor network traffic for unusual outbound connections from internal hosts to identify potential Command and Control (C2) communications by RATs and infostealers.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>phishing</category><category>loader</category><category>jscript</category><category>lua</category><category>rat</category><category>infostealer</category><category>malware</category></item></channel></rss>