Cybersecuritymalwarephishingthreat detection

"Malware Disguised as a Font: The New Wave of Lua Loaders That Fool Antivirus"

July 16, 2026 · 4 min read · Intelliway Team

"Malware Disguised as a Font: The New Wave of Lua Loaders That Fool Antivirus"

A recent analysis of phishing campaigns revealed something that should worry any security team still relying on lists of "safe" extensions: attackers are packaging malicious payloads inside files with a .ttf extension, the format used by Windows typographic fonts. The result is an infection chain that goes unnoticed by most traditional antivirus software and reaches users in dozens of countries, delivering everything from RATs (Remote Access Trojans) to full-featured infostealers.

This isn't the first time criminals have abused file formats considered harmless to slip past filters. But the engineering behind this particular campaign deserves attention because it combines three layers of obfuscation that, together, drastically reduce the detection rate: extension disguise, a heavily obfuscated script, and a loader written in Lua, a language rarely seen in malware and therefore poorly covered by EDR and antivirus signatures.

How the disguise works

It starts with a phishing email carrying an attachment or link that delivers a .ttf file. At first glance, any junior analyst would dismiss the alert: fonts don't execute code, right? The problem is that the file's actual content isn't a valid font at all. It's a container that loads a heavily obfuscated JScript script, hidden in such a way that static analysis tools struggle to extract readable strings or identify known patterns.

Once executed, this JScript doesn't download the final malware directly. Instead, it decodes and initializes a loader written in Lua, a lightweight, embeddable scripting language historically associated with games and automation, not attacks. This choice isn't accidental: signature-based detection engines have far more robust knowledge bases for PowerShell, VBScript, and batch than for Lua. The loader then fetches the final payload, which can vary between RAT and infostealer families depending on the campaign and the target.

Why the detection rate is so low

Three factors explain why this chain survives so many controls:

The practical effect is that this campaign can operate globally, with no specific geographic focus, hitting organizations across various sectors precisely because it doesn't rely on zero-day vulnerability exploitation: it relies on detection evasion and on a user clicking an attachment that looks legitimate.

What this means for companies in Brazil

This type of attack reinforces a point we've already discussed here about the importance of detection fidelity: rules based solely on signatures or file extensions are no longer enough. Security teams need behavioral visibility, able to identify when a seemingly harmless process (like a "font file" being processed) kicks off a script execution chain, spawns unusual processes, or opens network connections to unexpected destinations.

This requires three combined capabilities:

  1. Behavioral detection on the endpoint, not just static signatures.
  2. Real-time event correlation, to identify the full anomalous sequence (attachment opening, script execution, unusual interpreter call, external connection).
  3. Up-to-date threat intelligence, to recognize indicators of compromise associated with emerging campaigns before they spread internally.

This is exactly the kind of scenario that justifies running a SOC with continuous monitoring and AI-driven analysis. At Intelliway's SOC and MDR, ISA Cyber AI agents correlate endpoint, network, and email telemetry in real time, reducing the time between the execution of an attack stage and containment, even when the initial payload uses evasion techniques like the ones described here. The advantage of an AI-Driven SOC in this context isn't replacing the analyst, but giving them visibility into behavioral patterns that a traditional signature would never catch, such as a font-rendering process calling a script interpreter.

Beyond detection, it's worth reinforcing the intelligence layer: continuously tracking indicators from evolving campaigns, including hashes, C2 domains, and specific tactics like this JScript-plus-Lua combination, allows blocking rules to be updated before the phishing email even reaches the inbox. That's the role Threat Intelligence plays within a mature defense operation.

Practical recommendations

To reduce exposure to this type of campaign, a few concrete measures help immediately:

Campaigns like this show that offensive creativity keeps evolving, and that relying solely on static controls is a losing bet in the medium term. Defense needs to be just as dynamic as the attack.

If your team wants to assess its detection maturity against evasion techniques like these, contact Intelliway at /empresa#contato.

Sources and further reading

Read also

Want to apply this in your business?

Talk to Intelliway's Cyber and AI specialists.

Book a conversation
"Malware Disguised as a Font: The New Wave of Lua Loaders That Fool Antivirus" | Intelliway