"Malware Disguised as a Font: The New Wave of Lua Loaders That Fool Antivirus"
July 16, 2026 · 4 min read · Intelliway Team

A recent analysis of phishing campaigns revealed something that should worry any security team still relying on lists of "safe" extensions: attackers are packaging malicious payloads inside files with a .ttf extension, the format used by Windows typographic fonts. The result is an infection chain that goes unnoticed by most traditional antivirus software and reaches users in dozens of countries, delivering everything from RATs (Remote Access Trojans) to full-featured infostealers.
This isn't the first time criminals have abused file formats considered harmless to slip past filters. But the engineering behind this particular campaign deserves attention because it combines three layers of obfuscation that, together, drastically reduce the detection rate: extension disguise, a heavily obfuscated script, and a loader written in Lua, a language rarely seen in malware and therefore poorly covered by EDR and antivirus signatures.
How the disguise works
It starts with a phishing email carrying an attachment or link that delivers a .ttf file. At first glance, any junior analyst would dismiss the alert: fonts don't execute code, right? The problem is that the file's actual content isn't a valid font at all. It's a container that loads a heavily obfuscated JScript script, hidden in such a way that static analysis tools struggle to extract readable strings or identify known patterns.
Once executed, this JScript doesn't download the final malware directly. Instead, it decodes and initializes a loader written in Lua, a lightweight, embeddable scripting language historically associated with games and automation, not attacks. This choice isn't accidental: signature-based detection engines have far more robust knowledge bases for PowerShell, VBScript, and batch than for Lua. The loader then fetches the final payload, which can vary between RAT and infostealer families depending on the campaign and the target.
Why the detection rate is so low
Three factors explain why this chain survives so many controls:
- Deceptive extension: email filters and content gateways often have more permissive rules for font files than for executables, scripts, or macros.
- Layered obfuscation: each stage (JScript, then Lua) requires a specific decoder, which multiplies the reverse-engineering effort and delays signature creation.
- Under-monitored language: endpoint security solutions are optimized for the scripting languages most commonly seen in documented attacks. Lua stays off the radar of most out-of-the-box rules.
The practical effect is that this campaign can operate globally, with no specific geographic focus, hitting organizations across various sectors precisely because it doesn't rely on zero-day vulnerability exploitation: it relies on detection evasion and on a user clicking an attachment that looks legitimate.
What this means for companies in Brazil
This type of attack reinforces a point we've already discussed here about the importance of detection fidelity: rules based solely on signatures or file extensions are no longer enough. Security teams need behavioral visibility, able to identify when a seemingly harmless process (like a "font file" being processed) kicks off a script execution chain, spawns unusual processes, or opens network connections to unexpected destinations.
This requires three combined capabilities:
- Behavioral detection on the endpoint, not just static signatures.
- Real-time event correlation, to identify the full anomalous sequence (attachment opening, script execution, unusual interpreter call, external connection).
- Up-to-date threat intelligence, to recognize indicators of compromise associated with emerging campaigns before they spread internally.
This is exactly the kind of scenario that justifies running a SOC with continuous monitoring and AI-driven analysis. At Intelliway's SOC and MDR, ISA Cyber AI agents correlate endpoint, network, and email telemetry in real time, reducing the time between the execution of an attack stage and containment, even when the initial payload uses evasion techniques like the ones described here. The advantage of an AI-Driven SOC in this context isn't replacing the analyst, but giving them visibility into behavioral patterns that a traditional signature would never catch, such as a font-rendering process calling a script interpreter.
Beyond detection, it's worth reinforcing the intelligence layer: continuously tracking indicators from evolving campaigns, including hashes, C2 domains, and specific tactics like this JScript-plus-Lua combination, allows blocking rules to be updated before the phishing email even reaches the inbox. That's the role Threat Intelligence plays within a mature defense operation.
Practical recommendations
To reduce exposure to this type of campaign, a few concrete measures help immediately:
- Strengthen email filters to inspect the actual content of attachments, not just the declared extension.
- Block or closely monitor the execution of unusual interpreters (Lua, custom scripts) on corporate workstations.
- Enable detailed logging of child processes spawned by document and font viewing applications.
- Train the incident response team to recognize indicators of this specific chain: a font extension followed by script execution.
- Validate, through targeted penetration testing, whether your current controls would detect a multi-stage infection chain like this one.
Campaigns like this show that offensive creativity keeps evolving, and that relying solely on static controls is a losing bet in the medium term. Defense needs to be just as dynamic as the attack.
If your team wants to assess its detection maturity against evasion techniques like these, contact Intelliway at /empresa#contato.
