Malware Disguised as Font Files Targets Windows Users
A global phishing campaign uses fake font files to deploy credential-stealing malware.

Key points
- Global phishing campaign began in March 2026, using fake font files.
- Malware targets include Agent Tesla, Remcos, XWorm, and Best Private LOGGER.
- Attackers use phishing emails impersonating well-known companies.
A new phishing campaign is using a deceptive technique to deliver malware to Windows users. Researchers at Fortinet's FortiGuard Labs discovered that criminals are disguising malware as ordinary TrueType Font (TTF) files, which are used by computers to display text properly. This approach has allowed them to evade detection and steal credentials from affected systems.
The campaign has been active since at least March 2026, deploying malware like Agent Tesla, Remcos, XWorm, and Best Private LOGGER. These programs are designed to steal passwords, monitor user activity, and give remote access to the attackers.
Fake font files are just one piece of this puzzle. The attackers first send phishing emails pretending to be from well-known companies. These emails often have themes of business cooperation or payments, enticing recipients to open attached files. Once opened, these attachments run a series of hidden scripts, including a Lua-based loader disguised as a TTF file. This loader then decrypts and executes the malware directly in the computer’s memory.
How did the hackers get in?
Phishing emails were the entry point in these attacks. The criminals impersonated reputable companies, tricking users into downloading files that appeared legitimate. Once a victim opened the attachment, the malware chain started, disguising its actions to avoid detection.
Shane Barney from Keeper Security explains that even the most complex evasion techniques begin with a simple action: someone opens an email that seems legitimate. This underscores the need for vigilance in identifying suspicious emails before they can cause harm.
The malware employs several techniques to avoid detection, such as segmented encryption and bypassing security measures like AMSI, which is a Windows feature that scans scripts for malicious activity. Each component of the attack may seem harmless on its own, but together they enable the malware to operate unnoticed.
For organizations, the focus should be on strengthening security controls and limiting what credentials can access. Jason Soroko from Sectigo advises that organizations restrict unnecessary tools like Windows Script Host and monitor for suspicious behaviors such as process injection and remote memory allocation.
Victims should be alert to unexpected emails, especially those claiming to be business-related. Regular updates and security checks are crucial to catch evolving threats like this one.



