Cyber Attack

HoeflerText Popups Targets Chrome and Firefox Browsers To Push RAT and Locky Ransomware

Sharing is caring!

Last week security researcher Brad Duncan found different compaign to push NetSupport Manager remote access tool (RAT) and Locky ransomware using HoeflerText Popups. This is targeting to Google chrome and Firfox Users.

According ot Brad Ducan, malspam had links to fake Dropbox pages. If you viewed the pages in Chrome or Firefox, they showed a fake notification stating you don’t have the HoeflerText font. These fake notifications had an “update” button that returned a malicious JavaScript (.js) file.

These .js files were disguised as a font library. He was unable to get any malware when using Internet Explorer or Microsoft Edge.

In another case, he said a Chrome HoeflerText font update delivers the file “Font_Chrome.exe” file. When It executes, it retrieves malware that installs a NetSupport Manager RAT.


In all cases victims are lured to a booby-trapped website that generates a bogus popup message informing the user the webpage they are trying to view cannot display correctly because the browser is missing the correct “HoeflerText” font .

Ransomware is still a serious threat, and it remains the largest category of malware we see on a daily basis from mass-distribution campaigns.

Users should be aware of this ongoing threat. Be suspicious of popup messages in Google Chrome that state: The “HoeflerText” font wasn’t found. Since this is a RAT, infected users will probably not notice any change in their day-to-day computer use. If the NetSupport Manager RAT is found on your Windows host, it is probably related to a malware infection.

Users are advised to disable popup from unknown sources and do not click any untrusted link.

Join The Discussion