A campaign using fake financial documents as bait delivers malware through a technique that hides malicious code inside ordinary image files, leaving nothing on the disk for security tools to find.
What happened
Security researchers have identified a phishing campaign delivering Remcos, a remote access trojan that gives attackers complete control over an infected device, through a multi-stage attack chain that operates entirely in memory and leaves no files on disk for antivirus tools to detect. According to Cyberpress, the campaign begins with a phishing email carrying a compressed archive disguised as a financial document, such as a tax notice or payment record. When the victim extracts and opens the archive, they find an executable file designed to appear as a legitimate application running quietly in the background. Behind that decoy, the malware uses steganography, the practice of hiding secret data inside ordinary files such as images to conceal its next-stage payload inside a standard image object. Rather than writing any malicious files to the hard drive, the malware extracts that hidden data and loads it directly into the computer's memory, where it assembles the components needed to install Remcos without triggering file-based security scans.
Going deeper
The attack chain runs through two intermediate loaders before the final payload activates, with each stage loaded in memory rather than saved to disk. Once Remcos is fully running, it injects itself into a legitimate browser process already running on the device, hiding its activity inside trusted software. The malware actively checks for virtual machine and sandbox environments used by security researchers to analyze suspicious files, and exits if it detects them, meaning automated analysis tools may see no malicious behavior at all. Remcos also adds itself to the system's startup configuration, so it survives a device reboot, and communicates with attacker-controlled servers over standard internet protocols to blend with normal web traffic. Its capabilities include stealing saved passwords and browser cookies, recording audio through the device's microphone, accessing the webcam, and logging which applications the user is actively working in. Researchers noted that the same distribution infrastructure appears to operate as a loader-as-a-service platform, meaning the same delivery network is also rented out to distribute other malware families, including Agent Tesla and Formbook.
What was said
Researchers stated in their analysis cited by Cyberpress that the campaign's modular design separates the attack into distinct stages specifically to defeat signature-based detection, and that the fileless execution approach means "the malware hides its next-stage payload within a bitmap object," reconstructing the entire attack chain in memory without writing files that security tools can scan. Researchers confirmed the infrastructure shows signs of operating as a commercial loader service available to multiple threat actors simultaneously.
In the know
Steganography-based malware delivery has been documented across multiple campaigns in 2025 and 2026. According to The Hacker News, a campaign documented in January 2026 similarly deployed Remcos through a multi-stage in-memory chain using obfuscated loaders and anti-analysis techniques, with researchers noting the combination of in-memory execution and legitimate process abuse "reflects a deliberate strategy to frustrate antivirus signatures, sandboxes, and rapid analyst triage." The use of the same final payload across multiple delivery campaigns confirms that Remcos itself remains a consistent target capability for threat actors who vary their delivery methods to stay ahead of detection updates.
The big picture
The entry point for this campaign is a phishing email carrying what appears to be a routine financial document. That is exactly the category of email that healthcare billing, compliance, and administrative staff receive and act on daily, including tax notices, payment confirmations, and invoice attachments. A staff member who opens a compressed archive from an unexpected sender and runs the file inside has set off an attack chain that leaves nothing detectable on disk and ends with an attacker watching their screen, recording their audio, and harvesting every saved password in their browser. According to Paubox's 2026 Healthcare Email Security Report, only 5% of known phishing attacks are reported by employees to security teams, meaning campaigns like this one can complete their full infection chain without generating any internal detection signal at the email layer.
FAQs
What is steganography, and why does hiding malware inside images defeat security tools?
Steganography is the practice of concealing data inside an ordinary file, such as an image, without visibly altering it. Security tools that scan files for known malicious code patterns look at the file's structure and content. An image file carrying hidden encoded data looks like a normal image to those scanners, so the concealed payload passes through without detection.
What does fileless execution mean, and why does it matter for endpoint security?
Fileless execution means the malware runs entirely within the computer's memory without ever saving its malicious components as files on the hard drive. Most endpoint security tools are built around scanning files. When there are no files to scan, those tools have nothing to flag, leaving behavioral monitoring of running processes as the primary detection option.
Why does injecting into a legitimate browser process help the malware stay hidden?
Security tools and system administrators monitoring running processes expect to see browser processes active on a device. Malicious code running inside a legitimate browser process inherits that process's trusted appearance, making it harder to distinguish from normal browser activity in process monitoring and network traffic logs.
What is a loader-as-a-service platform, and what does it mean for the threat landscape?
A loader-as-a-service platform is a commercial criminal service that rents out malware delivery infrastructure to multiple operators simultaneously. Different threat actors pay to use the same distribution network to deliver different final payloads. It means the same delivery technique documented in this campaign may be delivering different malware to different targets through the same infrastructure.
What email security practices reduce exposure to this type of attack?
Blocking compressed archive attachments from external senders that have not been explicitly whitelisted removes the primary delivery vector. Sandboxed email attachment detonation that opens files in an isolated environment before delivery can identify suspicious behavior even when no malicious files are written to disk. Training staff specifically to treat unexpected financial document attachments as high-risk, regardless of how routine the subject line appears, reduces the probability of the initial click.
