SHADOW#REACTOR Malware Delivers Remcos RAT via Multi-Stage Windows Attack

Cybersecurity researchers have identified SHADOW#REACTOR, a new and evasive malware campaign using a layered Windows attack chain to distribute Remcos RAT and gain long-term, covert control over compromised systems.

Jan 14, 2026 - 17:01

Cybersecurity researchers have uncovered a new malware campaign, dubbed SHADOW#REACTOR, that leverages a highly evasive, multi-stage Windows attack chain to deploy Remcos RAT, a commercially available remote administration tool commonly abused by threat actors. The campaign demonstrates advanced tradecraft, combining script-based loaders, in-memory execution, and legitimate Windows binaries to bypass traditional security defenses.

According to a technical analysis published by Securonix, the attack relies on a carefully orchestrated execution flow designed to complicate detection and forensic analysis. While the campaign has not been attributed to any known threat group, its tactics strongly resemble those used by initial access brokers (IABs), who gain unauthorized access to systems and sell that access to other cybercriminals.

How the SHADOW#REACTOR Infection Chain Works

The infection begins with user interaction, most often a socially engineered lure such as a malicious link or attachment. Once the lure is triggered, an obfuscated Visual Basic Script file (VBS), typically named win64.vbs, is executed with wscript.exe, the legitimate Windows scripting host.

The VBS launcher serves as the first stage, decoding and executing a Base64-encoded PowerShell payload. The PowerShell script then contacts the same remote server to fetch a text-based payload, which is written to the system's %TEMP% directory as either qpwoe64.txt or qpwoe32.txt, depending on the system architecture.

Self-Healing Payload Delivery for Reliability

One of the notable aspects of this campaign is its robust, self-repairing architecture. The PowerShell script repeatedly checks whether the downloaded text file exists and whether it matches a predefined size. If the file is missing, partially downloaded or corrupted, the script pauses and attempts the download again.

Moreover, even if the payload fails the size check within the allotted time window, the execution chain is not immediately aborted. This behaviour keeps the infection process from being disrupted and makes the campaign more reliable overall, even across minor network failures or incomplete downloads.

In-Memory Execution and .NET Reactor Protection

Once the payload meets the required criteria, the malware generates a second PowerShell script on the fly, typically named jdywa.ps1. This script launches a .NET Reactor-protected loader, which forms the core of the attack.

The loader operates entirely in memory, leaving no disk-based artifacts that might alert antivirus products. It also contains built-in anti-debugging and anti-virtual-machine checks, which let the malware evade the sandbox environments and automated defenses commonly used by security researchers.

The loader then establishes persistence, retrieves the final malware payload, and prepares the system for long-term takeover.

Abuse of MSBuild.exe to Deploy Remcos RAT

In the final stage, SHADOW#REACTOR abuses MSBuild.exe, a legitimate Microsoft Windows tool, to deploy the Remcos RAT. This technique, known as Living-off-the-Land Binary (LOLBin) abuse, lets the intruders disguise malicious activity as legitimate use of a trusted binary and so greatly improves their chances of avoiding detection.

Additional wrapper scripts are also dropped to ensure that win64.vbs can be re-executed, strengthening persistence on the infected machine.

Once installed, Remcos RAT gives the attackers full control of the remote machine, including the ability to log keystrokes, capture screenshots, execute commands, and exfiltrate data.

Who Is Being Targeted?

The campaign appears to be broad and opportunistic, targeting both enterprise environments and small-to-medium businesses (SMBs). The modular nature of the loader framework suggests it is actively maintained and adaptable, making it an attractive toolset for cybercriminals seeking scalable access to compromised networks.

Why This Campaign Matters

The SHADOW#REACTOR campaign reflects a broader trend in modern malware: the use of text-only intermediate payloads, in-memory loaders, and trusted Windows binaries to evade detection. By chaining VBS, PowerShell, .NET loaders, and LOLBins, the attackers make the campaign very difficult to catch with static signatures and automated analysis tools.

Security teams are advised to monitor closely for suspicious script executions, PowerShell activity, and unusual uses of MSBuild.exe, while also educating users to reduce the risk of initial compromise through social engineering.
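To make the monitoring advice above concrete, the following editor-added example (not code from Securonix or from this article) walks a set of process-creation events, rebuilds the parent-child chain, and flags the pattern described in this write-up: a script host launched from a user-writable folder, PowerShell spawned by that script host or carrying an encoded command, and MSBuild.exe running beneath a shell or script host. The event field names (pid, ppid, image, cmdline) mirror Sysmon Event ID 1 but are an assumption about your telemetry; the events themselves, the user name, and the MSBuild project file name are constructed for the example. The encoded command is a harmless Get-Date, and the decoder shows how an analyst can read such commands. It goes slightly beyond the article by also treating cscript.exe and pwsh.exe as equivalents of wscript.exe and powershell.exe. The artifact file names are the ones reported above.

```python
"""Process-chain triage for a script-host -> PowerShell -> MSBuild pattern.

Editor-added example; not the campaign's code and not Securonix's tooling.
"""
import base64
import re

# Generalisation beyond the article: cscript.exe and pwsh.exe are included.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# File names reported in the write-up above.
KNOWN_ARTIFACTS = ("win64.vbs", "qpwoe64.txt", "qpwoe32.txt", "jdywa.ps1")

# -EncodedCommand and its accepted abbreviations followed by a Base64 blob.
ENCODED_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
# User-writable locations where a dropped script or project file is a red flag.
USER_WRITABLE = re.compile(
    r"(?i)\\Users\\[^\\]+\\(?:Downloads|AppData\\Local\\Temp)\\|\\Windows\\Temp\\")

# Constructed sample telemetry (Sysmon Event ID 1 style fields), not real logs.
ENCODED_SAMPLE = base64.b64encode("Get-Date".encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 50, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # Suspicious chain: script host from Downloads -> encoded PowerShell -> MSBuild
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\win64.vbs"'},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED_SAMPLE}"},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\loader.proj"},  # constructed name
    # Benign: a developer build and an admin script, which must not fire
    {"pid": 500, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": "devenv.exe"},
    {"pid": 600, "ppid": 500,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj"},
    {"pid": 700, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(index: dict, pid: int) -> list:
    """Image names from the process's parent up to the root (cycle-safe)."""
    names, seen = [], set()
    pid = index[pid]["ppid"]
    while pid in index and pid not in seen:
        seen.add(pid)
        names.append(basename(index[pid]["image"]))
        pid = index[pid]["ppid"]
    return names


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand blob (UTF-16LE), or None."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def reasons_for(event: dict, index: dict) -> list:
    """Collect every rule the event trips; an empty list means benign."""
    name, cmd = basename(event["image"]), event["cmdline"]
    parents = ancestors(index, event["pid"])
    reasons = []
    if name in SCRIPT_HOSTS and USER_WRITABLE.search(cmd):
        reasons.append("script-host-from-user-writable-path")
    if name in SHELLS and parents and parents[0] in SCRIPT_HOSTS:
        reasons.append("powershell-spawned-by-script-host")
    if name in SHELLS and ENCODED_FLAG.search(cmd):
        reasons.append("encoded-powershell-command")
    if name == "msbuild.exe" and any(p in SHELLS | SCRIPT_HOSTS for p in parents):
        reasons.append("msbuild-under-script-host-or-shell")
    if name == "msbuild.exe" and USER_WRITABLE.search(cmd):
        reasons.append("msbuild-project-in-user-writable-path")
    for artifact in KNOWN_ARTIFACTS:
        if artifact in cmd.lower():
            reasons.append(f"known-artifact-name:{artifact}")
    return reasons


def findings_by_pid(events: list) -> dict:
    """Map pid -> list of reasons for every event that tripped at least one rule."""
    index = {e["pid"]: e for e in events}
    return {e["pid"]: r for e in events if (r := reasons_for(e, index))}


if __name__ == "__main__":
    for pid, why in findings_by_pid(SAMPLE_EVENTS).items():
        print(pid, why)
    print("decoded:", decode_encoded_command(SAMPLE_EVENTS[2]["cmdline"]))
```

The rules are deliberately independent so that a single event can carry several reasons, which is what an analyst wants when prioritising alerts: a lone encoded PowerShell command is common in administration, but one whose parent is wscript.exe and whose child is MSBuild.exe reading a project file from %TEMP% is the full chain this article describes. The developer build (devenv.exe launching MSBuild.exe on a project under C:\src) and the scheduled admin script produce no findings, which is the false-positive check to keep in place when tuning the parent and path rules for your environment.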