SHADOW#REACTOR Campaign: Delivering Remcos RAT via Multi‑Stage Windows Attack

Researchers have uncovered a new malware campaign dubbed SHADOW#REACTOR, which uses a multi‑stage, evasive attack chain to deploy the Remcos RAT (Remote Access Trojan). This campaign demonstrates advanced techniques designed to bypass detection and establish persistent covert access in enterprise and SMB environments.

Infection Chain Breakdown

  1. Initial Stage – VBS Launcher
    • Obfuscated Visual Basic Script (win64.vbs) executed via wscript.exe.
    • Likely delivered through social engineering lures (malicious links).
    • Acts as a lightweight launcher for a Base64‑encoded PowerShell payload.
  2. Payload Retrieval – PowerShell Downloader
    • Uses System.Net.WebClient to fetch text‑based payload fragments (qpwoe64.txt / qpwoe32.txt).
    • Stored in %TEMP% directory.
    • Implements a self‑healing loop: re‑downloads fragments until size/length thresholds are met.
  3. Intermediate Stage – Text‑Only Stagers
    • Payload fragments reconstructed into encoded loaders.
    • Decoded in memory by a .NET Reactor‑protected assembly.
    • Designed to frustrate static analysis and antivirus signatures.
  4. Persistence & Loader Execution
    • Secondary PowerShell script (jdywa.ps1) invokes a reflective .NET Reactor loader.
    • Loader applies anti‑debugging and anti‑VM checks.
    • Establishes persistence and retrieves next‑stage malware.
  5. Final Stage – Remcos RAT Deployment
    • Uses MSBuild.exe (a legitimate Windows LOLBin) to launch Remcos RAT.
    • Execution wrapper scripts re‑trigger win64.vbs for resilience.
    • RAT provides full remote access and control of the compromised system.

Key Features of SHADOW#REACTOR

  • Text‑only intermediates: Payload fragments disguised as harmless text files.
  • In‑memory reconstruction: Avoids writing full malware binaries to disk.
  • LOLBin abuse: Leverages trusted Windows processes (MSBuild.exe) to evade detection.
  • Self‑healing design: Ensures that incomplete payloads don’t break the execution chain.
  • Commercial RAT: Remcos RAT is widely available, often used by initial access brokers.

Impact & Threat Landscape

  • Targets: Broad and opportunistic, covering both enterprise and SMB environments.
  • Actors: Likely initial access brokers, selling footholds to other threat groups.
  • Risks:
    • Persistent remote access.
    • Credential theft.
    • Data exfiltration.
    • Potential resale of compromised environments for ransomware or espionage.

Defensive Recommendations

  • Detection:
    • Monitor for suspicious use of wscript.exe, PowerShell, and MSBuild.exe.
    • Flag unusual text files in %TEMP% directories.
  • Prevention:
    • Harden email security to block malicious attachments/links.
    • Restrict LOLBin execution where possible.
  • Response:
    • Hunt for persistence mechanisms (scheduled tasks, registry entries).
    • Investigate signs of Remcos RAT activity (C2 traffic, credential access attempts).
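As an added illustration of the detection guidance above (not part of the original post), the following Python walks constructed process-creation events and flags the wscript.exe → PowerShell → MSBuild.exe lineage, together with PowerShell command lines that reference .txt files under %TEMP%. The event field names, file paths and command lines are assumptions modelled loosely on Sysmon Event ID 1, not telemetry from the campaign.

```python
"""Flag SHADOW#REACTOR-style process lineages (wscript.exe -> powershell.exe ->
MSBuild.exe) and PowerShell touching .txt files under %TEMP%. Event fields are
an assumption modelled on Sysmon Event ID 1; the sample events are constructed."""
import re
# (parent, child) image pairs matching the campaign's stage transitions.
SUSPECT_PAIRS = {
    ("wscript.exe", "powershell.exe"),  # VBS launcher starting the downloader
    ("powershell.exe", "msbuild.exe"),  # PowerShell loader launching the LOLBin
}
TEMP_TXT = re.compile(r"(\\Temp\\|\$env:TEMP|%TEMP%)\S*?\.txt", re.IGNORECASE)

# Constructed sample telemetry (not from the campaign); pids 500-700 are benign noise.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe", "cmd": r"wscript.exe C:\Users\u\Downloads\win64.vbs"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile($u, $env:TEMP+'\qpwoe64.txt')"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmd": r"MSBuild.exe C:\Users\u\AppData\Local\Temp\stage.proj"},  # project name is constructed
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmd": "powershell.exe Get-ChildItem"},
    {"pid": 600, "ppid": 100, "image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "cmd": "devenv.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe", "cmd": "MSBuild.exe app.sln"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def lineage(event, by_pid):
    """Image basenames from the process up to the root (self first); cycle-safe."""
    chain, cur, seen = [], event, set()
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(basename(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return chain

def find_suspicious(events):
    """One finding per event that matches a campaign stage; benign rows yield none."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        chain, reasons = lineage(e, by_pid), []
        if len(chain) > 1 and (chain[1], chain[0]) in SUSPECT_PAIRS:
            reasons.append(f"{chain[1]} spawned {chain[0]}")
        if chain[0] == "powershell.exe" and TEMP_TXT.search(e["cmd"]):
            reasons.append("PowerShell command line references a .txt under %TEMP%")
        if chain[0] == "msbuild.exe" and "wscript.exe" in chain:
            reasons.append("MSBuild.exe descends from wscript.exe (full chain)")
        if reasons:
            findings.append({"pid": e["pid"], "lineage": " <- ".join(chain), "reasons": reasons})
    return findings
```

The developer-driven MSBuild.exe under devenv.exe and the interactive PowerShell under explorer.exe produce no findings, which is the point of keying on lineage rather than on the image name alone.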

Takeaway

SHADOW#REACTOR exemplifies modern modular loader frameworks: stealthy, resilient, and designed to bypass traditional defenses. By combining text‑only stagers, in‑memory loaders, and LOLBin abuse, attackers can deliver Remcos RAT with minimal forensic footprint, complicating detection and incident response.
