Cybersecurity researchers have disclosed details of a new campaign dubbed SHADOW#REACTOR that employs an evasive multi-stage attack chain to deliver a commercially available remote administration tool called Remcos RAT and establish persistent, covert remote access.
“The infection chain follows a tightly orchestrated execution path: an obfuscated VBS launcher executed via wscript.exe invokes a PowerShell downloader, which retrieves fragmented, text-based payloads from a remote host,” Securonix researchers Akshay Gaikwad, Shikha Sangwan, and Aaron Beardslee said in a technical report shared with The Hacker News.
“These fragments are reconstructed into encoded loaders, decoded in memory by a .NET Reactor–protected assembly, and used to fetch and apply a remote Remcos configuration. The final stage leverages MSBuild.exe as a living-off-the-land binary (LOLBin) to complete execution, after which the Remcos RAT backdoor is fully deployed and takes control of the compromised system.”
The activity is assessed to be broad and opportunistic, primarily targeting enterprise and small-to-medium business environments. The tooling and tradecraft align with typical initial access brokers, who obtain footholds to target environments and sell them off to other actors for financial gain. That said, there is no evidence to attribute it to a known threat group.
The most unusual aspect of the campaign is the reliance on intermediate text-only stagers, coupled with the use of PowerShell for in-memory reconstruction and a .NET Reactor–protected reflective loader, to unpack subsequent phases of the attack with an aim to complicate detection and analysis efforts.
The infection sequence begins with the retrieval and execution of an obfuscated Visual Basic Script (“win64.vbs”) that’s likely triggered by means of user interaction, such as clicking on a link delivered via socially engineered lures. The script, run using “wscript.exe,” functions as a lightweight launcher for a Base64-encoded PowerShell payload.
The PowerShell script subsequently employs System.Net.WebClient to communicate with the same server used to fetch the VBS file and drop a text-based payload named “qpwoe64.txt” (or “qpwoe32.txt” for 32-bit systems) in the machine’s %TEMP% directory.
“The script then enters a loop where it validates the file’s existence and size,” Securonix explained. “If the file is missing or below the configured length threshold (minLength), the stager pauses execution and re-downloads the content. If the threshold is not met within the defined timeout window (maxWait), execution proceeds without terminating, preventing chain failure.”
“This mechanism ensures that incomplete or corrupted payload fragments do not immediately disrupt execution, reinforcing the campaign’s self-healing design.”
Should the text file meet the relevant criteria, it proceeds to construct a second secondary PowerShell script (“jdywa.ps1”) in the %TEMP% directory, which invokes a .NET Reactor Loader that’s responsible for establishing persistence, retrieving the next-stage malware, and incorporating various anti-debugging and anti-VM checks to fly under the radar.
The loader ultimately launches the Remcos RAT malware on the compromised host using a legitimate Microsoft Windows process, “MSBuild.exe.” Also dropped over the course of the attack are execution wrapper scripts to re-trigger the execution of “win64.vbs” using “wscript.exe.”
“Taken together, these behaviors indicate an actively maintained and modular loader framework designed to keep the Remcos payload portable, resilient, and difficult to statically classify,” the researchers noted. “The combination of text-only intermediates, in-memory .NET Reactor loaders, and LOLBin abuse reflects a deliberate strategy to frustrate antivirus signatures, sandboxes, and rapid analyst triage.”
