SHADOW#REACTOR Campaign Uses Text-Only Staging to Deploy Remcos RAT

By Team-CWD, January 13, 2026 (3 min read)

A multi-stage Windows malware campaign, tracked as SHADOW#REACTOR, has been analyzed by cybersecurity researchers, revealing a complex infection chain designed to stealthily deploy the Remcos remote access Trojan.

The campaign, discovered by the Securonix Threat Research team, relies on a sequence of scripts and in-memory loaders that abuse legitimate Windows tools to evade detection while maintaining persistence.

The attack begins with the execution of an obfuscated Visual Basic Script (VBS) launched via wscript.exe. This initial script does little more than hand off execution. It constructs and runs a heavily encoded PowerShell command in memory, avoiding obvious malicious indicators on disk.

From there, PowerShell retrieves a series of payload fragments hosted on a remote server and reconstructs them into executable components.

Instead of downloading executable files directly, however, the attackers rely on text files that contain encoded payloads, which are repeatedly fetched until they meet size thresholds. This design helps ensure reliability while complicating static analysis and sandboxing.

Once the text payloads are reconstructed, they are decoded and loaded in memory by a .NET assembly protected with .NET Reactor, a commercial code protection tool often repurposed by threat actors.

This loader orchestrates subsequent stages, cleans up artifacts and optionally performs anti-analysis checks.

It ultimately retrieves configuration data and hands off execution using MSBuild.exe, a trusted Microsoft-signed binary abused as a living-off-the-land (LOL) tool.

Final Payload: Remcos RAT

Analysis confirms the final payload is Remcos RAT, a commercially available remote administration tool frequently used for malicious purposes.

Delivered via an encrypted configuration blob, Remcos grants full remote control of infected systems, including file access, command execution and optional surveillance features. In this campaign, it is deployed through a far more elaborate loader than is typically observed.

The findings indicate an actively maintained, modular framework aimed at broad, opportunistic targeting.

“To detect and disrupt campaigns of this nature, defenders should prioritize visibility into script-based execution paths […] as well as outbound HTTP activity originating from scripting engines to untrusted infrastructure,” Securonix wrote.

The company attributes the research to its threat analysis team, noting there is currently insufficient evidence to link SHADOW#REACTOR to a specific threat group or nation-state actor.

“Additional focus on reflective .NET loading, text-based staging patterns, and LOLBAS abuse […] will materially improve the likelihood of identifying these threats before the final Remcos payload is fully deployed and operational.”
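The chain described above, as an added defender-side illustration that is not Securonix's code or detection content: the Python below checks a constructed set of process-creation and network events for the three behaviours the article names (a script host spawning encoded PowerShell, a scripting engine repeatedly fetching text files, and MSBuild.exe launched by an unexpected parent). The event tuple layout, file paths, and the 203.0.113.10 address are assumptions invented for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real data). Tuple layout is an assumption:
# (event_type, pid, parent_image, image, command_line_or_url)
EVENTS = [
    ("proc", 1001, "explorer.exe", "wscript.exe", r"wscript.exe C:\Users\u\Downloads\invoice.vbs"),
    ("proc", 1002, "wscript.exe", "powershell.exe", "powershell.exe -w hidden -nop -enc SQBFAFgA..."),
    ("net", 1002, None, "powershell.exe", "http://203.0.113.10/stage/part1.txt"),
    ("net", 1002, None, "powershell.exe", "http://203.0.113.10/stage/part1.txt"),  # re-fetched
    ("net", 1002, None, "powershell.exe", "http://203.0.113.10/stage/part2.txt"),
    ("proc", 1003, "powershell.exe", "MSBuild.exe", r"MSBuild.exe C:\Users\u\AppData\Local\Temp\build.proj"),
    ("proc", 1004, "devenv.exe", "MSBuild.exe", r"MSBuild.exe C:\src\app.sln"),  # benign IDE build
]

SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
# PowerShell accepts abbreviated forms of -EncodedCommand; match the common ones.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.IGNORECASE)
# Parents under which MSBuild.exe is normally launched (an assumption for this example).
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "cmd.exe"}


def detect(events):
    """Return (pid, rule_name) findings for the staging behaviours described in the article."""
    findings = []
    fetches = defaultdict(lambda: defaultdict(int))  # pid -> url -> fetch count
    for kind, pid, parent, image, data in events:
        img = image.lower()
        if kind == "proc":
            parent = (parent or "").lower()
            if (parent in {"wscript.exe", "cscript.exe"}
                    and img in {"powershell.exe", "pwsh.exe"}
                    and ENCODED_FLAG.search(data + " ")):
                findings.append((pid, "script_host_spawns_encoded_powershell"))
            if img == "msbuild.exe" and parent not in BUILD_PARENTS:
                findings.append((pid, "msbuild_from_unexpected_parent"))
        elif kind == "net" and img in SCRIPT_ENGINES and data.lower().endswith(".txt"):
            fetches[pid][data] += 1
    # Several distinct .txt fetches, or the same one fetched repeatedly, from one scripting process.
    for pid, urls in fetches.items():
        if len(urls) >= 2 or any(n >= 2 for n in urls.values()):
            findings.append((pid, "scripting_engine_repeated_text_fetch"))
    return findings


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"pid {pid}: {rule}")
```

The benign devenv.exe-launched MSBuild event produces no finding, which is the false-positive case a practitioner should check before deploying a rule like the MSBuild parent check.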

Image credit: ssi77 / Shutterstock.com