Ethical Hacking News

A New Malware Campaign Delivers Remcos RAT through a Sophisticated Multi-Stage Windows Attack: Implications for Enterprise Security


A new malware campaign has been identified that leverages an intricate multi-stage attack chain to deliver the Remcos RAT. The campaign, dubbed SHADOW#REACTOR, employs intermediate text-only stages, in-memory .NET Reactor loaders, and Living Off the Land tactics to evade detection. This highlights the evolving nature of malware campaigns and the need for organizations to stay vigilant in protecting their systems from sophisticated attacks.

  • The SHADOW#REACTOR malware campaign uses a multi-stage attack chain to deliver the Remcos RAT.
  • The campaign employs intermediate text-only stages, in-memory .NET Reactor loaders, and Living Off the Land (LOLBin) tactics to evade detection.
  • The attack sequence begins with an obfuscated Visual Basic Script executed via "wscript.exe."
  • The script drops a text-based payload in the machine's %TEMP% directory and validates its existence and size.
  • The campaign uses a .NET Reactor Loader to establish persistence, retrieve the next-stage malware, and incorporate anti-debugging and anti-VM checks.
  • The tooling and tradecraft align with typical initial access brokers, who obtain footholds to target environments for financial gain.



A recent discovery by cybersecurity researchers has shed light on a novel malware campaign that leverages an intricate multi-stage attack chain to deliver the commercially available Remote Administration Tool (RAT) called Remcos. The campaign, dubbed SHADOW#REACTOR, is notable for its use of intermediate text-only stages, in-memory .NET Reactor loaders, and Living Off the Land (LOLBin) tactics to evade detection.

The researchers from Securonix have analyzed the attack sequence, which begins with the execution of an obfuscated Visual Basic Script ("win64.vbs") via "wscript.exe." This script functions as a lightweight launcher for a Base64-encoded PowerShell payload. The PowerShell script subsequently employs System.Net.WebClient to communicate with the same server used to fetch the VBS file and drop a text-based payload named "qpwoe64.txt" (or "qpwoe32.txt" for 32-bit systems) in the machine's %TEMP% directory.

The script then enters a loop where it validates the file's existence and size. If the file is missing or below the configured length threshold, the stager pauses execution and re-downloads the content. This mechanism ensures that incomplete or corrupted payload fragments do not immediately disrupt execution, reinforcing the campaign's self-healing design. Should the text file meet the relevant criteria, it proceeds to construct a secondary PowerShell script ("jdywa.ps1") in the %TEMP% directory.

This script invokes a .NET Reactor Loader that is responsible for establishing persistence, retrieving the next-stage malware, and incorporating various anti-debugging and anti-VM checks to fly under the radar. The loader ultimately launches the Remcos RAT malware on the compromised host using a legitimate Microsoft Windows process, "MSBuild.exe." Also dropped over the course of the attack are execution wrapper scripts to re-trigger the execution of "win64.vbs" using "wscript.exe."
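As an added detection example (not code from the article or from Securonix), the script below checks constructed process-creation events for the three stages the article names: a script host running a .vbs from a user-writable path, that script host spawning PowerShell with an encoded command that references WebClient or %TEMP%, and MSBuild.exe spawned by PowerShell. The event layout, the sample events, the PowerShell stub and the rule names are assumptions made for the example.

```python
import base64
import re

# Constructed PowerShell stub standing in for the Base64-encoded stager the
# article describes (touches %TEMP%, uses WebClient); it is never executed here.
STUB = "$p = Join-Path $env:TEMP 'qpwoe64.txt'; $c = New-Object System.Net.WebClient"
ENC = base64.b64encode(STUB.encode("utf-16-le")).decode()

# Constructed process-creation events (parent, image, command line) modelled on
# the chain in the article: wscript.exe -> encoded PowerShell -> MSBuild.exe.
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\u\Downloads\win64.vbs"'),
    (r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -NoP -W Hidden -EncodedCommand " + ENC),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "MSBuild.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\u\notes.txt"),
]

def decode_encoded_command(cmdline):
    """Return the decoded script when the command line carries -EncodedCommand (or -e/-ec/-enc), else None."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:  # PowerShell Base64-encodes the UTF-16LE form of the script
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(parent, image, cmd):
    """Return the names of the detection rules that fire on one process-creation event."""
    parent, image, hits = parent.lower().rsplit("\\", 1)[-1], image.lower().rsplit("\\", 1)[-1], []
    # Stage 1: a script host running a .vbs out of a user-writable location.
    if image in ("wscript.exe", "cscript.exe") and re.search(r'\\(?:downloads|temp|appdata)\\[^"]*\.vbs', cmd, re.I):
        hits.append("script_host_runs_vbs_from_user_path")
    # Stage 2: the script host launching PowerShell with an encoded command;
    # decode it and look for the WebClient / %TEMP% markers the article names.
    if image == "powershell.exe" and parent in ("wscript.exe", "cscript.exe"):
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hits.append("script_host_spawns_encoded_powershell")
            if re.search(r"webclient|\$env:temp", decoded, re.I):
                hits.append("encoded_stager_uses_webclient_or_temp")
    # Stage 3: MSBuild.exe spawned by PowerShell (assumption: no legitimate build
    # in this environment is started from PowerShell).
    if image == "msbuild.exe" and parent == "powershell.exe":
        hits.append("msbuild_spawned_by_powershell")
    return hits
```

Run `classify(*event)` over each event from your EDR or Sysmon Event ID 1 feed; correlating hits across the three stages on one host gives far more confidence than any single rule.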

The combination of text-only intermediates, in-memory .NET Reactor loaders, and LOLBin abuse reflects a deliberate strategy to frustrate antivirus signatures, sandboxes, and rapid analyst triage. The researchers have noted that the tooling and tradecraft align with typical initial access brokers, who obtain footholds to target environments and sell them off to other actors for financial gain.

The activity is assessed to be broad and opportunistic, primarily targeting enterprise and small-to-medium business environments. However, there is no evidence to attribute it to a known threat group. This highlights the evolving nature of malware campaigns and the need for organizations to stay vigilant in protecting their systems from sophisticated attacks.

The reliance on intermediate text-only stages, coupled with the use of PowerShell for in-memory reconstruction and .NET Reactor–protected reflective loaders, makes this campaign particularly noteworthy. The incorporation of LOLBin tactics also indicates a level of sophistication that may be difficult for some antivirus solutions to detect.

In conclusion, the SHADOW#REACTOR malware campaign serves as a stark reminder of the ongoing cat-and-mouse game between security researchers and malicious actors. As threat actors continue to evolve their tactics and tools, it is essential for organizations to stay informed and take proactive measures to protect themselves against such threats.



Related Information:
  • https://www.ethicalhackingnews.com/articles/A-New-Malware-Campaign-Delivers-Remcos-RAT-through-a-Sophisticated-Multi-Stage-Windows-Attack-Implications-for-Enterprise-Security-ehn.shtml
  • https://thehackernews.com/2026/01/new-malware-campaign-delivers-remcos.html
  • https://cybersecuritynews.com/hackers-exploits-windows-via-uac-bypass-technique-to-deploy-remcos-rat/

Published: Tue Jan 13 05:02:27 2026 by llama3.2 3B Q4_K_M