Security researchers have identified a new malware operation, tracked as SHADOW#REACTOR, that uses a carefully layered infection process to install Remcos RAT, a commercially available remote access trojan widely abused by cybercriminals.
The campaign relies on a stealthy, multi-step execution chain designed to evade detection while establishing long-term remote control over infected systems. According to researchers at Securonix, the attack blends script-based launchers, in-memory execution, and trusted Windows tools to quietly deploy the final payload.
How the Attack Works
The infection typically begins with an obfuscated Visual Basic Script that is executed through wscript.exe, often triggered by user interaction such as clicking a malicious link or attachment delivered through social engineering. This script serves as a lightweight launcher rather than delivering malware directly.
Once executed, the VBS file calls a PowerShell command that downloads additional components from a remote server. Instead of retrieving a traditional executable, the attacker delivers fragmented, text-based payloads that are saved temporarily on the system.
These fragments are repeatedly checked for completeness and size. If the downloaded content is missing or incomplete, the script pauses and retries rather than failing outright. This self-repair logic allows the infection chain to continue even in unstable network conditions, making the campaign more resilient.
When the payload meets the required conditions, a secondary PowerShell script is generated. This script activates a reflective loader protected by .NET Reactor, which decodes and assembles the next stage entirely in memory. This approach reduces the number of artifacts written to disk and complicates forensic analysis.
Living Off the Land to Stay Hidden
In the final stage, the loader abuses MSBuild.exe, a legitimate Microsoft Windows utility, to execute the Remcos RAT. By relying on a trusted system binary, the malware blends into normal activity and avoids raising immediate alarms from security tools.
Additional helper scripts are dropped to ensure persistence, allowing the original VBS launcher to be re-executed automatically if needed. Once fully deployed, Remcos provides attackers with covert remote access, enabling surveillance, command execution, and data theft.
Targeting and Intent
The campaign appears to be opportunistic, with activity observed across enterprise environments and small-to-medium businesses. The techniques and tooling suggest alignment with initial access brokers, actors who specialize in gaining footholds in networks and selling that access to other criminal groups. At this time, the activity has not been linked to a known threat actor.
What makes SHADOW#REACTOR stand out is its reliance on text-only intermediate stages, in-memory reconstruction, and heavy use of trusted system components. This modular design helps the malware avoid signature-based detection, sandbox analysis, and quick triage by defenders.
Why It Matters
SHADOW#REACTOR highlights how modern malware campaigns are evolving. Rather than introducing entirely new tools, attackers are refining delivery techniques to make existing payloads more portable, durable, and difficult to analyze. The combination of script abuse, memory-only execution, and legitimate binaries underscores the growing challenge for endpoint security teams.
Defenders should closely monitor script execution, PowerShell activity, and unusual use of development utilities like MSBuild, especially in environments where such tools are not routinely required.