PROBABLYPWNED
Malware | January 31, 2026 | 3 min read

SHADOW#REACTOR: Multi-Stage Remcos RAT Hits Enterprises

Security researchers expose an active campaign using layered evasion techniques to deliver Remcos RAT through MSBuild abuse and .NET Reactor-protected loaders.

James Rivera

Security researchers at Securonix have disclosed an active malware campaign they call SHADOW#REACTOR, delivering the Remcos remote access trojan through a sophisticated multi-stage attack chain designed to frustrate analysis and evade detection. The campaign targets enterprises and small-to-medium businesses with what researchers describe as an "actively maintained and modular loader framework."

Attack Chain Breakdown

The infection begins with socially engineered lures that trick users into running obfuscated Visual Basic scripts via wscript.exe. From there, the attack unfolds across multiple stages:

Stage 1: VBS Launcher

The initial script executes a Base64-encoded PowerShell payload that downloads text-based payload fragments to the %TEMP% directory. Files are named with innocuous patterns like "qpwoe64.txt" or "qpwoe32.txt" depending on system architecture.

Stage 2: Self-Healing Mechanism

The malware validates downloaded file integrity and re-downloads corrupted or incomplete fragments automatically. This resilience mechanism ensures successful infection even when network conditions interrupt the initial download.

Stage 3: Secondary PowerShell

A script named "jdywa.ps1" constructs and executes the next stage, which loads a .NET Reactor-protected assembly containing anti-debugging and anti-VM checks.

Stage 4: LOLBin Abuse

The loader abuses MSBuild.exe, a legitimate Windows build tool, to execute the final Remcos RAT payload. This living-off-the-land technique helps the malware blend with normal system activity.

Evasion Techniques

SHADOW#REACTOR demonstrates considerable investment in detection avoidance. The operators use text-only intermediates, in-memory .NET Reactor loaders, and legitimate binary abuse specifically to frustrate antivirus products and sandbox analysis.

The fragmented, encoded payloads require in-memory reconstruction, meaning static file analysis won't reveal the true malicious functionality. By the time the final payload executes through MSBuild, traditional file-based detection has multiple opportunities to miss the threat.

This approach mirrors the ClickFix techniques we've covered previously, where attackers invest heavily in the delivery mechanism rather than the payload itself. The Lazarus group's fake job interview campaigns showed similar sophistication in social engineering combined with multi-stage execution.

Attribution and Intent

Securonix assesses the activity aligns with initial access broker (IAB) operations—threat actors who establish persistent access to victim networks and sell that access to ransomware operators or other criminal groups. No specific threat group attribution has been established.

The broad, opportunistic targeting across enterprise and SMB environments supports the IAB assessment. These operators optimize for volume rather than targeting specific organizations, maximizing the number of accesses available for resale.

For context on how initial access feeds into the broader criminal ecosystem, our ransomware psychology analysis details how ransomware groups increasingly outsource the intrusion phase to specialized brokers.

Key Indicators

File Artifacts:

  • win64.vbs (obfuscated VBS launcher)
  • qpwoe64.txt / qpwoe32.txt (encoded payload fragments)
  • jdywa.ps1 (secondary execution wrapper)

Behavioral Indicators:

  • Wscript.exe spawning PowerShell
  • PowerShell downloading text files to %TEMP%
  • MSBuild.exe executing from unusual locations or with suspicious arguments

Defensive Recommendations

  1. Monitor PowerShell execution - Log and alert on Base64-decoded commands and downloads to %TEMP%
  2. Track MSBuild abuse - Baseline normal MSBuild usage and alert on anomalous patterns
  3. Implement script controls - Consider restricting wscript.exe and cscript.exe execution
  4. Deploy behavioral detection - Static signatures will struggle; focus on execution chain detection
  5. Segment networks - Limit lateral movement opportunities if initial access succeeds
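As an added illustration (not code from the Securonix report or this site) of how the behavioral indicators and the PowerShell/MSBuild recommendations above can be turned into detection logic, the script below checks Sysmon-style process-creation events for the script-host-to-PowerShell, encoded-command and anomalous-MSBuild patterns. The sample events, the MSBuild parent baseline and the path patterns are constructed assumptions, not indicators from the campaign.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 1 style events: a benign MSBuild run and a
# wscript -> powershell -> MSBuild chain of the kind described in the article.
EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\Downloads\win64.vbs"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"MSBuild.exe C:\Users\u\AppData\Local\Temp\proj.xml"},  # constructed path
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Hypothetical baseline: parents from which MSBuild is expected in this environment.
MSBUILD_EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}
# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
# Project files under user-writable locations (%TEMP%, AppData, Downloads).
USER_WRITABLE = re.compile(r"(?i)\\(?:temp|appdata|users\\[^\\]+\\downloads)\\")

def exe_name(path):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(path).name.lower()

def detect(event):
    """Return the names of the rules a single event trips (empty for benign events)."""
    hits = []
    img, parent = exe_name(event["Image"]), exe_name(event["ParentImage"])
    cmd = event["CommandLine"]
    if img in POWERSHELL and parent in SCRIPT_HOSTS:
        hits.append("script_host_spawned_powershell")
    if img in POWERSHELL and ENCODED_FLAG.search(cmd):
        hits.append("powershell_encoded_command")
    if img == "msbuild.exe":
        if parent not in MSBUILD_EXPECTED_PARENTS:
            hits.append("msbuild_unexpected_parent")
        if USER_WRITABLE.search(cmd):
            hits.append("msbuild_project_in_user_writable_path")
    return hits

def scan(events):
    """Run detect() over a list of events; yields (event index, rule name) pairs."""
    return [(i, rule) for i, e in enumerate(events) for rule in detect(e)]
```

Running scan(EVENTS) flags only the two events in the malicious chain; the developer-launched MSBuild build is left alone because its parent is in the baseline and its project lives outside user-writable paths.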

Remcos itself is a commodity RAT available for purchase online, so the sophistication here lies entirely in the delivery infrastructure. Organizations with robust email security and endpoint detection should review their coverage against these specific techniques.
