SHADOW#REACTOR
SHADOW#REACTOR is a multi-stage Windows malware delivery framework and campaign identified by Securonix that is designed to deploy Remcos RAT on victim systems. It is described as an unattributed, likely financially motivated loader framework operating in a broad spray-and-pray model rather than a targeted intrusion. Securonix reported insufficient evidence to attribute the activity to a known threat group or state actor.
The infection chain relies on user interaction, such as clicking a malicious link or executing a malicious file, often via social engineering or compromised web resources. The initial stage uses an obfuscated VBS launcher executed through wscript.exe, which spawns PowerShell to download benign-looking text files containing fragmented payload components. Reported staging filenames include qpwoe32.txt, qpwoe64.txt, teste32.txt, teste64.txt, and config.txt. These text-based intermediates contain encoded payload material that is reconstructed and decoded in memory, including through a .NET Reactor-protected assembly. Later stages fetch and apply a remote Remcos configuration, and the chain abuses MSBuild.exe as a LOLBin to complete execution and deploy Remcos RAT.
The campaign is notable for its stealth-focused delivery chain rather than the final payload itself. It uses living-off-the-land techniques with native Windows tools including wscript.exe, PowerShell, and MSBuild.exe; fragmented text-only staging; reflective in-memory loading of reconstructed .NET assemblies; and process-chain obfuscation to minimize disk artifacts, complicate forensic analysis, and evade static detection and EDR. Reported behavioral indicators include the process chain wscript.exe -> powershell.exe -> msbuild.exe, unusual script execution, multiple PowerShell instances with extensive inline commands, and characteristic PowerShell/base64 decoding patterns. Securonix also reported that the same delivery chain could be repurposed to deliver malware other than Remcos RAT.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Post navigation Previous:SHADOW#REACTOR Malware Builds Remcos RAT via Text Files
A multi-stage, largely fileless loader framework that uses 'text-only intermediates' (benign-looking text files containing fragmented payload components) and in-memory reconstruction/decoding (including a .NET Reactor-protected assembly) plus LOLBin abuse (MSBuild.exe) to ultimately deploy Remcos RAT while evading static detection and complicating forensics.
A multi-stage Windows malware campaign/loader that uses obfuscated VBS, PowerShell, fragmented text-based payloads, a .NET Reactor-protected assembly, and MSBuild.exe to reconstruct and deploy a final payload in memory while evading detection.
A multi-stage Windows loader/stager that uses an obfuscated VBS-to-PowerShell execution chain to download base64-encoded payload fragments stored as plain text files, reconstructs them into .NET assemblies, and loads them in-memory (reflective loading) to evade static detection and EDR.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.