Shadow#Reactor Multi-Stage Windows Malware Delivers Remcos RAT via Text-Based Payload Fragments
Security researchers reported a multi-stage Windows malware campaign dubbed Shadow#Reactor (SHADOW#REACTOR) that uses a VBScript launcher and PowerShell to retrieve fragmented, text-only payloads from remote infrastructure, then reconstructs and executes them to ultimately deploy Remcos RAT. The infection chain relies on user interaction (e.g., phishing/social-engineering lures or compromised web resources) to execute an obfuscated .vbs file via Windows Script Host, after which staged PowerShell downloaders pull encoded payload pieces that are stored as plain text to reduce the likelihood of traditional binary-based detections.
Securonix analysis (as reported in both trade and vendor writeups) describes a modular handoff between stages, including obfuscation layers, base64 decoding patterns, and integrity/size checks to ensure successful reassembly of the final components. The technique emphasizes living-off-the-land execution and flexible staging (allowing attackers to update individual stages independently), with reconstruction activity leveraging legitimate tooling (e.g., MSBuild noted in reporting) before in-memory decoding and retrieval of the final Remcos payload; defenders should treat unusual chains of wscript.exe/cscript.exe spawning PowerShell and subsequent staged text retrieval/reassembly as high-signal behavior for investigation.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Securonix assesses campaign as broad, opportunistic, and unattributed
Researchers said the activity appears to target enterprises and SMBs in a broad 'spray-and-pray' manner consistent with financially motivated operators or possible initial access broker activity. They also stated there was insufficient evidence to attribute the campaign to a known threat actor.
Researchers detail fileless, text-based staging and LOLBin abuse
Technical analysis showed the malware reconstructs payload components from benign-looking text files, decodes .NET assemblies in memory, and uses legitimate Windows tools such as wscript.exe, PowerShell, and MSBuild.exe to reduce on-disk artifacts and evade detection. Securonix also linked the final payload to Remcos RAT through infrastructure tracing and payload signature matching.
Securonix identifies SHADOW#REACTOR delivering Remcos RAT
Securonix researchers reported a newly identified multi-stage Windows malware campaign dubbed SHADOW#REACTOR. The campaign uses an obfuscated VBS launcher, PowerShell, and text-based payload fragments retrieved from remote infrastructure to ultimately deploy Remcos RAT.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
SHADOW#REACTOR Malware Builds Remcos RAT via Text Files
securityonline.info
Open sourceSHADOW#REACTOR campaign leverages evasive tactics to deploy Remcos RAT | SC Media
scworld.com
Open sourceMulti-Stage Windows Malware Invokes PowerShell Downloader Using Text-based Payloads Using Remote Host
cybersecuritynews.com
Open sourceShadow#Reactor Uses Text Files to Deliver Remcos RAT
darkreading.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing Campaigns Deliver Remcos RAT via Obfuscated Scripts and Trusted Services
Researchers reported multiple **Remcos RAT** campaigns using phishing emails and trusted infrastructure to infect victims while evading detection. In one intrusion chain, a ZIP attachment named `MV MERKET COOPER SPECIFICATION.zip` delivered an obfuscated JavaScript file that fetched a PowerShell loader from `almacensantangel[.]com`; the loader then reconstructed and decrypted payloads in memory, including `ALTERNATE.dll` and `Cqeqpvzeia.exe`. The malware injected into the legitimate Microsoft .NET utility `aspnet_compiler.exe`, communicated with `192[.]3[.]27[.]141:8087`, and stored captured keystrokes and other data in `C:\ProgramData\remcos\logs.dat`, leaving few disk artifacts. A separate campaign used phishing emails that linked to a fake Google Drive sharing page hosted through **Google Cloud Storage** and the trusted `googleapis.com` domain, helping the attack bypass email and web filtering. After user interaction, the infection chain used staged JavaScript redirects or downloads, followed by VBScript or PowerShell execution to retrieve the final Remcos payload, which was then injected into a legitimate Windows process through **process hollowing**, persisted via Windows Registry entries, and opened encrypted command-and-control channels. The activity underscores how attackers are combining living-off-the-land techniques, trusted cloud services, obfuscated scripting, and legitimate Windows binaries to deploy Remcos for surveillance and data theft.
Apr 25, 2026
Multi-stage malware delivery chains distributing XWorm and other RATs
Researchers reported evolving **multi-stage, script-heavy infection chains** used to deliver remote access trojans, including **XWorm**, **AsyncRAT**, and **Xeno RAT**. Securonix described a campaign dubbed **VOID#GEIST** that starts from phishing-delivered batch scripts fetched from *TryCloudflare* infrastructure, then chains additional batch/PowerShell stages, deploys a legitimate embedded Python runtime, decrypts shellcode, and executes it filelessly by injecting into `explorer.exe` using **Early Bird APC injection**, reducing disk artifacts and making each stage appear benign in isolation. Separately, SANS ISC documented another **XWorm** wave using an obfuscated JavaScript-to-PowerShell loader chain that drops a temporary PowerShell script (e.g., `C:\Temp\ps_...ps1`), decodes additional in-memory PowerShell, and uses a DLL exporting `ProcessHollowing` to inject the XWorm client into a .NET compiler process. The write-up included configuration and IOCs such as a C2 endpoint `204[.]10[.]160[.]190:7003`, mutex `Cqu1F0NxohroKG5U`, and multiple SHA-256 hashes for the JavaScript, PowerShell, DLL loader, and XWorm payload, indicating continued high-volume distribution with frequently changing delivery techniques.
Mar 21, 2026
Fileless Multi-Stage Remcos RAT Campaign Uses Phishing for Memory-Resident Execution
Trellix researchers reported a **multi-stage, fileless Remcos RAT infection chain** that begins with phishing and culminates in **memory-resident execution**, reducing on-disk artifacts and complicating detection. The campaign uses staged delivery and in-memory techniques to deploy **Remcos RAT**, a remote access trojan commonly used for surveillance, credential theft, and hands-on-keyboard follow-on activity. The reported intrusion flow highlights how attackers are combining **phishing-based initial access** with **fileless execution** to evade traditional defenses that rely on file scanning and static indicators. For defenders, the activity underscores the need to prioritize behavioral detection across email, process execution, script interpreters, and memory telemetry, especially for attack chains that move from user interaction to stealthy in-memory payload deployment.
Jun 5, 2026