New Malware Campaign Delivers Remcos RAT Through Multi-Stage Windows Attack
Cybersecurity researchers have disclosed details of a new campaign dubbed SHADOW#REACTOR that employs an evasive multi-stage attack chain to deliver a commercially available remote administration tool called Remcos RAT and establish persistent, covert remote access. "The infection chain follows a tightly orchestrated execution path: an obfuscated VBS launcher executed via wscript.exe invokes a
AI Analysis
Technical Summary
The SHADOW#REACTOR malware campaign is a multi-stage attack designed to covertly deploy the commercially available Remcos RAT on Windows systems. The infection chain initiates with an obfuscated Visual Basic Script (win64.vbs) executed by wscript.exe, likely triggered by user interaction such as clicking a malicious link. This VBS script acts as a launcher for a Base64-encoded PowerShell payload that downloads fragmented, text-based payload files (qpwoe64.txt or qpwoe32.txt) from a remote server into the %TEMP% directory. The PowerShell script validates the completeness of these fragments through size and existence checks, implementing a self-healing mechanism that retries downloads to avoid chain failure. Once validated, the fragments are reconstructed into a secondary PowerShell script (jdywa.ps1), which invokes a .NET Reactor-protected reflective loader. This loader incorporates anti-debugging and anti-virtual machine checks to evade detection and analysis. It establishes persistence and fetches the final Remcos RAT payload, which is executed using MSBuild.exe, a legitimate Microsoft binary, to avoid raising suspicion. Additional wrapper scripts ensure the initial VBS launcher can be re-triggered to maintain persistence. The campaign's modular and obfuscated design, use of text-only intermediates, and living-off-the-land techniques complicate static detection and sandbox analysis. The attackers appear to be initial access brokers targeting a broad range of organizations, including enterprises and SMBs, for financial gain, though no direct attribution to known threat groups exists. The campaign does not exploit a specific vulnerability but relies on social engineering and user interaction to initiate the infection.
Potential Impact
For European organizations, the SHADOW#REACTOR campaign poses a risk of unauthorized remote access, data exfiltration, espionage, and potential lateral movement within networks. The use of Remcos RAT enables attackers to control compromised systems covertly, potentially leading to intellectual property theft, disruption of business operations, and exposure of sensitive information. Enterprises and SMBs are at risk due to the opportunistic nature of the campaign and the widespread use of Windows systems. The stealthy multi-stage infection chain and living-off-the-land tactics make detection challenging, increasing the likelihood of prolonged undetected presence. Persistent access could facilitate follow-on attacks such as ransomware deployment or supply chain compromise. Although currently assessed as low severity, the campaign's modularity and evasive techniques could enable escalation or adaptation to more damaging payloads, especially in high-value sectors such as finance, manufacturing, and critical infrastructure prevalent in Europe.
Mitigation Recommendations
European organizations should implement targeted mitigations beyond generic advice:
1) Deploy advanced endpoint detection and response (EDR) solutions capable of detecting obfuscated scripts, in-memory execution, and LOLBin abuse, specifically monitoring wscript.exe, PowerShell, and MSBuild.exe activities.
2) Enforce strict application whitelisting and restrict execution of scripts and living-off-the-land binaries to authorized users and processes.
3) Implement network segmentation and monitor outbound connections for anomalous traffic to known malicious servers or unusual data exfiltration patterns.
4) Conduct user awareness training focused on recognizing social engineering lures that trigger script execution.
5) Utilize script-blocking policies via Group Policy Objects (GPO) to limit or disable execution of VBS and PowerShell scripts unless explicitly required.
6) Regularly audit and harden persistence mechanisms, including scheduled tasks and startup scripts, to detect and remove unauthorized entries.
7) Employ threat hunting to identify indicators of compromise related to Remcos RAT and the SHADOW#REACTOR infection chain.
8) Maintain up-to-date threat intelligence feeds to track emerging variants and adjust defenses accordingly.
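The process chain described in the technical summary (wscript.exe launching an encoded PowerShell payload, which in turn launches MSBuild.exe) is the most telemetry-visible part of this campaign, and mitigation 1) asks for exactly that monitoring. The script below is an added example, not code from the article or from the researchers who reported the campaign: it correlates process-creation records by parent/child PID and flags the two stages of the chain. It assumes Sysmon Event ID 1-style field names (ProcessId, ParentProcessId, Image, CommandLine); the log lines embedded in it are constructed for the example and are not real telemetry, and the Base64 blob and file paths in them are placeholders.

```python
"""Hunt for a script-host -> encoded PowerShell -> MSBuild.exe process chain.

Added example (not from the original article). Works over Sysmon Event ID 1 /
Security 4688-style process-creation records, one JSON object per line.
"""
import json
import os
from typing import Dict, List

# Constructed sample telemetry (not real logs). PIDs, paths and the Base64
# argument are placeholders; the two benign chains show what must NOT fire.
SAMPLE_LOG = r'''
{"ProcessId": 4100, "ParentProcessId": 900,  "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}
{"ProcessId": 4120, "ParentProcessId": 4100, "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "\"C:\\Windows\\System32\\wscript.exe\" C:\\Users\\u\\Downloads\\win64.vbs"}
{"ProcessId": 4130, "ParentProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc QUJDRA=="}
{"ProcessId": 4140, "ParentProcessId": 4130, "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "CommandLine": "MSBuild.exe C:\\Users\\u\\AppData\\Local\\Temp\\stage.proj"}
{"ProcessId": 5200, "ParentProcessId": 4100, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"}
{"ProcessId": 5210, "ParentProcessId": 5200, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -ExecutionPolicy Bypass -Command Get-Date"}
{"ProcessId": 6300, "ParentProcessId": 4100, "Image": "C:\\Program Files\\Microsoft Visual Studio\\devenv.exe", "CommandLine": "devenv.exe"}
{"ProcessId": 6310, "ParentProcessId": 6300, "Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "CommandLine": "MSBuild.exe app.csproj"}
'''

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def parse_events(text: str) -> List[Dict]:
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(event: Dict) -> str:
    """Lower-cased file name of the Image field, independent of path separator."""
    return os.path.basename(event["Image"].replace("\\", "/")).lower()


def has_encoded_command(cmdline: str) -> bool:
    """True if the command line carries -EncodedCommand or one of the prefix
    aliases PowerShell accepts for it (-e, -en, -enc, ..., plus -ec)."""
    for tok in cmdline.split():
        t = tok.lower().lstrip('"')
        if t.startswith(("-", "/")) and len(t) > 1:
            sw = t[1:]
            if sw == "ec" or (sw.startswith("e") and "encodedcommand".startswith(sw)):
                return True
    return False


def ancestry(pid: int, by_pid: Dict[int, Dict], max_depth: int = 8) -> List[Dict]:
    """Walk parent links upward: returns [self, parent, grandparent, ...].
    Stops at unknown parents, PID reuse loops, or max_depth."""
    chain: List[Dict] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur["ProcessId"] not in seen and len(chain) < max_depth:
        chain.append(cur)
        seen.add(cur["ProcessId"])
        cur = by_pid.get(cur["ParentProcessId"])
    return chain


def hunt(events: List[Dict]) -> List[Dict]:
    """Return one finding per process that matches a stage of the chain."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e)
        names = [image_name(x) for x in ancestry(e["ProcessId"], by_pid)]
        root_first = list(reversed(names))
        # Stage 1: a script host launching PowerShell with an encoded payload.
        if (name == "powershell.exe" and len(names) > 1
                and names[1] in SCRIPT_HOSTS and has_encoded_command(e["CommandLine"])):
            findings.append({"rule": "script-host-encoded-powershell",
                             "pid": e["ProcessId"], "chain": root_first})
        # Stage 2: MSBuild.exe whose lineage passes through PowerShell and a script host.
        if (name == "msbuild.exe" and "powershell.exe" in names[1:]
                and any(n in SCRIPT_HOSTS for n in names[1:])):
            findings.append({"rule": "msbuild-from-script-chain",
                             "pid": e["ProcessId"], "chain": root_first})
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_LOG)):
        print(json.dumps(f))
```

Run against the constructed sample, the benign PowerShell launched from cmd.exe and the MSBuild.exe launched from devenv.exe produce nothing, while the wscript.exe lineage yields one finding per stage. In production the same two rules map directly onto EDR or SIEM parent/child queries; the PID-reuse guard in `ancestry` matters there because long-lived logs will contain recycled PIDs.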
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Switzerland
Technical Details
- Article Source: https://thehackernews.com/2026/01/new-malware-campaign-delivers-remcos.html (fetched 2026-01-14T01:56:41Z, 1130 words)
Threat ID: 6966f7db8330e06716c60392
Added to database: 1/14/2026, 1:56:43 AM
Last enriched: 1/14/2026, 1:57:51 AM
Last updated: 2/5/2026, 10:25:04 AM