SHADOW#REACTOR Malware Campaign Deploys Remcos RAT via Multi-Stage Attack


These articles are AI-generated summaries. Please check the original sources for full details.

The SHADOW#REACTOR campaign utilizes a complex, multi-stage attack chain to deliver the Remcos RAT, a commercially available remote administration tool, resulting in persistent and covert remote access to compromised systems. Researchers at Securonix detailed the campaign’s use of VBS, PowerShell, and MSBuild to evade detection and maintain resilience.

Why This Matters

Traditional signature-based detection struggles against sophisticated, multi-stage attacks like SHADOW#REACTOR, which prioritize in-memory execution and living-off-the-land binaries. The reliance on obfuscation and fragmented payloads increases the cost of incident response and remediation, potentially leading to significant data breaches and operational disruption for targeted organizations.

Key Insights

  • Remcos RAT popularity: Remcos is a commercially available RAT frequently used by threat actors due to its versatility and features.
  • LOLBins: The campaign leverages MSBuild.exe as a living-off-the-land binary (LOLBin) to execute the final payload, blending malicious activity with legitimate system processes.
  • Text-based stagers: The use of text-only stagers complicates analysis and bypasses common detection mechanisms.
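A defender-side illustration of the insights above, written for this summary and not taken from the Securonix write-up: a small triage filter over process-creation events that flags the VBS -> PowerShell -> MSBuild transitions described for the campaign. It assumes Sysmon-style fields (image, parent image, command line), that wscript.exe/cscript.exe host the VBS stage, and that a text-only stager shows up as MSBuild being handed a file without a normal project extension.

```python
# Added example, not from the Securonix write-up: flags VBS -> PowerShell -> MSBuild process chains (Sysmon-style fields assumed).
from dataclasses import dataclass

VBS_HOSTS = {"wscript.exe", "cscript.exe"}   # script hosts that run a .vbs stage
POWERSHELL = {"powershell.exe", "pwsh.exe"}
PROJECT_EXTS = (".proj", ".csproj", ".vbproj", ".sln", ".targets", ".props")

@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of its parent
    command_line: str

def basename(path: str) -> str:
    """Lower-cased file name, tolerant of either path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def input_files(command_line: str) -> list[str]:
    """Positional MSBuild arguments; switches start with / or - (naive split)."""
    return [t.strip('"') for t in command_line.split()[1:]
            if not t.startswith(("/", "-"))]

def assess(event: ProcEvent) -> list[str]:
    """One finding per suspicious trait; an empty list means nothing matched."""
    image, parent = basename(event.image), basename(event.parent_image)
    findings = []
    if image in POWERSHELL and parent in VBS_HOSTS:
        findings.append(f"{image} launched by VBS host {parent}")
    if image == "msbuild.exe":
        if parent in POWERSHELL | VBS_HOSTS:
            findings.append(f"msbuild.exe launched by script host {parent}")
        for path in input_files(event.command_line):
            # Non-project input file: the text-only stager pattern the page describes (heuristic).
            if not path.lower().endswith(PROJECT_EXTS):
                findings.append(f"msbuild.exe given non-project input {path}")
    return findings

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\wscript.exe",
              r"powershell.exe -nop -w hidden -File C:\Users\Public\stage.ps1"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'MSBuild.exe "C:\Users\Public\stage.txt"'),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
              r"MSBuild.exe /p:Configuration=Release App.csproj"),
]
```

The third sample (MSBuild under Visual Studio building a .csproj) produces no finding, which is the point of pairing the parent-process check with the input-file heuristic rather than alerting on every MSBuild launch.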

Practical Applications

  • Use Case: Initial access brokers utilizing SHADOW#REACTOR to gain footholds in enterprise networks for subsequent sale to ransomware groups.
  • Pitfall: Over-reliance on static indicators of compromise (IOCs) as the campaign employs obfuscation and dynamic payload delivery.
