Cybersecurity researchers have revealed information about a new campaign called SHADOW#REACTOR, which uses an evasive multi-stage attack chain to establish persistent, covert remote access and deliver Remcos RAT, a commercial remote administration tool. "A .NET Reactor-protected assembly reconstructs these fragments into encoded loaders, decodes them in memory, and uses them to retrieve and apply a remote Remcos configuration."

The Remcos RAT backdoor is fully deployed and takes over the compromised system after the last stage uses MSBuild.exe as a living-off-the-land binary (LOLBin) to finish execution. The activity is deemed to be broad and opportunistic, mainly targeting enterprise and small-to-medium business environments.

The tradecraft and tooling are similar to those used by typical initial access brokers, who gain access to target environments and then sell that access to other actors for profit. Nevertheless, there is no proof linking it to a recognized threat group. The campaign's most peculiar feature is its use of intermediate text-only stagers in conjunction with PowerShell for in-memory reconstruction, and a .NET Reactor-protected reflective loader to dissect later stages of the attack, in an effort to make detection and analysis more difficult.

An obfuscated Visual Basic Script ("win64.vbs") is retrieved and executed at the start of the infection sequence. This is probably triggered by user interaction, such as clicking on a link delivered through socially engineered lures.

When executed with "wscript.exe," the script serves as a lightweight launcher for a Base64-encoded PowerShell payload. The PowerShell script then uses System.Net.WebClient to connect to the same server from which the VBS file was retrieved and drop a text-based payload named "qpwoe64.txt" (or "qpwoe32.txt" on 32-bit systems) in the machine's %TEMP% directory. After that, the script enters a loop to verify the file's existence and size, according to Securonix. "The stager pauses execution and re-downloads the content if the file is absent or less than the specified length threshold (minLength)."

Chain failure is avoided if the threshold is not reached within the specified timeout window (maxWait). "This mechanism reinforces the campaign's self-healing design by ensuring that incomplete or corrupted payload fragments do not immediately disrupt execution." If the text file satisfies the necessary requirements, it creates a second PowerShell script ("jdywa.ps1") in the %TEMP% directory.

This script calls a .NET Reactor-protected loader, which is responsible for establishing persistence, retrieving the next-stage malware, and performing various anti-debugging and anti-VM checks to evade detection.

In the end, the loader uses "MSBuild.exe," a legitimate Microsoft Windows binary, to start the Remcos RAT malware on the compromised host. During the attack, execution wrapper scripts that use "wscript.exe" to re-trigger the execution of "win64.vbs" were also dropped. The researchers observed that "the combination of text-only intermediates, in-memory .NET Reactor loaders, and LOLBin abuse reflects a deliberate strategy to frustrate antivirus signatures, sandboxes, and rapid analyst triage."
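As an added illustration (not code from Securonix or from this article) of how a defender could hunt for this chain in process-creation telemetry: the rules below encode the stages described above (wscript.exe launching a .vbs from %TEMP%, encoded PowerShell, the qpwoe64.txt/qpwoe32.txt and jdywa.ps1 artifacts, and MSBuild.exe spawned by PowerShell) and run them over a constructed sample log. The log format, the user paths, the Base64 string and the .proj name are assumptions, not indicators from the report.

```python
import re

def parse_line(line):
    """Parse one 'Key=Value|Key=Value' process-creation record (constructed format)."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WS = r"C:\Windows\System32\wscript.exe"
MSB = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
TMP = r"C:\Users\u\AppData\Local\Temp"
# Constructed telemetry mirroring the reported chain; the base64 blob and .proj name are placeholders.
SAMPLE_LOG = "\n".join(
    f"ParentImage={p}|Image={i}|CommandLine={c}" for p, i, c in [
        (r"C:\Windows\explorer.exe", WS, rf"wscript.exe {TMP}\win64.vbs"),
        (WS, PS, "powershell.exe -nop -w hidden -enc QQBBAEEAQQA="),
        (PS, PS, rf"powershell.exe -ep bypass -f {TMP}\jdywa.ps1"),
        (PS, MSB, rf"MSBuild.exe {TMP}\placeholder.proj"),
        (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
    ])

def _image_is(ev, name):
    return ev["Image"].lower().endswith(name)

# One rule per stage of the chain described above; each returns True on a matching record.
RULES = {
    "wscript-vbs-from-temp": lambda ev: _image_is(ev, "wscript.exe")
        and re.search(r"\\temp\\\S+\.vbs", ev["CommandLine"], re.I) is not None,
    "powershell-encoded": lambda ev: _image_is(ev, "powershell.exe")
        and re.search(r"\s-e(c|nc|ncodedcommand)?\s", ev["CommandLine"], re.I) is not None,
    "known-stager-file": lambda ev:
        re.search(r"qpwoe(32|64)\.txt|jdywa\.ps1", ev["CommandLine"], re.I) is not None,
    "msbuild-from-powershell": lambda ev: _image_is(ev, "msbuild.exe")
        and ev["ParentImage"].lower().endswith("powershell.exe"),
}

def match_rules(ev):
    return [name for name, check in RULES.items() if check(ev)]

def analyse(log_text):
    """Return (sorted indicator names seen, chain_detected) over a whole log.
    The chain verdict requires the MSBuild LOLBin stage plus at least one earlier stage."""
    seen = set()
    for line in log_text.splitlines():
        if line.strip():
            seen.update(match_rules(parse_line(line)))
    return sorted(seen), ("msbuild-from-powershell" in seen and len(seen) >= 2)
```

The encoded-command rule deliberately does not fire on "-ep bypass", so the stager's second PowerShell launch is caught by the artifact name rather than by a false encoded-command match.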

Taken together, these behaviors show an actively maintained and modular loader framework designed to keep the Remcos payload portable, resilient, and difficult to statically classify.