SHADOW#REACTOR Campaign Uses Text-Only Staging to Deploy Remcos RAT

https://www.infosecurity-magazine.com/news/shadowreactor-text-staging-remcos/

Publish Date: 2026-01-13 11:00:09

Source Domain: www.infosecurity-magazine.com

Summary of SHADOW#REACTOR Windows Malware Campaign

Securonix researchers have analyzed SHADOW#REACTOR, a multi-stage Windows malware campaign whose infection chain ends in the Remcos remote access Trojan. The chain starts with an obfuscated Visual Basic Script run through wscript.exe. Rather than downloading a complete malicious file, the script retrieves a series of payload fragments from a remote server as encoded text files and reassembles them in memory, using a .NET assembly protected by .NET Reactor, which lets the payload evade detection. An encrypted configuration blob controls the final stage, which installs Remcos and gives the operator remote administration capabilities such as file access and command execution. Securonix stresses that defenders need visibility into script-based execution paths and into outbound HTTP activity from scripting engines in order to catch such intrusions before the Remcos RAT is fully deployed. The campaign has not been definitively attributed to any threat group or nation-state actor.
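The detection advice above (watch script-based execution paths and outbound HTTP from scripting engines) can be turned into a simple correlation rule. The following is an added example, not code from the article or from Securonix: it walks over constructed Sysmon-style events (process creation, Event ID 1, and network connection, Event ID 3; the GUIDs, paths, users and RFC 5737 documentation addresses are made up) and raises one alert per scripting-engine process that talks to an external host on an HTTP port, reporting the launch context and how many fetches it made, which is the signal a fragment-by-fragment staging chain produces.

```python
import ipaddress
from collections import defaultdict

# Scripting engines whose outbound HTTP traffic is rarely legitimate on a workstation.
SCRIPT_ENGINES = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
HTTP_PORTS = {80, 443, 8080}

# Internal ranges that do not count as "outbound" (RFC 1918, loopback, link-local).
# Listed explicitly because ipaddress.is_private also treats RFC 5737 test addresses as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed Sysmon-style events (not real telemetry). Field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{a1}", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice.vbs"',
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\alice"},
    # Three small fetches to the same host: the fragment-staging pattern.
    {"EventID": 3, "ProcessGuid": "{a1}", "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80, "Protocol": "tcp"},
    {"EventID": 3, "ProcessGuid": "{a1}", "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80, "Protocol": "tcp"},
    {"EventID": 3, "ProcessGuid": "{a1}", "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80, "Protocol": "tcp"},
    # Benign: a logon script mapping drives from an internal server over SMB.
    {"EventID": 1, "ProcessGuid": "{b2}", "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe \\corp-dc01\netlogon\map_drives.vbs",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "User": "CORP\\bob"},
    {"EventID": 3, "ProcessGuid": "{b2}", "Image": r"C:\Windows\System32\cscript.exe",
     "DestinationIp": "10.20.0.5", "DestinationPort": 445, "Protocol": "tcp"},
    # Benign: a browser fetching web content, not a scripting engine.
    {"EventID": 3, "ProcessGuid": "{c3}", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443, "Protocol": "tcp"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_external(ip):
    """True when the destination is outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_script_engine_http(events, min_connections=1):
    """Return one alert per scripting-engine process that made at least
    min_connections outbound connections to external hosts on HTTP(S) ports.
    Event ID 1 supplies the command line, parent and user for the alert."""
    launches = {}
    conns = defaultdict(list)
    for ev in events:
        image = basename(ev["Image"])
        if image not in SCRIPT_ENGINES:
            continue
        if ev["EventID"] == 1:
            launches[ev["ProcessGuid"]] = ev
        elif (ev["EventID"] == 3 and ev["DestinationPort"] in HTTP_PORTS
              and is_external(ev["DestinationIp"])):
            conns[ev["ProcessGuid"]].append((image, f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'))

    alerts = []
    for guid, hits in conns.items():
        if len(hits) < min_connections:
            continue
        launch = launches.get(guid, {})
        alerts.append({
            "process_guid": guid,
            "image": hits[0][0],
            "command_line": launch.get("CommandLine", "<no process-creation event seen>"),
            "parent_image": basename(launch.get("ParentImage", "")),
            "user": launch.get("User", ""),
            "connections": len(hits),
            "destinations": sorted({dest for _, dest in hits}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_script_engine_http(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the process GUID rather than the image name so that one alert summarises the whole staging session, and the connection count lets an analyst tune min_connections upward in environments where a single script-engine HTTP request is common (update or inventory scripts) but a burst of fetches to one host is not.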

Key Points:

  • Attack uses a multi-stage, script-based infection chain to deploy Remcos RAT.
  • Abuses legitimate Windows tools and living-off-the-land techniques, starting with an obfuscated VBScript run through wscript.exe.