On Jan 13, 2026 cybersecurity researchers disclosed a campaign named SHADOW#REACTOR that uses an evasive multi-stage chain to deploy the Remcos RAT backdoor and maintain covert, persistent access, according to a technical report from Securonix.
KEY FACTS
- Incident: SHADOW#REACTOR delivers the Remcos RAT backdoor
- Initial vector: Obfuscated VBS launcher executed with wscript.exe
- Staging: Text-only payload fragments reconstructed in memory
- Execution: Loader uses .NET Reactor, then MSBuild.exe to run Remcos
The infection chain begins with an obfuscated Visual Basic Script named “win64.vbs” run by wscript.exe. The script launches a Base64-encoded PowerShell payload that downloads a text file such as “qpwoe64.txt” to the host’s %TEMP% directory.
The downloader validates the fragment file against a minimum length and reattempts retrieval if the content is incomplete. Once these criteria are met, the stager writes a secondary PowerShell script named “jdywa.ps1” and invokes a .NET Reactor reflective loader to reconstruct and run subsequent code in memory.
The loader applies anti-debugging and anti-virtual-machine checks, then fetches a Remcos configuration and launches the RAT using the legitimate Windows binary MSBuild.exe. Execution wrapper scripts are also dropped to re-trigger the VBS launcher and preserve persistence.
WHY IT MATTERS
The activity is assessed as broad and opportunistic, primarily targeting enterprise and small-to-medium business environments. The use of text-only intermediates, in-memory loaders, and living-off-the-land binaries increases the difficulty of signature-based detection and sandbox analysis.
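As an added example (not part of the Securonix report or this brief), the following Python check scans process-creation records for the parent chain described above: wscript.exe running a .vbs, spawning PowerShell with an encoded command, which in turn starts MSBuild.exe. The records and their field names (pid, ppid, image, cmdline) are constructed for illustration and are not a real telemetry schema; treating the PowerShell stage as MSBuild's direct parent is an assumption.

```python
"""Flag wscript.exe -> powershell.exe (-enc) -> MSBuild.exe process chains.
Records below are constructed; field names are an assumed, simplified schema."""
import re

# Matches PowerShell's EncodedCommand switch and its accepted abbreviations.
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_chains(events):
    """Return (vbs_pid, ps_pid, msbuild_pid) triples for each MSBuild.exe whose
    parent is an encoded PowerShell whose own parent is wscript.exe on a .vbs."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if image_name(e["image"]) != "msbuild.exe":
            continue
        ps = by_pid.get(e["ppid"])
        if not ps or image_name(ps["image"]) not in ("powershell.exe", "pwsh.exe"):
            continue
        if not ENCODED_PS.search(" " + ps["cmdline"] + " "):
            continue
        launcher = by_pid.get(ps["ppid"])
        if not launcher or image_name(launcher["image"]) != "wscript.exe":
            continue
        if ".vbs" not in launcher["cmdline"].lower():
            continue
        hits.append((launcher["pid"], ps["pid"], e["pid"]))
    return hits


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 210, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\user\Downloads\win64.vbs"'},
    {"pid": 220, "ppid": 210, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc QQBBAEEAQQBBAEEA"},  # placeholder blob
    {"pid": 230, "ppid": 220, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe"},
    # Benign developer build: MSBuild started from the IDE, not from a script chain.
    {"pid": 300, "ppid": 100, "image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "cmdline": "devenv.exe"},
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe app.csproj"},
]

if __name__ == "__main__":
    print(find_chains(SAMPLE_EVENTS))  # only the scripted chain is reported
```

The benign IDE-launched MSBuild record is left unflagged, which is the point of keying on the full parent chain rather than on MSBuild.exe alone.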