Endpoint/Device Security, Malware

SHADOW#REACTOR campaign leverages evasive tactics to deploy Remcos RAT

Cyberattack

As reported by The Hacker News, cybersecurity researchers from Securonix have uncovered a sophisticated new campaign named SHADOW#REACTOR, which utilizes a multi-stage attack chain to deploy the Remcos Remote Administration Tool (RAT) and establish persistent, covert remote access. The campaign is notable for its evasive techniques designed to complicate detection and analysis.

The SHADOW#REACTOR campaign employs an intricate infection chain. It begins with an obfuscated VBS launcher executed via wscript.exe, which then invokes a PowerShell downloader. This downloader retrieves fragmented, text-based payloads from a remote host. These fragments are reconstructed into encoded loaders, decoded in memory by a .NET Reactor–protected assembly, and used to fetch and apply a remote Remcos configuration. The final stage leverages MSBuild.exe, a legitimate Microsoft binary, to complete execution, deploying the Remcos RAT backdoor. The activity appears broad and opportunistic, primarily targeting enterprise and small-to-medium business environments, aligning with initial access brokers.

The campaign's reliance on intermediate text-only stagers, in-memory reconstruction via PowerShell, and a .NET Reactor–protected loader represents a deliberate strategy to evade traditional security measures like antivirus signatures and sandboxes. This modular and resilient loader framework makes the Remcos payload difficult to classify statically. The use of living-off-the-land binaries (LOLBins) further frustrates rapid analyst triage, highlighting the need for advanced threat detection and incident response capabilities to counter such sophisticated and evasive attack methodologies.

Source: The Hacker News

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds