

New Malware Campaign Delivers Remcos RAT Through Multi-Stage Windows Attack
Published:
13 January 2026 at 09:08:00
Alert date:
13 January 2026 at 11:00:38
Source:
thehackernews.com
Operating Systems, Ransomware & Malware
A new malware campaign called SHADOW#REACTOR uses a multi-stage attack chain to deliver Remcos RAT, a commercially available remote administration tool. The campaign employs an evasive infection process that starts with an obfuscated VBS launcher executed through wscript.exe. The attack is designed to establish persistent, covert remote access to compromised Windows systems through a tightly orchestrated execution path.
Technical details
The SHADOW#REACTOR campaign uses a multi-stage attack chain to deliver Remcos RAT. The infection begins with an obfuscated VBS launcher (win64.vbs) executed via wscript.exe, which invokes a PowerShell downloader that retrieves fragmented text-based payloads from remote hosts. These fragments are reconstructed into encoded loaders, decoded in memory by a .NET Reactor-protected assembly. The final stage uses MSBuild.exe as a living-off-the-land binary to complete execution. The campaign employs text-only stagers, PowerShell for in-memory reconstruction, anti-debugging and anti-VM checks, and includes self-healing mechanisms to ensure payload integrity.
Mitigation steps:
Monitor for suspicious VBS script execution via wscript.exe, PowerShell downloading text files to the %TEMP% directory, MSBuild.exe process abuse, and .NET Reactor-protected assemblies. Implement detection rules for fragmented payload reconstruction and in-memory loading techniques. Watch for text-only staging mechanisms and LOLBin abuse patterns.
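As an added example (not code from the article or from Securonix), the following Python applies two of the checks above to constructed Sysmon-style process-creation records: an MSBuild.exe launch whose parent chain is powershell.exe under wscript.exe, and an MSBuild.exe launch whose input is not a project or solution file. The event records, PIDs and paths are constructed sample data; only the file names come from the IOC list on this page.

```python
"""Detection logic for the wscript.exe -> PowerShell -> MSBuild.exe chain.
Added example; the EVENTS list is constructed sample telemetry, not real data."""
import re

# Constructed process-creation events (Sysmon EventID 1 style):
# one benign build chain and one chain matching the described stager.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\u\Downloads\win64.vbs"'},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\Users\u\AppData\Local\Temp\jdywa.ps1"},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmd": r"MSBuild.exe C:\Users\u\AppData\Local\Temp\qpwoe64.txt"},
    {"pid": 500, "ppid": 100, "image": r"C:\Program Files\dotnet\dotnet.exe", "cmd": "dotnet build"},
    {"pid": 600, "ppid": 500,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmd": r"MSBuild.exe C:\src\app\app.csproj"},
]

# Ancestry that the alert describes: MSBuild.exe launched by PowerShell launched by wscript.exe.
STAGE_CHAIN = ["msbuild.exe", "powershell.exe", "wscript.exe"]
PROJECT_FILE = re.compile(r"\.(csproj|vbproj|proj|sln)\b", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image basenames from the given process up to the root of the tree."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_msbuild_abuse(events):
    """Return (pid, reasons) for each MSBuild.exe launch that matches a check."""
    hits = []
    for e in events:
        if basename(e["image"]) != "msbuild.exe":
            continue
        reasons = []
        if ancestry(events, e["pid"])[:3] == STAGE_CHAIN:
            reasons.append("wscript->powershell->msbuild ancestry")
        if not PROJECT_FILE.search(e["cmd"]):
            reasons.append("msbuild input is not a project file")
        if reasons:
            hits.append((e["pid"], reasons))
    return hits
```

The benign `dotnet build` chain produces no hit, while the constructed stager chain is flagged for both its ancestry and its `.txt` input.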
Affected products:
Microsoft Windows
wscript.exe
PowerShell
MSBuild.exe
.NET Reactor
Related links:
https://thehackernews.com/2025/05/fileless-remcos-rat-delivered-via-lnk.html
https://www.securonix.com/blog/shadowreactor-text-only-staging-net-reactor-and-in-memory-remcos-rat-deployment/
Related CVEs:
Related threat actors:
IOCs:
win64.vbs, qpwoe64.txt, qpwoe32.txt, jdywa.ps1, wscript.exe, MSBuild.exe
This article was created with the assistance of AI technology by Perceptive.

