EXECUTIVE SUMMARY
The SHADOW#REACTOR intrusion chain shows how a simple script-based entry point evolves into the full deployment of a remote access backdoor. The campaign is notable for its modular design, where each stage hands off execution to the next using plain-text intermediates and in-memory processing. By combining legacy scripting with modern obfuscation and fileless techniques, the framework minimizes on-disk artifacts while remaining flexible and resilient. The overall structure allows operators to update payloads or configurations without changing the initial delivery method, making the activity harder to disrupt through static detection alone.
The attack relies on a layered loader architecture that chains Visual Basic Script, PowerShell, encoded text files, and protected .NET assemblies. PowerShell plays a central role by reconstructing payloads in memory and validating downloads through repeated size-checked retrieval loops. A Reactor-protected .NET component then orchestrates execution, decrypting strings at runtime, generating auxiliary scripts, and coordinating additional in-memory stages. Trusted system utilities are abused to provide a legitimate execution context, while reflective loading ensures minimal forensic footprint.
This design prioritizes resilience, stealth, and evasion over speed or simplicity. Overall, SHADOW#REACTOR illustrates how a common remote access tool can be delivered through a sophisticated and evasive loader framework. The use of text-only staging, in-memory execution, and trusted binaries significantly complicates detection and analysis, even though the final payload itself is not novel. By separating delivery, orchestration, and configuration into distinct stages, the framework achieves both adaptability and durability. This campaign reflects a broader shift toward modular loader ecosystems that focus on reliability and defender friction rather than relying on a single exploit or executable.
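The chain described above (VBScript to PowerShell to a trusted utility such as MSBuild or mshta, with a Run-key entry for persistence) leaves a recognisable parent/child lineage in process telemetry even when the payloads themselves never touch disk. The following detection sketch is an added example, not code from the report or from Securonix: it assumes Sysmon-style records (Event ID 1 process creation and Event ID 13 registry value set, using Sysmon's field names) and the sample events are constructed, not captured from a real host.

```python
"""Flag the script-host -> PowerShell -> trusted-utility loader lineage.

Constructed example (not the report's or Securonix's code). Assumes Sysmon-style
records: Event ID 1 (Image, ParentImage, ProcessGuid, ParentProcessGuid,
CommandLine) and Event ID 13 (TargetObject). Sample events are made up.
"""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}            # VBScript stage, T1059.005
PROXY_BINARIES = {"msbuild.exe", "mshta.exe"}             # T1127.001 / T1218.005
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)  # T1547.001
ENCODED_SWITCH = re.compile(r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-cased basename of a Windows image path."""
    return PureWindowsPath(path).name.lower()


def lineage(event, by_guid, max_depth=8):
    """Walk ParentProcessGuid links upward; return image names root-first.
    If a parent record is missing, its name is taken from the child's ParentImage."""
    chain, cur, depth = [], event, 0
    while cur is not None and depth < max_depth:
        chain.append(image_name(cur["Image"]))
        parent = by_guid.get(cur.get("ParentProcessGuid"))
        if parent is None:
            chain.append(image_name(cur["ParentImage"]))
        cur = parent
        depth += 1
    return list(reversed(chain))


def is_staged_chain(chain):
    """True if a script host, later powershell.exe, later a proxy binary all occur
    in that order (intermediate hops such as cmd.exe are allowed)."""
    stage = 0
    for name in chain:
        if stage == 0 and name in SCRIPT_HOSTS:
            stage = 1
        elif stage == 1 and name == "powershell.exe":
            stage = 2
        elif stage == 2 and name in PROXY_BINARIES:
            return True
    return False


def analyze(events):
    """Return (technique, detail) findings for a list of Sysmon-style events."""
    by_guid = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] == 1:
            name = image_name(e["Image"])
            if name == "powershell.exe" and ENCODED_SWITCH.search(e["CommandLine"]):
                findings.append(("T1027.010", f"encoded PowerShell: pid {e['ProcessId']}"))
            if name in PROXY_BINARIES:
                chain = lineage(e, by_guid)
                if is_staged_chain(chain):
                    findings.append(("T1127.001/T1218.005", " -> ".join(chain)))
        elif e["EventID"] == 13 and RUN_KEY.search(e["TargetObject"]):
            findings.append(("T1547.001", f"{image_name(e['Image'])} wrote {e['TargetObject']}"))
    return findings


# Constructed sample telemetry: one staged chain plus a benign developer build.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "g1", "ParentProcessGuid": "g0", "ProcessId": 4100,
     "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\Downloads\invoice.vbs"'},
    {"EventID": 1, "ProcessGuid": "g2", "ParentProcessGuid": "g1", "ProcessId": 4120,
     "Image": PS, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -w hidden -enc QQBBAEEA"},   # placeholder blob
    {"EventID": 1, "ProcessGuid": "g3", "ParentProcessGuid": "g2", "ProcessId": 4150,
     "Image": MSBUILD, "ParentImage": PS,
     "CommandLine": r"MSBuild.exe C:\Users\u\AppData\Local\Temp\build.xml"},
    {"EventID": 13, "ProcessGuid": "g2", "ProcessId": 4120, "Image": PS,
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 1, "ProcessGuid": "g9", "ParentProcessGuid": "g8", "ProcessId": 5000,
     "Image": MSBUILD, "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "CommandLine": r"MSBuild.exe C:\src\app.csproj"},
]

if __name__ == "__main__":
    for technique, detail in analyze(SAMPLE_EVENTS):
        print(technique, detail)
```

The lineage walk is what separates the loader from ordinary MSBuild use: the benign `devenv.exe -> msbuild.exe` record produces no finding, while the same binary under a script host and PowerShell does. In production the same logic would run over a SIEM's process-creation feed rather than an inline list, and the Run-key rule would be paired with an allowlist for known installers.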
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1204.002 | User Execution | Malicious File |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Execution | T1127.001 | Trusted Developer Utilities Proxy Execution | MSBuild |
| Defense Evasion | T1027.010 | Obfuscated Files or Information | Command Obfuscation |
| Defense Evasion | T1140 | Deobfuscate or Decode Files or Information | – |
| Defense Evasion | T1218.005 | System Binary Proxy Execution | Mshta |
| Defense Evasion | T1036.005 | Masquerading | Match Legitimate Name or Location |
| Defense Evasion | T1070.004 | Indicator Removal on Host | File Deletion |
| Discovery | T1057 | Process Discovery | – |
| Collection | T1056.001 | Input Capture | Keylogging |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1105 | Ingress Tool Transfer | – |
| Command and Control | T1573.001 | Encrypted Channel | Symmetric Cryptography |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
|---|---|---|
| Execution | E1059 | Command and Scripting Interpreter |
| Execution | E1204 | User Execution |
| Defense Evasion | F0015 | Hijack Execution Flow |
| Defense Evasion | B0032 | Data Value Obfuscation |
| Defense Evasion | F0012 | Registry Run Keys / Startup Folder |
| Command and Control | B0030 | C2 Communication |
| Anti-Static Analysis | E1027 | Obfuscated Files or Information |
| Anti-Behavioral Analysis | B0009 | Virtual Machine Detection |
REFERENCES:
The following reports contain further
https://securityonline.info/shadowreactor-malware-builds-remcos-rat-via-text-files/
https://www.securonix.com/blog/shadowreactor-text-only-staging-net-reactor-and-in-memory-remcos-rat-deployment/