SHADOW#REACTOR: How Trusted Windows Tools Were Turned into a Stealthy Remcos RAT Infection Chain

Multi-Stage Living-off-the-Land Malware Delivery Using VBS, PowerShell, MSBuild, and Remcos RAT

Executive Overview

SHADOW#REACTOR is a stealth-focused malware campaign built to gain long-term remote access to Windows systems while avoiding traditional security controls. Rather than relying on exploits or obvious malware binaries, the attackers chain together native Windows scripting engines and trusted Microsoft tools. The final payload delivered is Remcos Remote Access Trojan (RAT).

The campaign is effective because it looks like normal system activity. Everything from script execution to persistence uses components that already exist on a standard Windows machine. This approach significantly reduces detection rates in environments that rely heavily on signature-based antivirus or do not monitor script behavior closely.

What Happened

Victims unknowingly executed a malicious script that appeared harmless on the surface. Once launched, the script triggered a hidden, multi-stage execution flow that eventually installed a remote access backdoor. From that point onward, attackers had persistent, covert access to the affected systems.

No software flaw was exploited. The breach occurred because trusted tools were misused and because script execution was permitted without sufficient restrictions or monitoring.

How the Attack Worked

Stage 1 – Initial Infection Vector

The campaign begins with email-based delivery.

Emails impersonated routine business communication.
Attachments were commonly ZIP files, ISO files, or documents.
Inside the attachment was a VBS script disguised as a legitimate file.

User interaction was required. Once the file was double-clicked, the chain began.

Stage 2 – Obfuscated VBS Execution

The VBS script acted as a lightweight launcher.

Characteristics:

Heavy string obfuscation and character encoding
Meaningless variable names
Use of Execute, Eval, and string rebuilding at runtime

Primary function:

Launch PowerShell silently
Pass encoded instructions to the next stage

At this stage, very little is written to disk, limiting forensic visibility.

Stage 3 – PowerShell Loader

PowerShell was executed with flags designed to reduce visibility and logging.

Common behaviors:

Hidden window execution
Encoded command arguments
AMSI and script logging bypass techniques
In-memory payload staging

PowerShell prepares the system for execution via MSBuild.exe, which is the core evasion technique of this campaign.

Stage 4 – MSBuild Abuse (Living-off-the-Land)

MSBuild.exe, a legitimate Microsoft binary, was used to execute malicious XML project files.

Why MSBuild:

Signed by Microsoft
Rarely blocked
Capable of executing inline code

The XML project contained embedded logic that decrypted and executed the final payload entirely in memory. This allowed the malware to run without a traditional executable ever touching disk.

Stage 5 – Final Payload: Remcos RAT

Once executed, Remcos established command-and-control communication and set up persistence.

Capabilities enabled:

Full remote shell
Credential harvesting
Browser data theft
Keystroke logging
Screen and webcam capture
File upload/download
Additional payload deployment

At this point, the system was fully compromised.

Persistence Mechanisms Observed

Multiple methods were used to survive reboots and user logouts:

Registry Run keys pointing to PowerShell or MSBuild
Scheduled tasks masquerading as system updates
Startup folder shortcuts referencing scripts
In some cases, service creation under benign names

Persistence was often layered to increase resilience.

Payload Summary

Primary Payload

Remcos RAT

Supporting Components

Obfuscated VBS launcher
PowerShell loader framework
MSBuild XML project payload
Encrypted configuration blobs

Indicators of Compromise (IOCs)

File System IOCs

Common file locations:

%AppData%\
%LocalAppData%\
%Temp%\

Suspicious files:

Randomly named .vbs files
.xml project files used by MSBuild
Temporary PowerShell script fragments

Process Execution IOCs

Suspicious process chains:

wscript.exe → powershell.exe
cscript.exe → powershell.exe
powershell.exe → MSBuild.exe
MSBuild.exe running outside developer environments

Command-line indicators:

-ExecutionPolicy Bypass
-WindowStyle Hidden
-EncodedCommand

Registry IOCs

Persistence-related keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Indicators:

Values pointing to PowerShell or MSBuild
Encoded or obfuscated command strings

Network IOCs

Behavioral indicators:

Outbound TCP connections to unfamiliar IPs
Non-standard ports
Encrypted traffic immediately after logon
Regular beacon intervals (30s–5min)

Domains and IPs frequently rotated, making static blocking unreliable.

Detection Opportunities

Endpoint Detection

High-risk behaviors:

MSBuild executed by a non-developer user
PowerShell spawning MSBuild
Script interpreters running hidden
PowerShell with encoded commands

Email Security

Indicators:

Attachments containing .vbs
Double-extension filenames
Archive files with scripts inside
ISO files with shortcut or script payloads

Network Monitoring

Indicators:

Consistent outbound connections to unknown hosts
TLS traffic without associated browser processes
Rare destination countries or hosting providers

Example Detection Rules

Sigma – Suspicious MSBuild Execution

title: Suspicious MSBuild Execution
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\MSBuild.exe'
  condition: selection
falsepositives:
  - Legitimate developer activity
level: high

Sigma – PowerShell Encoded Command

title: PowerShell Encoded Command Execution
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    CommandLine|contains: '-EncodedCommand'
  condition: selection
level: medium

YARA – Obfuscated VBS Script

rule Suspicious_VBS_Obfuscation
{
  strings:
    $s1 = "Execute"
    $s2 = "Chr("
    $s3 = "WScript.Shell"
  condition:
    all of them
}

Defensive Mitigation Measures

Immediate Actions

Isolate infected hosts
Reset credentials used on affected machines
Remove persistence artifacts
Block identified C2 traffic
Reimage systems if integrity is uncertain

Preventive Controls

Script Control

Disable VBS where not required
Restrict PowerShell to Constrained Language Mode
Enforce execution policies via Group Policy

Application Control

Restrict MSBuild execution to developer systems
Implement application allowlisting

Email Security

Block script attachments by default
Detonate archives in sandbox environments

Monitoring

Enable PowerShell Script Block Logging
Enable command-line process auditing
Monitor LOLBins for abnormal use

Impacted Environments

Most affected organizations shared common traits:

Limited endpoint monitoring
Permissive scripting policies
High reliance on email-based workflows

Industries observed:

Small and mid-sized businesses
Manufacturing
Logistics
Healthcare support services
Professional services firms
Managed service providers

Final Takeaway

SHADOW#REACTOR is not technically complex, but it is operationally effective. The attackers rely on blending in rather than breaking in. By abusing trusted Windows components, they bypass many defenses and remain hidden long enough to cause serious damage.

This campaign highlights the importance of behavioral detection, script control, and monitoring trusted binaries, not just blocking known malware files.