SHADOW#REACTOR Shows How Old Windows Scripting Still Fuels Modern Malware

A new malware campaign dissected by the Securonix Threat Research team underscores an uncomfortable truth for defenders: some of the most effective modern intrusions still rely on decades-old Windows scripting, dressed up with just enough obfuscation and in-memory trickery to stay ahead of automated detection.

Tracked as SHADOW#REACTOR, the operation delivers a familiar end goal—a fully functional Remcos remote access trojan—but the path it takes to get there is anything but simple. Instead of dropping a single executable, the attackers chain together Visual Basic Script, PowerShell, text-only payload fragments, .NET assemblies protected by commercial code-hardening software, and finally a Microsoft-signed build tool. The result is a loader framework that is modular, resilient, and deliberately hostile to static analysis.

A Loader That Refuses to Sit Still

The intrusion begins with a lightweight but heavily obfuscated VBS launcher executed through wscript.exe. On its own, the script does almost nothing visible: it suppresses errors, records its own location, and reconstructs a large, corrupted Base64 PowerShell payload entirely in memory. From the endpoint’s point of view, the most obvious signal is a scripting engine spawning PowerShell with an unusually long inline command—often from user-writable locations like the Desktop or %TEMP%.

PowerShell then takes over as the campaign’s delivery workhorse. Rather than pulling down a single binary, the stager repeatedly downloads plain-text files until they exceed a minimum size threshold, ensuring the payload is complete before execution continues. Those text files—named things like qpwoe64.txt and teste32.txt—carry encoded fragments of .NET assemblies, rebuilt only at runtime.

This “text-only” staging pipeline is not an accident. Transporting malware as UTF-8 text dramatically reduces the chance that signature-based scanners or sandboxes will correctly identify the content before it is transformed back into executable code.

Commercial Protection, Criminal Purpose

Once reconstructed, the text payload resolves into a .NET assembly wrapped with .NET Reactor, a legitimate commercial protector used by software vendors to prevent reverse engineering. In SHADOW#REACTOR, that same protection layer encrypts strings, mangles control flow, and blocks straightforward decompilation—forcing analysts to peel back layers just to see basic logic.

Inside, a central orchestrator method coordinates the rest of the attack. It decides whether to perform anti-analysis checks, whether to relaunch earlier stages, and how to retrieve additional components. Configuration data—including the final Remcos settings—is fetched from the same infrastructure, reversed, decoded, and handed off without ever being written to disk in a recognizable form.

By the time defenders can see what is happening, the malware has already pivoted away from scripts and into memory-resident .NET code.

MSBuild: The Final Disguise

The campaign’s last major trick is one security teams have seen before, but not always at this level of polish: abuse of MSBuild.exe as a living-off-the-land binary. Rather than launching the RAT directly, the loader hands execution to Microsoft’s signed build engine, passing it decoded assemblies and configuration blobs.

Running under the guise of a trusted Windows component, the final stage blends into legitimate system activity while Remcos takes control—enabling remote desktop access, file manipulation, command execution, and optional surveillance features.

At that point, SHADOW#REACTOR has done its job. Every earlier stage exists solely to make sure that this handoff happens quietly and reliably.

Why This Matters

What makes SHADOW#REACTOR notable isn’t the payload—it’s the operational discipline. The attackers combine older scripting techniques with modern obfuscation, reflective loading, and LOLBin abuse to create a self-healing chain that can survive partial disruption and frustrate rapid triage.

For defenders, the lesson is blunt. Chasing malware families alone isn’t enough. Visibility into scripting engines, process chains like wscript.exe → powershell.exe → msbuild.exe, and unusual outbound network activity from those processes matters more than ever. Text-based staging, in-memory .NET loading, and abuse of trusted Windows binaries are no longer edge cases—they’re the baseline.

SHADOW#REACTOR shows how far commodity malware has evolved. The tools may be old. The tradecraft is not.