SHADOW#REACTOR Remcos RAT delivery chain
Malware Activity
Summary
Hide ▲
Show ▼
Researchers analyzed SHADOW#REACTOR, a multi-stage Windows malware campaign that uses script-based staging and in-memory loaders to quietly deliver Remcos RAT, increasing the risk of covert remote access on infected systems. The chain abuses wscript.exe and MSBuild.exe, reconstructs encoded payload fragments from remote text files, and hides activity with obfuscated VBS and PowerShell. Its design is meant to evade detection while enabling remote control, file access, and command execution.
Related Happenings
AI-generated PowerShell Active Directory reconnaissance script
Malware Activity
H score23
First: 09.07.2026 17:00
Last: 09.07.2026 17:00
Sources 1
About this happening:
An **AI-generated PowerShell script** was used in a real **Windows intrusion**, showing how one-off malware can automate **Active Directory reconnaissance** and evade signature-ba...
AI-generated PowerShell Active Directory reconnaissance script
Malware ActivityAbout this happening: An **AI-generated PowerShell script** was used in a real **Windows intrusion**, showing how one-off malware can automate **Active Directory reconnaissance** and evade signature-ba...
Veil#Drop PureLog Stealer in-memory delivery operation
Malware Activity
H score30
First: 01.07.2026 17:30
Last: 01.07.2026 17:30
Sources 1
About this happening:
**Veil#Drop** is delivering **PureLog Stealer** through a **fileless** chain that keeps payloads **entirely in memory**, reducing disk artifacts and raising the chance of evading...
Veil#Drop PureLog Stealer in-memory delivery operation
Malware ActivityAbout this happening: **Veil#Drop** is delivering **PureLog Stealer** through a **fileless** chain that keeps payloads **entirely in memory**, reducing disk artifacts and raising the chance of evading...
WhatsApp VBScript infection chain installing ManageEngine RMM Central
Malware Activity
H score20
First: 23.06.2026 08:38
Last: 23.06.2026 08:38
Sources 1
About this happening:
**VBScript attachments** spread through **WhatsApp direct messages** are now driving a **multi-stage Windows infection chain** that can end in remote access to victim systems. The...
WhatsApp VBScript infection chain installing ManageEngine RMM Central
Malware ActivityAbout this happening: **VBScript attachments** spread through **WhatsApp direct messages** are now driving a **multi-stage Windows infection chain** that can end in remote access to victim systems. The...
OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading
Malware Activity
H score20
First: 22.06.2026 16:20
Last: 22.06.2026 16:20
Sources 1
About this happening:
The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...
OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading
Malware ActivityAbout this happening: The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...
ESET analysis of SprySOCKS Windows variants adds IOC-backed detection guidance
Technical Analysis
H score34
First: 16.06.2026 12:00
Last: 16.06.2026 12:00
Sources 1
About this happening:
**ESET** identified previously undocumented **Windows variants** of **SprySOCKS**, a backdoor attributed to **FishMonger** and linked to **I-Soon**. The **WIN_DRV** and **WIN_PLUS...
ESET analysis of SprySOCKS Windows variants adds IOC-backed detection guidance
Technical AnalysisAbout this happening: **ESET** identified previously undocumented **Windows variants** of **SprySOCKS**, a backdoor attributed to **FishMonger** and linked to **I-Soon**. The **WIN_DRV** and **WIN_PLUS...
Timeline
-
13.01.2026 18:00 2 articles · 5mo ago
Securonix analyzes SHADOW#REACTOR Remcos RAT delivery chain
Initial DisclosureSecuronix Threat Research analyzed SHADOW#REACTOR, a multi-stage Windows malware campaign that uses obfuscated VBS launched via wscript.exe, heavily encoded PowerShell in memory, remote text payload fragments, a .NET assembly protected with .NET Reactor, and MSBuild.exe to evade detection and deliver Remcos RAT for remote control, file access, command execution, and optional surveillance.
Show sources
- SHADOW#REACTOR Campaign Uses Text-Only Staging to Deploy Remcos RAT — www.infosecurity-magazine.com — 13.01.2026 18:00
- SHADOW#REACTOR Campaign Uses Text-Only Staging to Deploy Remcos RAT — www.infosecurity-magazine.com — 13.01.2026 18:00