Find notable cyber news and cases, enriched with sources, timelines, and signals.

SHADOW#REACTOR Remcos RAT delivery chain

Malware Activity
First reported
Last updated
Happening score
H score 23
1 unique sources, 1 articles

Summary

Hide ▲

Researchers analyzed SHADOW#REACTOR, a multi-stage Windows malware campaign that uses script-based staging and in-memory loaders to quietly deliver Remcos RAT, increasing the risk of covert remote access on infected systems. The chain abuses wscript.exe and MSBuild.exe, reconstructs encoded payload fragments from remote text files, and hides activity with obfuscated VBS and PowerShell. Its design is meant to evade detection while enabling remote control, file access, and command execution.

Related Happenings

AI-generated PowerShell Active Directory reconnaissance script

Malware Activity
H score23 First: 09.07.2026 17:00 Last: 09.07.2026 17:00 Sources 1

About this happening: An **AI-generated PowerShell script** was used in a real **Windows intrusion**, showing how one-off malware can automate **Active Directory reconnaissance** and evade signature-ba...

Veil#Drop PureLog Stealer in-memory delivery operation

Malware Activity
H score30 First: 01.07.2026 17:30 Last: 01.07.2026 17:30 Sources 1

About this happening: **Veil#Drop** is delivering **PureLog Stealer** through a **fileless** chain that keeps payloads **entirely in memory**, reducing disk artifacts and raising the chance of evading...

WhatsApp VBScript infection chain installing ManageEngine RMM Central

Malware Activity
H score20 First: 23.06.2026 08:38 Last: 23.06.2026 08:38 Sources 1

About this happening: **VBScript attachments** spread through **WhatsApp direct messages** are now driving a **multi-stage Windows infection chain** that can end in remote access to victim systems. The...

OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading

Malware Activity
H score20 First: 22.06.2026 16:20 Last: 22.06.2026 16:20 Sources 1

About this happening: The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...

ESET analysis of SprySOCKS Windows variants adds IOC-backed detection guidance

Technical Analysis
H score34 First: 16.06.2026 12:00 Last: 16.06.2026 12:00 Sources 1

About this happening: **ESET** identified previously undocumented **Windows variants** of **SprySOCKS**, a backdoor attributed to **FishMonger** and linked to **I-Soon**. The **WIN_DRV** and **WIN_PLUS...

Timeline

  1. 13.01.2026 18:00 2 articles · 5mo ago

    Securonix analyzes SHADOW#REACTOR Remcos RAT delivery chain

    Initial Disclosure

    Securonix Threat Research analyzed SHADOW#REACTOR, a multi-stage Windows malware campaign that uses obfuscated VBS launched via wscript.exe, heavily encoded PowerShell in memory, remote text payload fragments, a .NET assembly protected with .NET Reactor, and MSBuild.exe to evade detection and deliver Remcos RAT for remote control, file access, command execution, and optional surveillance.

    Show sources