
Linux malware campaign exploits malicious RAR filenames


Linux users are being targeted by a novel phishing campaign that uses malicious filenames in RAR archives to install the open-source VShell backdoor and evade traditional antivirus detection.


What happened

The attack starts with a phishing email disguised as an invitation to a beauty product survey, offering a small monetary reward. Attached is a RAR archive (for example, “yy.rar”) containing a file whose name is not benign text but a Bash one-liner that decodes a Base64-encoded command and runs it. Extracting or listing the archive does nothing by itself; the payload runs when a script re-parses the filename as shell code, for example by passing it through “eval” or by interpolating it into a command string handed to “sh -c”. An unquoted “echo $f” on its own only word-splits and globs the name; the danger is any step that evaluates it.


Go deeper

The embedded payload in the filename, when triggered, downloads a second-stage script tailored to the victim’s system architecture and runs it automatically.

This script downloads an ELF binary for the appropriate Linux platform (x86, x64, ARM), which connects to a command-and-control server to fetch and decrypt the final VShell malware payload.

VShell is executed directly from memory, avoiding disk-based detection and masquerading as a kernel thread ([kworker/0:2]).

The malware can provide attackers with reverse shells, file and process management, port forwarding, and fully encrypted communications.


The intrigue

The main innovation in this campaign is using the filename itself as the infection vector, rather than relying on exploiting file contents or macros. This method:

  • Bypasses most antivirus engines, which do not check filenames for executable code.
  • Relies on common but unsafe scripting patterns in Linux environments.
  • Delivers the payload completely in memory, leaving little forensic evidence on disk.


Why it matters

This attack demonstrates the risks of unsanitised filename handling in the automated shell scripts (cron jobs, extraction hooks, file-ingestion pipelines) commonly used on Linux servers and workstations. It is a reminder that sophisticated attackers keep finding new ways to bypass traditional endpoint defences.

VShell, the final payload, is a Remote Access Trojan written in Go and has been attributed to campaigns by Chinese state-linked hacking groups. Its ability to operate in-memory and pose as a normal system process makes it difficult to detect and remove.


FAQs

What is command injection via filename?

It occurs when a shell script or command unsafely expands or evaluates a filename containing executable code, resulting in silent execution of malicious commands.


Why doesn’t traditional antivirus catch this attack?

Most antivirus products scan file contents and not filenames, so they miss malware embedded as command payloads in names.


What is unsanitised filename handling?

Unsanitised filename handling occurs when a script, command, or application takes a file name straight from untrusted input (an archive, an upload, a mounted share) and re-parses it as code, or passes it unquoted into a shell, without first checking it against a strict allowlist of permitted characters. Quoting every expansion, never using “eval” or “sh -c” with an interpolated name, and rejecting names that contain shell metacharacters are the practical defences.
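The mechanism described under “What happened” and in this FAQ, as an added example; this is not the page’s or the campaign’s code. The stand-in filename (“survey.pdf” followed by a backtick substitution), the marker file, and the function names are constructed for the demonstration, and the decoded command only creates a marker file. It assumes a Linux host with GNU coreutils (base64, tr, mktemp). One detail is specific to this constructed example: the standard Base64 alphabet contains ‘/’, which a Linux filename cannot hold, so the name carries ‘/’ as ‘_’ and restores it with tr (using the octal escape \057 so that no ‘/’ appears in the name) before decoding.

```bash
#!/usr/bin/env bash
# Added example, not from the page or the campaign: a filename that carries shell
# command-substitution syntax executes only when a script re-parses the name
# (eval, sh -c "... $f"); quoted expansion without eval is safe; an allowlist
# check flags such names before anything else touches them.
set -u

# Constructed stand-in for the malicious name. Like the campaign's, it wraps a
# Base64-encoded bash command in backticks; unlike the campaign's, the decoded
# command only creates a marker file. '/' is swapped for '_' because a filename
# cannot contain '/', and tr restores it via the octal escape \057 before decoding.
make_payload_name() {
  local marker="$1" b64 dec
  b64=$(printf "touch '%s'" "$marker" | base64 | tr -d '\n' | tr / _)
  dec="tr _ '\\057'|base64 -d|bash"
  printf '%s' "survey.pdf\`echo $b64|$dec\`"
}

# VULNERABLE: the name is interpolated into a string that eval re-parses as shell
# code, so the backtick substitution inside it runs. sh -c "cmd $f" and
# xargs -I{} sh -c "cmd {}" fail the same way.
process_eval() {
  local dir="$1" f
  for f in "$dir"/*; do
    eval "echo Processing: $f"
  done
}

# Sloppy (word splitting, globbing) but NOT sufficient to trigger the payload:
# the shell does not perform command substitution on the result of expanding $f.
process_unquoted() {
  local dir="$1" f
  for f in "$dir"/*; do
    echo Processing: $f
  done
}

# SAFE: the name only ever travels as a quoted argument and is never re-parsed.
process_quoted() {
  local dir="$1" f
  for f in "$dir"/*; do
    printf 'Processing: %s\n' "$f"
  done
}

# Allowlist check for any name that will later reach code you do not control.
# Returns 0 only if the basename consists of [A-Za-z0-9._-] and does not start
# with '.' or '-' (leading '-' would be parsed as an option by most tools).
is_safe_name() {
  local base
  base=$(basename -- "$1")
  case "$base" in
    ''|.*|-*)           return 1 ;;
    *[!A-Za-z0-9._-]*)  return 1 ;;
    *)                  return 0 ;;
  esac
}

# Runs the three handlers over a directory holding one constructed payload file.
# Returns 0 if only the eval-based handler executed the payload and the
# allowlist check rejected the name; returns 1 otherwise.
demo() {
  local dir marker name
  dir=$(mktemp -d)
  marker="$dir/PWNED"
  name=$(make_payload_name "$marker")
  touch -- "$dir/$name"

  process_quoted "$dir" >/dev/null
  [ ! -e "$marker" ] || { rm -rf -- "$dir"; return 1; }
  process_unquoted "$dir" >/dev/null
  [ ! -e "$marker" ] || { rm -rf -- "$dir"; return 1; }
  process_eval "$dir" >/dev/null
  [ -e "$marker" ] || { rm -rf -- "$dir"; return 1; }
  is_safe_name "$dir/$name" && { rm -rf -- "$dir"; return 1; }

  rm -rf -- "$dir"
  return 0
}
```

Calling demo returns 0 when only the eval-based handler created the marker file. The same distinction applies to find: `find … -exec cmd {} \;` hands the name to cmd as a direct argument and is safe, whereas `find … | xargs -I{} sh -c "cmd {}"` splices the name into a string that a shell re-parses and is not.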

