Linux users are being targeted by a novel phishing campaign that uses malicious filenames in RAR archives to install the open-source VShell backdoor and evade traditional antivirus detection.
The attack starts with a phishing email disguised as an invitation to a beauty product survey, offering a small monetary reward. Attached is a RAR archive (for example, "yy.rar") that contains a file whose name is not benign text but a Bash command with a Base64-encoded payload. Simply expanding the name inside double quotes (echo "$f") only prints it; the payload runs when a script re-parses the name as shell source, for example by handing it to eval or splicing it unquoted into a string that is passed to sh -c.
The embedded payload in the filename, when triggered, downloads a second-stage script tailored to the victim’s system architecture and runs it automatically.
This script downloads an ELF binary for the appropriate Linux platform (x86, x64, ARM), which connects to a command-and-control server to fetch and decrypt the final VShell malware payload.
VShell is executed directly from memory, avoiding disk-based detection and masquerading as a kernel thread ([kworker/0:2]).
The malware can provide attackers with reverse shells, file and process management, port forwarding, and fully encrypted communications.
The main innovation in this campaign is using the filename itself as the infection vector rather than exploiting file contents or macros. Most antivirus products scan file contents, not filenames, so they miss a command payload carried in a name.
This attack demonstrates the risk of unsanitised filename handling in the automated shell scripts commonly used on Linux servers and workstations, and it is a reminder that sophisticated attackers keep finding new ways to bypass traditional endpoint defences.
VShell, the final payload, is a Remote Access Trojan written in Go and has been attributed to campaigns by Chinese state-linked hacking groups. Its ability to operate in memory and pose as a normal system process makes it difficult to detect and remove.
Unsanitised filename handling occurs when a script, command, or application uses file names directly without first checking for, or removing, potentially dangerous characters or code. The weakness is triggered when a shell script or command unsafely expands or evaluates a filename containing executable code, resulting in silent execution of malicious commands.
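To make the mechanism described above concrete (both the injection through the archived filename and the unsanitised-handling weakness it relies on), here is an added, self-constructed demonstration that is not code from the original report or from the campaign itself. It creates a file whose name carries a backtick command substitution with a Base64 payload, exactly the shape the article describes, but the decoded command is a harmless "touch marker" rather than a downloader. One handler re-parses the name with eval and runs the payload; the hardened handler treats the name as data and does not. The helper names (make_evil_file, process_unsafe, process_safe, is_suspicious_name, demo_unsafe, demo_safe) are invented for this example.

```shell
#!/bin/sh
# Added example, not from the original article or the campaign.
# All names and the payload below are constructed for illustration.

# Create one file in $1 whose NAME embeds a command substitution.
# "dG91Y2ggbWFya2Vy" is Base64 for the harmless "touch marker"; the
# real campaign carried a Base64-encoded downloader in the same slot.
make_evil_file() {
    evil='survey.pdf`printf dG91Y2ggbWFya2Vy | base64 -d | sh`'
    : > "$1/$evil"
}

# VULNERABLE: the filename is spliced into a string that is handed
# back to the shell parser, so the backtick part is executed.
process_unsafe() {
    ( cd "$1" && for f in *; do eval "echo processing $f"; done ) >/dev/null
}

# HARDENED: the name is only ever a quoted argument; printf's format
# string is fixed, so nothing in the name is re-parsed as code.
process_safe() {
    ( cd "$1" && for f in *; do printf 'processing %s\n' "$f"; done ) >/dev/null
}

# Pre-check a filename for shell metacharacters before any automation
# touches it. Returns 0 (true) when the name looks dangerous.
is_suspicious_name() {
    printf '%s' "$1" | grep -q '[`$;|&<>(){}]'
}

# Run the vulnerable handler in a scratch directory; returns 0 if the
# payload fired (the "marker" file appeared).
demo_unsafe() {
    lab="$(mktemp -d)"
    make_evil_file "$lab"
    process_unsafe "$lab"
    if [ -e "$lab/marker" ]; then rc=0; else rc=1; fi
    rm -rf "$lab"
    return "$rc"
}

# Run the hardened handler the same way; returns 0 if NO marker appeared.
demo_safe() {
    lab="$(mktemp -d)"
    make_evil_file "$lab"
    process_safe "$lab"
    if [ -e "$lab/marker" ]; then rc=1; else rc=0; fi
    rm -rf "$lab"
    return "$rc"
}

# Stand-alone run: report whether each handler let the payload execute.
if demo_unsafe; then echo "unsafe handler: payload executed"; fi
if demo_safe;   then echo "safe handler:   payload did not execute"; fi
if is_suspicious_name 'survey.pdf`id`'; then echo "pre-check: name flagged"; fi
```

The distinction to take away: an unquoted or quoted expansion of "$f" never runs code on its own; the danger is any step that feeds the expanded name back to a parser (eval, sh -c, or a command built by string concatenation). The pre-check is a defence in depth for automation that must accept files from untrusted archives; a filename containing a backtick, "$(", ";" or "|" has no legitimate reason to appear in a survey attachment.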