Trellix researchers have uncovered a new Linux infection technique where malicious code is embedded in filenames in RAR archives, allowing attackers to bypass antivirus checks and deliver the VShell backdoor.

The attack begins with a phishing email carrying the attachment yy.rar, disguised as a survey that promises a monetary reward. Inside the archive is a file whose maliciously crafted name contains a Base64-encoded Bash command. When a Linux shell interprets the filename, the embedded command is executed. Extracting the archive by itself does not trigger the infection; it occurs only when the filename is processed by a script or command. The command downloads a script, which in turn fetches an ELF binary for the device architecture (x86, ARM, etc.); that binary contacts the C2 server and loads the VShell backdoor. This Go-based tool provides remote access, control over processes, files and ports, and encrypted communication.
The danger of the method lies in its ability to bypass traditional protections: antivirus products do not check file names, so the attack remains unnoticed. VShell runs in memory, leaving no traces on disk, which makes detection even more difficult.
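As an added defender-side example (not code from Trellix or the article), the following Python checker flags archive member names that carry shell metacharacters, Base64-like blobs or decode-and-execute keywords before any script processes them, and shows the quoting that keeps a hostile name inert when it must be passed to a shell. The sample listing is constructed and does not reproduce the real yy.rar contents.

```python
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Characters that let a filename escape an unquoted expansion such as
# `for f in $(ls)` or `eval "... $name"` and start a new command.
SHELL_METACHARS = re.compile(r"[;&|`]|\$\(|\$\{|\n")

# A Base64-looking run long enough to hold a command (heuristic: long
# alphanumeric names such as hashes will also match and need review).
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# Decode-and-run fragments: `base64 -d`, `| sh`, `| bash`, `eval`.
DECODE_EXEC = re.compile(r"base64\s+(-d|--decode)|\|\s*(ba)?sh\b|\beval\b")


@dataclass
class Finding:
    name: str
    reasons: List[str]


def inspect_filename(name: str) -> Optional[Finding]:
    """Return a Finding if the name looks like a shell-injection carrier."""
    reasons = []
    if SHELL_METACHARS.search(name):
        reasons.append("shell metacharacters")
    if DECODE_EXEC.search(name):
        reasons.append("decode/execute keywords")
    if B64_BLOB.search(name):
        reasons.append("base64-like blob")
    return Finding(name, reasons) if reasons else None


def scan_listing(names: List[str]) -> List[Finding]:
    """Scan an archive listing (e.g. the output of `unrar l`) for findings."""
    return [f for f in (inspect_filename(n) for n in names) if f]


def safe_shell_arg(name: str) -> str:
    """Quote a filename so a shell treats it as one literal argument."""
    return shlex.quote(name)


# Constructed sample listing; the Base64 decodes to a harmless `echo`.
SAMPLE = [
    "survey.pdf",
    "photo 2024 (1).jpg",
    "survey.pdf;echo ZWNobyBoZWxsbyB3b3JsZA==|base64 -d|sh",
    "report;id.txt",
]

if __name__ == "__main__":
    for finding in scan_listing(SAMPLE):
        print(finding.name, "->", ", ".join(finding.reasons))
```

Shell scripts that handle extracted files should quote every expansion ("$f") and use `find ... -print0 | xargs -0` rather than parsing `ls` output, so that a crafted name is never re-parsed as code.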
VShell has long been used by Chinese APT groups, including UNC5174, to spy on and control compromised systems. The new technique demonstrates the evolution of Linux malware delivery methods that combine social engineering, creative use of command injection, and scaling attacks to different architectures. In parallel, Picus Security researchers described another tool, RingReaper, which abuses the Linux kernel io_uring interface to hide activity and escalate privileges. Both threats demonstrate a trend of using new Linux features to bypass traditional protections.
The VShell incident shows that even filenames can become an attack vector when systems are not protected against it. Businesses and Linux administrators need to pay attention not only to software updates but also to thorough attachment scanning, and to deploy behavioral defenses. The increasing complexity of Linux threats requires intelligent defense strategies, as classic scanning methods are no longer sufficient. In summary, a new Linux malware is distributed via RAR archives with code embedded in filenames, allowing it to bypass antivirus checks and deliver the VShell backdoor; the technique described by Trellix combines social engineering, Base64-encoded commands and shell injection, after which an ELF binary is loaded and the backdoor runs in memory to give the attacker remote access.