
Attackers Exploit Shell Loops With Malicious RAR Filenames


A new Linux attack chain abuses malicious RAR filenames to trigger Bash commands during routine scripting, bypassing tools that don’t scan names. The campaign downloads an ELF loader matched to the host’s architecture and runs the VShell backdoor in memory, researchers said—an evasion that threatens servers, IoT and cloud workloads.

Security researchers have uncovered a Linux-specific phishing campaign that hides its trigger not in a file, but in the filename of a RAR archive entry—turning routine shell handling into remote code execution and delivering a memory-only VShell backdoor that many antivirus tools won’t catch.

What Happened

  • Entry point: Spam email with a .rar attachment (“yy.rar”) built around a fake beauty-product survey lure that promises a small cash reward.
  • Trigger: A weaponized filename such as ziliao2.pdf`{echo,<base64>}|{base64,-d}|bash`. The backticks are shell command substitution, and {echo,<base64>} is bash brace expansion that yields echo <base64> without putting a space in the name. It fires when a script re-parses the expanded filename, for example through eval or sh -c, rather than merely printing a quoted variable.
  • Payload: An architecture-aware loader (x86_64, i386/i686, armv7l, aarch64) retrieves and decrypts VShell and runs it from memory.

“The payload isn’t hidden inside the file content… it’s encoded directly in the filename,” said Trellix researcher Sagar Bade.

Traditional defenses miss this because “antivirus engines don’t typically scan file names,” the research notes.

Who Is Affected

Linux servers, developer workstations, cloud instances and IoT/ARM devices are at risk due to the campaign’s multi-architecture support and memory-resident execution that avoids disk indicators.

Technical Analysis

Attack vector & chain

  1. Spearphishing attachment delivers the RAR archive.
  2. The user or an automated job extracts it.
  3. A script re-parses the expanded filename, e.g. for f in *; do eval "echo $f"; done.
  4. The embedded Base64 Bash one-liner runs.
  5. An ELF loader matching the host architecture is fetched.
  6. The loader contacts C2, XOR-decrypts the payload in memory, and launches VShell via fexecve(), masquerading as [kworker/0:2].
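The trigger in steps 2 to 4, reproduced as an added example with a harmless payload (this is not Trellix's code or a campaign sample). The sample filename is constructed: it uses the same backtick-plus-brace-expansion trick as the real one, but runs touch pwned instead of decoding and piping a Base64 blob into bash. The vulnerable loop re-parses the name with eval; the safe loop only prints the quoted variable.

```shell
# Added example (not from the Trellix report): show why eval on an
# extracted filename executes code, and that a quoted expansion does not.
# Constructed sample name: backticks are command substitution and bash brace
# expansion turns {touch,pwned} into "touch pwned" with no space in the name.
# The campaign's samples carried {echo,<base64>}|{base64,-d}|bash instead.
MALICIOUS_NAME='ziliao2.pdf`{touch,pwned}`'

# Create a scratch "extracted archive" directory holding the sample name.
make_sample_dir() {
  dir=$(mktemp -d)
  touch "$dir/$MALICIOUS_NAME" "$dir/notes.txt"
  printf '%s\n' "$dir"
}

# Vulnerable pattern: eval re-parses the expanded name, so the backticks run.
# Explicitly bash, because the brace trick relies on bash brace expansion.
vulnerable_loop() {
  bash -c 'cd "$1" && for f in *; do eval "echo $f"; done' _ "$1" >/dev/null
}

# Safe pattern: quote the expansion and never hand names to eval or sh -c.
safe_loop() {
  bash -c 'cd "$1" && for f in *; do printf "%s\n" "$f"; done' _ "$1" >/dev/null
}

# Prints "yes" when the payload's marker file appeared, "no" otherwise.
payload_fired() {
  if [ -e "$1/pwned" ]; then echo yes; else echo no; fi
}

# Each demo builds a fresh directory, runs one loop, reports, and cleans up.
run_vulnerable_demo() {
  d=$(make_sample_dir); vulnerable_loop "$d"
  r=$(payload_fired "$d"); rm -rf "$d"; echo "$r"
}
run_safe_demo() {
  d=$(make_sample_dir); safe_loop "$d"
  r=$(payload_fired "$d"); rm -rf "$d"; echo "$r"
}

run_vulnerable_demo   # yes: the filename created ./pwned during the loop
run_safe_demo         # no
```

Note that the unquoted `echo $f` alone is not what runs the command: word splitting of an expansion result never triggers command substitution. It is the second parse by eval (or sh -c, or building a command string that is later executed) that turns the name into code.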

Key evasion behaviors

  • Filename-based command injection during shell loops;
  • In-memory execution (fileless) and kernel-thread masquerading;
  • Multiple fallback run paths (e.g., writable system dirs) and background execution (nohup) to reduce visibility.

MITRE ATT&CK (per Trellix)

  • T1566.001 Spearphishing Attachment (Initial Access)
  • T1059.004 Command and Scripting Interpreter: Unix Shell (Execution)
  • T1204.002 Malicious File (Execution)
  • T1036 Masquerading (Defense Evasion)
  • T1027 Obfuscated Files or Information (Defense Evasion)
  • T1071.001 Web Protocols (C2)
  • T1105 Ingress Tool Transfer (C2/Execution)

Malware/Actor
The final payload is VShell, a Go-based RAT used by several Chinese-aligned groups, including UNC5174 in prior reporting; the actor behind this specific campaign is unknown.

“A simple filename becomes a launchpad for full compromise when scripts skip input sanitization,” said Sagar Bade, Trellix.

“Instead of standard syscalls, RingReaper uses io_uring to dodge hooks—part of a broader Linux stealth trend,” said Sıla Özeren Hacıoğlu of Picus Security.

“Archive-borne attacks have matured; treat filename handling as untrusted input, just like user data,” said El Mostafa Ouchen, cybersecurity author and analyst.

Impact & Response

  • Operational risk: Memory-only backdoors with encrypted C2 hinder forensics and extend dwell time.
  • Detection gaps: Many AV/EDR tools analyze neither filenames nor the shell expansions that consume them by default.
  • Immediate actions:
    • Hunt for filenames containing shell metacharacters (backticks, $(, |, ;, comma-separated brace groups) in extracted archives, upload directories and logs; list archive entries before extracting them.
    • Grep automation, backup and audit scripts for unsafe constructs (eval, sh -c, unquoted $f) and quote every expansion.
    • Egress filter/alert on HTTP GETs to unknown hosts whose URLs carry architecture strings (x86_64, i386, armv7l, aarch64); monitor for fexecve() and for processes named [kworker/*] that have a non-empty /proc/<pid>/cmdline, which a genuine kernel thread never does.
  • Vendor detections: Trellix lists specific signatures and EDR analytics for the chain.
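Two of the immediate actions above, written out as an added example (not Trellix's detections or signatures): a filter that flags names carrying shell metacharacters, fed from find output or from an archive listing, and a /proc sweep for userland processes posing as kernel worker threads. The listing passed to count_flagged is constructed for illustration, and the unrar lb usage in the comment assumes the unrar CLI is installed.

```shell
# Added example (not from the Trellix report): two hunting helpers.
# Assumes a POSIX shell with GNU grep.

# Flag names that carry shell metacharacters: backticks, $( or ${, pipes,
# semicolons, or a comma-separated brace group (bash brace expansion).
# Reads one name per line on stdin, so it works on `find DIR -print` output
# or on a bare archive listing (e.g. unrar lb yy.rar) before extraction.
flag_suspicious_names() {
  LC_ALL=C grep -E '`|\$[({]|[|;]|\{[^}]*,[^}]*\}' || true
}

# Count how many of the given names are flagged (handy for a quick triage).
count_flagged() {
  printf '%s\n' "$@" | flag_suspicious_names | wc -l | tr -d ' '
}

# Sweep /proc for userland processes posing as kernel worker threads.
# A genuine kworker has an empty /proc/<pid>/cmdline; a process that renamed
# itself "[kworker/0:2]" still exposes its real argv there. Note that proc
# files report size 0, so the content is read rather than tested with -s.
fake_kworkers() {
  for p in /proc/[0-9]*; do
    comm=$(cat "$p/comm" 2>/dev/null) || continue
    case "$comm" in
      kworker*|\[kworker*)
        if [ -n "$(tr -d '\0' < "$p/cmdline" 2>/dev/null)" ]; then
          printf '%s %s\n' "${p#/proc/}" "$comm"
        fi ;;
    esac
  done
  return 0
}

# Constructed listing: two benign names, one campaign-style name, one $( ) name.
count_flagged 'notes.txt' 'report final.pdf' \
  'ziliao2.pdf`{echo,aGk=}|{base64,-d}|bash`' 'x$(id).txt'   # 2
fake_kworkers   # prints "<pid> <comm>" per impostor; nothing on a clean host
```

The filename filter will also catch legitimate but unusual names, so treat hits as triage input rather than alerts. The /proc sweep is cheap enough to run from cron; pair it with the fexecve() telemetry mentioned above, since the masquerade and the memory-only launch appear together in this chain.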

Background

Filename and archive abuse is resurging across platforms. Separate recent reporting showed WinRAR CVE-2025-8088 being exploited in Windows environments, underscoring a wider trend of archive-borne initial access—though the Linux filename-injection technique here is distinct and exploits no software vulnerability, only unsafe shell handling of untrusted names.

The Hacker News article also highlights RingReaper, a Linux post-exploit tool using io_uring to evade monitoring—evidence that attackers are leaning on Linux “living-off-the-land” features for stealth.

What’s Next

Trellix’s findings suggest more filename-trigger experiments and generalized fileless loaders targeting Linux. Expect mitigations to focus on shell-safe coding, enhanced archive inspection, and memory-centric telemetry. Organizations should review CI/CD and maintenance scripts, and vendors may expand filename and process-in-memory analytics.

Sources

  • The Hacker News — Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection, Aug. 22, 2025.
  • Trellix — The Silent, Fileless Threat of VShell (technical analysis).
  • Tom’s Hardware — WinRAR CVE-2025-8088 exploited; manual update required (context).
