VShell Linux malicious RAR filename delivery activity
Malware Activity
Summary
The VShell backdoor is being delivered to Linux hosts through a phishing email whose RAR attachment carries a crafted filename that injects a shell command. The chain matters for two reasons. First, the archive's file content is benign; the malicious code lives in the filename, which ordinary attachment scanning does not treat as code, so the attachment passes content-based checks. Second, the filename is only dangerous when a shell re-parses it (a script that echoes, logs or otherwise handles extracted filenames through `eval` or `sh -c` without quoting), and at that point the injected command fetches a downloader and the final VShell payload runs in memory, which sidesteps disk-based detection and gives the operator full remote control of the host.
Timeline
22.08.2025 17:31 · 1 article
Survey-themed phishing email delivers VShell through malicious RAR filename
Initial Disclosure: A Linux-specific malware delivery chain uses phishing emails disguised as a beauty product survey offering a 10 RMB reward, with a RAR attachment named yy.rar. The archive contains a file whose name embeds a shell command substitution, so the injection fires when a shell parses the filename rather than when the file itself is opened. Once parsed, Base64-encoded Bash payloads in the name launch a downloader that fetches an architecture-specific ELF binary; that binary contacts a command-and-control server, retrieves the encrypted VShell backdoor, decodes it and executes it in memory on the Linux host.
- Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection — thehackernews.com — 22.08.2025 17:31
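The summary and the disclosure entry above describe the mechanism in prose: a RAR entry name that contains a shell command substitution does nothing on extraction, but executes as soon as a careless script re-parses the name through the shell. The script below is an added demonstration written for this page, not code from the campaign or from the cited report. The filename, the directory layout and the injected command (a `touch` that leaves a marker file instead of a downloader) are all constructed; the real entry name and its Base64 payload are not reproduced here. It shows the vulnerable loop beside the corrected one and a small pre-extraction check that flags archive entry names carrying shell metacharacters.

```bash
#!/usr/bin/env bash
# Added demonstration of shell command injection via a crafted filename.
# Constructed example: the filename and the injected command are assumptions
# for illustration and are not the campaign's actual artefacts.

set -u

# Create a scratch directory holding one file whose NAME contains a command
# substitution. The single quotes keep the shell from expanding it here, so
# merely creating (or extracting) the file is harmless.
make_sample_dir() {
  local dir
  dir=$(mktemp -d)
  : > "$dir"/'report.pdf$(touch pwned)'   # constructed malicious entry name
  printf '%s' "$dir"
}

# VULNERABLE: the filename is fed back into the shell parser. Scripts that do
# eval "..." or sh -c "cmd $f" on extracted names behave the same way. The
# substitution runs and the marker file 'pwned' appears in the directory.
vulnerable_process() {
  local dir=$1 f
  ( cd "$dir" && for f in *; do
      eval "echo scanning $f" >/dev/null   # $f expands, then eval re-parses it
    done )
}

# SAFE: the name is only ever passed as a quoted argument. printf receives the
# literal string 'report.pdf$(touch pwned)' and nothing is executed.
safe_process() {
  local dir=$1 f
  ( cd "$dir" && for f in *; do
      printf 'scanning %s\n' "$f" >/dev/null
    done )
}

# Pre-extraction check on an archive listing: any entry name carrying command
# substitution or parameter expansion syntax has no business in a document
# archive. Returns 0 (true) when the name looks like an injection attempt.
suspicious_name() {
  case $1 in
    *'`'*|*'$('*|*'${'*) return 0 ;;
  esac
  return 1
}

# Stand-alone run: show both loops against the same directory.
demo() {
  local dir
  dir=$(make_sample_dir)
  vulnerable_process "$dir"
  [ -e "$dir/pwned" ] && echo "vulnerable loop: injected command ran"
  rm -f "$dir/pwned"
  safe_process "$dir"
  [ -e "$dir/pwned" ] || echo "safe loop: nothing executed"
  rm -rf "$dir"
}
demo
```

In practice the check belongs before extraction: list the archive (for example with `unrar lb` or `7z l`), run each entry name through `suspicious_name`, and quarantine the archive if any name matches, since by the time a filename reaches a processing script the only remaining defence is correct quoting.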