CyberHappenings logo
☰
🏠 Home πŸ“‚ Browse ℹ️ About

Track cybersecurity events as they unfold. Sourced timelines, daily updates. Fast, privacy‑respecting. No ads, no tracking.

VShell Linux Malware Delivered via Malicious RAR Filenames

First reported
Last updated
πŸ“° 1 unique sources, 1 articles

Summary

Hide β–²

A phishing campaign delivers VShell Linux malware through malicious RAR filenames. The attack leverages Base64-encoded Bash payloads in filenames to evade antivirus detection and execute arbitrary code. The malware targets a wide range of Linux devices and operates entirely in-memory, avoiding disk-based detection. The campaign starts with phishing emails disguised as invitations for a beauty product survey. The emails contain a RAR archive with a maliciously crafted filename that executes commands when parsed by a shell script. The payload retrieves an ELF binary from an external server, which then communicates with a command-and-control server to obtain and execute the VShell payload. VShell is a Go-based remote access tool used by Chinese hacking groups for full remote control over the system. The attack chain exploits command injection in shell loops and abuses Linux's permissive execution environment.

Timeline

  1. 22.08.2025 17:31 πŸ“° 1 articles Β· ⏱ 25d ago

    VShell Linux Malware Delivered via Malicious RAR Filenames

    A phishing campaign delivers VShell Linux malware through malicious RAR filenames. The attack leverages Base64-encoded Bash payloads in filenames to evade antivirus detection and execute arbitrary code. The malware targets a wide range of Linux devices and operates entirely in-memory, avoiding disk-based detection. The campaign starts with phishing emails disguised as invitations for a beauty product survey. The emails contain a RAR archive with a maliciously crafted filename that executes commands when parsed by a shell script. The payload retrieves an ELF binary from an external server, which then communicates with a command-and-control server to obtain and execute the VShell payload. VShell is a Go-based remote access tool used by Chinese hacking groups for full remote control over the system. The attack chain exploits command injection in shell loops and abuses Linux's permissive execution environment.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

FileFix Attack Using Steganography to Deploy StealC Infostealer

A new FileFix social engineering campaign impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The attack uses steganography to hide malicious scripts and executables within a JPG image. The campaign targets various credentials, cryptocurrency wallets, and cloud services. The FileFix technique abuses the File Explorer address bar to execute PowerShell commands, bypassing traditional detection methods. The attack was discovered by Acronis and observed over a two-week period, with multiple variants using different payloads and domains. The StealC malware aims to steal sensitive information from infected devices, including browser credentials, messaging app data, and cryptocurrency wallets. The FileFix technique was created by red team researcher mr.d0x and has been previously used by the Interlock ransomware gang. The attack uses a multilingual phishing site to trick users into copying and pasting a malicious command into the File Explorer address bar. The campaign abuses Bitbucket repositories to host malicious components, leveraging trust in the platform to bypass detection. The FileFix campaign is the most widespread, customized, and sophisticated to date, targeting users in over 16 countries. The phishing site has been translated into at least 16 different languages. The attack chain involves a phishing email impersonating Facebook security, warning users of account suspension. The attack uses AI-generated images in the steganography process. The FileFix technique is more elegant and less suspicious than ClickFix, using File Explorer instead of the Run dialog. The FileFix attack offers a broader range of high-value targets due to its use of File Explorer. Security researcher Eliad Kimhy predicts an increase in FileFix attacks in the near future.

Open in new tab

Resurfaced ChillyHell macOS Backdoor Discovered

A new version of the ChillyHell modular backdoor malware targeting macOS has been discovered. The malware, first seen in 2022, was used in attacks against Ukrainian officials and has now resurfaced with updated capabilities. ChillyHell provides remote access, payload delivery, and password brute-forcing. The malware was notarized by Apple in 2021 and has been publicly hosted on Dropbox since then. The malware disguises itself as an executable applet and deploys as a persistent backdoor, capable of retrieving sensitive data and evading detection. It employs multiple persistence mechanisms and can communicate over different protocols. It also features timestamping to cover its tracks. Apple has revoked the notarization of the developer certificates associated with the malware after being notified. ChillyHell is written in C++ and targets Intel architectures. It is attributed to an uncategorized threat cluster dubbed UNC4487, which has been active since at least October 2022. UNC4487 is suspected to be an espionage actor targeting Ukrainian government entities.

Open in new tab

MostereRAT Malware Campaign Targets Japanese Windows Users

A new malware campaign involving MostereRAT, a banking malware-turned-remote access Trojan (RAT), has been identified. This campaign uses sophisticated evasion techniques, including the use of an obscure programming language, disabling of security tools, and mutual TLS (mTLS) for command-and-control communications to maintain long-term access to compromised systems. The malware targets Microsoft Windows users in Japan, deploying through phishing emails and weaponized Word documents. MostereRAT's capabilities include persistence, privilege escalation, AV evasion, and remote access tool deployment. The campaign highlights the importance of removing local administrator privileges and blocking unapproved remote access tools. The malware's design reflects long-term, strategic, and flexible objectives, with capabilities to extend functionality, deploy additional payloads, and apply evasion techniques. These features point to an intent to maintain persistent control over compromised systems, maximize the utility of victim resources, and retain ongoing access to valuable data.

Open in new tab

Phishing campaign using SVG files to deploy Base64-encoded pages

A new malware campaign has been identified using Scalable Vector Graphics (SVG) files to deploy phishing pages. The SVG files, distributed via email, impersonate the Colombian judicial system and execute a JavaScript payload to inject a Base64-encoded HTML phishing page. This page mimics an official government document download process while downloading a ZIP archive in the background. The campaign has been active since at least August 14, 2025, and includes 523 unique SVG files that have evaded antivirus detection. The campaign is part of a broader trend where attackers are targeting macOS users with information stealers like Atomic macOS Stealer (AMOS). This stealer can exfiltrate a wide range of sensitive data, including credentials, browser data, and cryptocurrency wallets. The attackers use cracked software and ClickFix-style tactics to lure users into infecting their systems, bypassing macOS's Gatekeeper protections.

Open in new tab

AI-Powered Ransomware 'PromptLock' Under Development

A new AI-powered ransomware strain named 'PromptLock' has been discovered by ESET researchers. This ransomware uses an AI model to generate scripts on the fly, making it difficult to detect. The malware is currently in development and has not been observed in active attacks. It is designed to exfiltrate files, encrypt data, and potentially destroy files. The ransomware was uploaded to VirusTotal from the United States and is written in the Go programming language, with variants for Windows, Linux, and macOS systems. The Bitcoin address associated with PromptLock appears to belong to Satoshi Nakamoto. PromptLock uses the SPECK 128-bit encryption algorithm to lock files and can generate custom notes based on the files affected and the type of infected machine.

Open in new tab