Novel Linux Malware Exploits Shell Command Injection via Crafted File Names

Cybersecurity researchers have uncovered a new Linux malware campaign that uses shell command injection to deliver an open-source backdoor called VShell. The attackers send phishing emails carrying a malicious RAR archive whose member file has a Base64-encoded Bash payload embedded in its name. Nothing is hidden in the file's contents; the name itself is the payload, and it runs as soon as a shell script on the victim's system evaluates that name as code rather than handling it as plain data. Listing the directory with ls does not do this on its own; a script that echoes or evals unquoted file names does.

The technique abuses a mistake that is common in shell scripts: a file name is interpolated into a command string and handed to eval, or otherwise re-parsed by the shell, without sanitization. A name that contains a command substitution (backticks or a dollar-parenthesis form) then executes whatever it carries, and a line as trivial as an eval of an echo over the file name is enough to trigger it. Antivirus engines typically scan file contents rather than file names, so the payload draws little attention.

The email carries a RAR archive containing a file whose name incorporates Bash-compatible code, and that code runs when a shell on the victim's machine evaluates the name. The victim has to extract the archive manually first, and even then nothing executes until a shell script or command processes the extracted file name unsafely; extracting the archive or listing the directory with ls does not, by itself, trigger it.
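To make the mechanism concrete, here is an added example written for this page, not code from Trellix or from the malware sample. It builds a harmless file name in the same shape (a document-looking name followed by a backtick substitution that decodes Base64 and pipes it to sh), runs it through a script that evaluates names with eval and therefore executes it, runs it through a script that treats the same name as data, and adds a small triage check for names carrying shell metacharacters. The file name, the marker payload and all function names are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the Trellix report or the malware sample): a benign
# stand-in for a RAR member whose *name* carries a Base64-encoded shell
# payload, plus the script pattern that runs it and the one that does not.
# Names, paths and the payload below are constructed for the demo.

# Drop a file into $1 whose name ends with a backtick command substitution.
# The substitution decodes the Base64 text and pipes it to sh, mirroring the
# shape of the reported file names; the demo payload only creates a marker
# file named "executed" so we can tell whether it ran.
plant_sample() {
    payload_b64=$(printf '%s' 'touch executed' | base64 | tr -d '\n')
    sample_name='survey_invite.pdf`echo '"$payload_b64"' | base64 -d | sh`'
    : > "$1/$sample_name"          # quoted: nothing is evaluated here
}

# Vulnerable handler: interpolating $f into an eval string re-parses the
# file name as shell code, so the embedded substitution executes.
vulnerable_listing() {
    (cd "$1" && for f in *; do
        eval "echo Processing: $f"
    done)
}

# Safe handler: the name is passed as a quoted argument and printed with
# printf, so it is only ever data.
safe_listing() {
    (cd "$1" && for f in *; do
        printf 'Processing: %s\n' "$f"
    done)
}

# Cheap triage check: flag names containing shell metacharacters that have
# no business in a document name. Returns 0 when the name looks suspicious.
suspicious_name() {
    case $1 in
        *'`'*|*'$('*|*'|'*|*';'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run a handler over a fresh directory holding the sample and report
# (exit status 0) whether the marker file appeared.
payload_ran() {
    sample_dir=$(mktemp -d)
    plant_sample "$sample_dir"
    "$1" "$sample_dir" >/dev/null
    if [ -e "$sample_dir/executed" ]; then
        rm -rf "$sample_dir"; return 0
    fi
    rm -rf "$sample_dir"; return 1
}

if payload_ran vulnerable_listing; then
    echo "eval handler: payload in file name executed"
fi
if payload_ran safe_listing; then
    echo "printf handler: payload executed (unexpected)"
else
    echo "printf handler: file name treated as data"
fi
```

The difference between the two handlers is the whole story: eval re-parses the expanded string, so anything the file name contains becomes code, while printf with a quoted argument never hands the name back to the parser. The triage check is deliberately crude; a legitimate document name may contain a pipe or semicolon, so treat a hit as a reason to look, not as a verdict.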

Trellix researcher Sagar Bade warned that it’s impossible to manually create a file with this syntax, suggesting it was created using another language or tool that bypasses shell input validation. The phishing emails are disguised as an invitation for a beauty product survey and lure recipients with a monetary reward.

The malware delivers VShell, a Go-based remote access tool widely used by Chinese hacking groups, which contacts a command-and-control (C2) server to obtain an encrypted payload and gives the attacker remote control of the infected Linux host.

The attack is notable because the VShell payload runs entirely in memory, sidestepping disk-based detection, and because it can target a wide range of Linux devices. Trellix described the finding as a dangerous evolution in Linux malware delivery, in which a file name alone can be weaponized to execute arbitrary commands.

Separately, a recently documented tool called RingReaper abuses io_uring, the Linux kernel's asynchronous I/O interface, rather than exploiting any kernel vulnerability: by performing its I/O through io_uring instead of the ordinary system calls that endpoint monitoring tools hook, it sidesteps traditional detection, and it deletes itself after running to erase its traces.

Source: https://thehackernews.com/2025/08/linux-malware-delivered-via-malicious.html