Weaponizing Filenames: Trellix Uncovers Stealthy Linux Malware Delivering VShell Backdoor
Researchers at Trellix have uncovered an unusual attack scheme targeting Linux systems, where the key element is not a malicious payload hidden within a file, but the file name itself inside an archive. The campaign begins with a mass phishing wave disguised as a survey invitation about cosmetic products, luring victims with the promise of a cash reward. The attachments contain a RAR archive holding a file whose name appears as:
The peculiarity of this attack lies in the fact that the malicious code is embedded directly into the filename rather than its contents. When an unsafe script processes such a name, the embedded commands are executed as shell code, resulting in command injection. The trick exploits insecure shell practices, such as passing an unsanitized filename through constructs like eval or echo. Since antivirus solutions rarely analyze filenames, this technique proves especially insidious.
Importantly, the malicious code is not triggered by merely extracting the file. The danger arises when a shell or automated script attempts to parse the filename. At that point, a Base64-encoded loader is executed, downloading and launching an ELF binary tailored to the system’s architecture—x86_64, i386, i686, armv7l, or aarch64. The retrieved module connects to a command-and-control server, fetches the encrypted VShell backdoor, decrypts it, and runs it entirely in memory.
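As an added illustration (not Trellix's code and nothing taken from the campaign), the bash snippet below shows the two defensive patterns implied by the description above: an allowlist check on archive entry names before any script touches them, and a handler that only ever passes the name as a quoted argument instead of through eval or an unquoted echo. The sample names in the comments and checks are constructed.

```shell
#!/usr/bin/env bash
# Added example: pre-processing check and safe handler for archive entry
# names. Not Trellix's code; sample names are constructed.

# Returns 0 (true) when the name contains anything outside a conservative
# allowlist (letters, digits, dot, underscore, dash, space) or a newline.
# Every shell-significant character (; | & $ ` ( ) quotes, redirections)
# falls outside the allowlist, so an embedded command is caught without
# enumerating each dangerous token. Non-ASCII names are flagged too, which
# is deliberate for a quarantine-first policy.
is_suspicious_name() {
    local name=$1 nl
    nl=$(printf '\nx'); nl=${nl%x}
    case $name in *"$nl"*) return 0 ;; esac
    printf '%s' "$name" | LC_ALL=C grep -q '[^A-Za-z0-9._ -]'
}

# Safe handler: the name is only ever a quoted argument. printf '%s' does
# not reinterpret it the way `echo $name` (unquoted: word-split, globbed)
# or `eval "... $name"` would. A real script would run the scanner or
# extractor here; this one just reports the decision.
handle_entry() {
    local name=$1
    if is_suspicious_name "$name"; then
        printf 'QUARANTINE: %s\n' "$name"
        return 1
    fi
    printf 'OK: %s\n' "$name"
}

# Walking an extracted tree with find -print0 / read -d '' keeps names
# intact even with spaces or newlines; "--" stops a name beginning with
# "-" from being parsed as an option by basename.
process_tree() {
    find "$1" -type f -print0 | while IFS= read -r -d '' f; do
        handle_entry "$(basename -- "$f")"
    done
}
```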
VShell, a Go-based remote administration tool actively used by Chinese threat groups such as UNC5174, supports reverse shells, file operations, process management, port forwarding, and encrypted C2 communications. Operating entirely in memory without writing to disk, it becomes significantly more difficult to detect, while its compatibility with a wide range of Linux devices broadens the threat landscape.
Trellix emphasizes that crafting such filenames is not feasible manually; it requires external utilities or scripts designed to bypass standard shell input validation—pointing to a well-prepared and sophisticated attack infrastructure.
In parallel, Picus Security has presented an analysis of RingReaper, a novel post-exploitation tool that leverages Linux kernel io_uring asynchronous I/O mechanisms. Unlike traditional system calls such as read, write, send, or connect, this approach relies on asynchronous primitives, allowing it to evade monitoring solutions that hook standard system functions. RingReaper can enumerate processes, sessions, network connections, and users; extract data from /etc/passwd; exploit SUID binaries for privilege escalation; and erase its own activity traces.
Together, these developments highlight the rapid evolution of Linux-targeted attack methods—from exploiting file names hidden in archives to stealthy abuse of low-level kernel functions. They reveal how traditional defensive measures are increasingly outpaced by innovative techniques of obfuscation and intrusion.