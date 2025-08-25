Malware, Threat Intelligence

Malicious RAR archive facilitates VShell backdoor deployment

Phishing emails carrying malicious RAR archives have been used to deploy the open-source VShell backdoor in new attacks, The Hacker News reports.

The emails pose as beauty product survey invitations with a cash reward as the lure and carry a RAR archive attachment. The archive's payload is not a file's contents but a file's name: the name embeds a Base64-encoded shell command that runs when a script on the recipient's system loops over the extracted entries and re-parses the names as commands. That command executes a downloader, which fetches an ELF binary; the binary in turn retrieves, decodes, and executes VShell, according to a Trellix analysis. "This analysis highlights a dangerous evolution in Linux malware delivery where a simple file name embedded in a RAR archive can be weaponized to execute arbitrary commands. The infection chain exploits command injection in shell loops, abuses Linux's permissive execution environment, and ultimately delivers a powerful backdoor VShell malware capable of full remote control over the system," said Trellix researchers.

The findings follow a Picus Security report on RingReaper, a post-exploitation tool that uses Linux's io_uring asynchronous I/O interface to evade detection.
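To make the injection mechanism concrete, here is an added example that is not the Trellix researchers' code and contains nothing from the actual sample. It constructs a file name that embeds a command substitution (a harmless `touch` rather than a downloader), then runs it through two loops: one that pastes the name into a command string and re-parses it, and one that only ever handles the name as a quoted argument. The report does not say which script on the victims' systems performed the loop, so the `eval` form is an assumption standing in for any pattern (`eval`, `sh -c "... $f"`, and the like) that re-parses a name. The `suspicious_name` triage check is likewise an assumption, a filter a responder might run over an archive listing rather than anything the researchers describe.

```shell
#!/bin/sh
# Added example, not code from the Trellix analysis or from VShell: it shows
# how a file name inside an archive turns into a shell command once a script
# re-parses it, and the habits that prevent that. The payload name, the
# directory layout and the scanning loops are all constructed here.
set -u

# Constructed payload name. It reads like a PDF but embeds a command
# substitution; the real sample carried a Base64-encoded downloader, here the
# injected command merely creates a marker file so the effect is observable.
PAYLOAD_NAME='invoice.pdf`touch injected`'

# Build a scratch directory standing in for the extracted archive contents
# and print its path. The caller is responsible for removing it.
make_sample_dir() {
  d="$(mktemp -d)" || return 1
  : > "$d/README.txt"
  : > "$d/$PAYLOAD_NAME"
  printf '%s\n' "$d"
}

# VULNERABLE: each name is pasted into a command string that the shell parses
# a second time. eval, sh -c "... $f" and bash -c "... $f" all behave alike:
# backticks or $(...) inside the name execute with the script's privileges.
vulnerable_scan() {
  ( cd "$1" && for f in *; do
      eval "echo scanning: $f"
    done )
}

# SAFE: the name only ever travels as a quoted argument, so nothing re-parses
# it, and "--" keeps a name that starts with "-" from being read as an option.
safe_scan() {
  ( cd "$1" && for f in *; do
      printf 'scanning: %s\n' "$f"
      ls -ld -- "$f" >/dev/null
    done )
}

# Triage check for archive listings (assumed heuristic): returns 0 when a name
# carries shell metacharacters that have no business in a document name.
suspicious_name() {
  case "$1" in
    *'`'*|*'$'*|*'|'*|*';'*|*'&'*|*'>'*|*'<'*) return 0 ;;
    *) return 1 ;;
  esac
}

demo() {
  d="$(make_sample_dir)"
  vulnerable_scan "$d"
  if [ -e "$d/injected" ]; then echo "vulnerable_scan: injected command ran"; fi
  rm -rf "$d"

  d="$(make_sample_dir)"
  safe_scan "$d"
  if [ ! -e "$d/injected" ]; then echo "safe_scan: injected command did not run"; fi
  rm -rf "$d"

  for n in "$PAYLOAD_NAME" README.txt; do
    if suspicious_name "$n"; then echo "flag: $n"; else echo "ok:   $n"; fi
  done
}
demo
```

The point the vulnerable loop makes is that word splitting alone is not the problem: `for f in *` hands the script a correct, intact name, and the damage is done only when that name is fed back to the parser. Any script that shells out with an interpolated name, whether a backup job, an antivirus wrapper, or a "process every file in the inbox" cron task, is an execution path for the attacker, which is why the filename is a useful indicator to alert on before extraction.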

