Advisory ID: NCC-CSIRT-2025-012
Summary:
Security experts have discovered a new type of cybersecurity attack targeting Linux systems. Criminals are hiding malicious code inside the names of files stored in a compressed archive (RAR file). This trick enables the malware to bypass many antivirus programs because the harmful code is not embedded within the file itself, but rather in the file’s name. Victims usually receive this malware through emails that pretend to be surveys or promotions. Once the attached .rar file is opened, the hidden code can run if the system or scripts process the filename in an unsafe way. The final result is the installation of a powerful backdoor program (called VShell) that gives attackers complete control of the infected system.
Damage/Probability: High/Critical
Product(s):
IoT devices and embedded systems running Linux
Version(s):
All versions of Linux systems, including servers, cloud platforms, IoT devices, and automated scripts that process RAR files
Platform(s):
Linux OS
Description:
Hackers have found a new way to attack Linux computers by hiding harmful code inside the names of files in a RAR archive. Normally, antivirus software looks inside files for threats, but in this case, the danger is in the filename itself, so it often goes undetected.
The attack usually starts with a fake email that has a .rar file attached. When the file is opened and the filenames are handled carelessly by the computer or scripts, the hidden code runs automatically. This code then downloads more malware, which installs a secret program called VShell.
Once installed, VShell gives the hacker full control of the computer: they can steal or delete files, run programs, spy on activity, or even use the machine to attack others. What makes this attack especially dangerous is that the malware runs only in the computer’s memory (not saved on disk), and it pretends to be a normal system process, making it very hard to notice or remove.
Impacts:
If the attack succeeds, hackers can take over Linux systems, steal sensitive data, disrupt services, and use the computers for other crimes, all while staying hidden.
Solutions:
- Be suspicious of unexpected attachments, especially .rar files. If you are not expecting it, do not open it.
- Update and secure scripts. If you use Linux scripts, avoid unsafe commands like eval and always quote filenames properly.
- Use security tools that monitor behavior, not just file content. Endpoint protection systems that watch for unusual memory activity are more likely to catch this.
- Restrict internet access on sensitive servers to only trusted websites.
- Stay aware! Even something as “harmless” as a filename can be weaponized.
References: