Verticals Targeted: Not specified
Regions Targeted: Not specified
Related Families: Snowlight dropper
Executive Summary
VShell is a sophisticated Go-based backdoor targeting Linux systems through a novel infection chain that weaponizes filenames in RAR archives. This malware, linked to Chinese APT groups, exploits common shell scripting practices to execute malicious Bash payloads, delivering a stealthy, memory-resident backdoor capable of remote control, file operations, and network tunneling.
Key Takeaways
- VShell uses a malicious filename in a RAR archive to trigger Bash command execution without user interaction.
- The malware supports multiple architectures (x86, x64, ARM, ARM64) and operates entirely in memory using fexecve().
- It employs XOR encryption for C2 communications, enhancing its stealth.
- The initial stage aligns with the Snowlight dropper, exploiting unsanitized filename processing in shell scripts.
What is VShell?
VShell is a sophisticated Go-based backdoor targeting Linux systems through a novel infection chain that weaponizes filenames in RAR archives. This malware, linked to Chinese APT groups, exploits common shell scripting practices to execute malicious Bash payloads, delivering a stealthy, memory-resident backdoor capable of remote control, file operations, and network tunneling. Trellix recently reported on VShell.
The VShell attack chain begins with a spam email containing a RAR archive, disguised as a beauty product survey offering a small monetary reward. Unlike traditional phishing, the email does not prompt credential theft but relies on user curiosity to extract the archive. The archive contains a file with a crafted filename embedding a Base64-encoded Bash command. This filename, when processed by common shell operations like `ls`, `find`, or `eval`, triggers automatic execution without requiring user interaction or executable permissions.
The infection unfolds in three stages. In Stage 1, the malicious filename is decoded and piped to Bash, executing a command that downloads a second-stage Bash script from a hardcoded C2 server. This script detects the system’s architecture (x86, x64, ARM, ARM64) and fetches an architecture-specific ELF binary. Stage 2 ensures execution resilience by attempting to run the binary across multiple writable directories using `nohup` for background execution and output suppression. In Stage 3, the ELF binary retrieves an XOR-encrypted payload from the C2 server, decrypts it in memory, and executes it using `fexecve()`, avoiding disk-based artifacts. The final payload, VShell, masquerades as a kernel thread to evade detection.
VShell’s capabilities include reverse shell access, file uploads/downloads, process management, and TCP/UDP port forwarding, making it a versatile backdoor for post-exploitation. Its use of Go ensures compatibility across multiple Linux architectures, while XOR-encrypted C2 communications and memory-only execution enhance its stealth. The malware also implements an anti-reinfection mechanism by checking for a marker file, preventing multiple instances from running.
The attack’s reliance on filename-based command injection exploits a common vulnerability in shell scripts that fail to sanitize filenames during operations like `eval "echo $f"` or `ls | while read f`. Traditional antivirus tools struggle to detect this threat, as filenames are rarely scanned, and static analysis may miss encoded payloads. Behavioral detection is also challenging unless systems monitor for unusual shell activity or C2 traffic. VShell underscores the evolving sophistication of Linux-targeted malware, highlighting the need for advanced defenses against fileless threats exploiting trusted system utilities.
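The two defensive controls this passage implies, as an added example that is not code from the original post, PolySwarm or Trellix: a filename heuristic that flags archive contents carrying shell metacharacters or a decode-and-run pattern before any script touches them, and the glob-based iteration idiom that is safe where `ls | while read f` and `eval "echo $f"` are not. It assumes only POSIX sh, grep and printf; the sample names in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): defender-side handling of the
# crafted-filename technique described above. Assumes only POSIX sh utilities.

nl=$(printf '\nx'); nl=${nl%x}   # a literal newline, for the pattern below

# Exit 0 if a bare filename (no path) carries shell metacharacters or a
# decode-and-run pattern, 1 otherwise. Deliberately broad review heuristic:
# it also flags names such as "my bash notes.txt", which is acceptable for
# archive contents that should never need these characters at all.
is_suspicious_name() {
    # command substitution, separators, pipes, redirects, backgrounding,
    # embedded newlines
    case "$1" in
        *'$('*|*'`'*|*';'*|*'|'*|*'&'*|*'<'*|*'>'*|*"$nl"*) return 0 ;;
    esac
    # "base64 -d", a standalone "eval", or a shell name after a pipe/space
    printf '%s' "$1" | grep -Eqi \
        'base64[[:space:]]+(-d|--decode)|(^|[^[:alnum:]])eval([^[:alnum:]]|$)|[|[:space:]][[:space:]]*(ba|z|da)?sh([^[:alnum:]]|$)'
}

# Walk a directory with a glob instead of `ls | while read f` or
# eval "echo $f": each name reaches the loop intact and is only ever used
# quoted, so a crafted name stays data and is never parsed as code. Prints
# each suspicious entry (control characters made visible) and returns 1 if
# any were found, 0 if the directory is clean.
check_dir() {
    check_dir_hits=0
    for f in "$1"/* "$1"/.[!.]*; do
        [ -e "$f" ] || continue            # unmatched glob stays literal
        if is_suspicious_name "${f##*/}"; then
            printf 'SUSPICIOUS: %s\n' "$f" | cat -v
            check_dir_hits=$((check_dir_hits + 1))
        fi
    done
    [ "$check_dir_hits" -eq 0 ]
}
```

Run `check_dir` on the extraction directory before any other script iterates over it; a non-zero status means at least one name should be reviewed rather than processed.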
Chinese APT Groups Known to Use VShell
The following China nexus APT groups have been observed using VShell.
UNC5174
UNC5174, also referred to as Uteus, is a Chinese state-sponsored threat actor identified as deploying VShell in targeted campaigns. This group has been linked to attacks exploiting vulnerabilities in software like ConnectWise ScreenConnect (CVE-2024-1709) and SAP NetWeaver (CVE-2025-31324) to deliver VShell alongside other payloads like SNOWLIGHT and GOREVERSE. UNC5174 is noted for its sophisticated tactics, including fileless execution via memory-only remote access Trojans (RATs) and WebSocket-based C2 communications to evade detection. The group’s motivations include intelligence gathering for the Chinese government and potentially selling access to compromised environments on underground markets.
Earth Lamia
Industry researchers identified overlaps between VShell usage and infrastructure associated with Earth Lamia, a Chinese APT group, in the “Operation DRAGONCLONE” campaign targeting China Mobile Tietong Co., Ltd. This campaign used VShell alongside VELETRIX malware, leveraging DLL sideloading and stolen code-signing certificates. The infrastructure included C2 servers and tools like Cobalt Strike and SuperShell, which are commonly used by Chinese APTs. Earth Lamia has also been linked to attacks targeting entities in India.
CL-STA-0048
Industry researchers reported that CL-STA-0048, a Chinese hacking group likely linked to China’s Ministry of State Security (MSS) or its contractors, used VShell in attacks exploiting the SAP NetWeaver vulnerability (CVE-2025-31324). This group attempted to establish interactive reverse shells and deployed VShell alongside PlugX malware and web shells to maintain persistence and exfiltrate data.
UNC5221
UNC5221 was observed using VShell in conjunction with KrustyLoader, a Rust-based tool, to exploit the same SAP NetWeaver vulnerability (CVE-2025-31324) exploited by other Chinese threat actors, as noted above. This group deployed web shells to deliver secondary payloads like Sliver, maintaining persistence and executing commands on compromised systems. The group’s activities align with large-scale internet scanning and exploitation campaigns targeting SAP NetWeaver systems.
IOCs
PolySwarm has multiple samples associated with this activity.
You can use the following CLI command to search for all VShell-related samples in our portal:
$ polyswarm link list -f VShell