@troed Checks notes … ok I’ll go home and add some quotes on my shell scripts asap. I’m so old I have learnt and forgotten about this trick twice.

kugg@infosec.exchange
@troed ”Malicious filename remains dormant until handled by a shell script or command.
Simply extracting the archive does not trigger execution.
Execution occurs only when a script or command (e.g., for f in *, echo $f, eval, printf, or logging utilities) expands or evaluates the filename.” https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/

”The archive contains a file with a crafted filename embedding a Base64-encoded Bash command. This filename, when processed by common shell operations like `ls`, `find`, or `eval`, triggers automatic execution without requiring user interaction or executable permissions.” What filename results in execution on `ls`? https://blog.polyswarm.io/vshell-linux-backdoor
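
Added example, not part of the thread or of the linked write-ups: a POSIX sh sketch of the defensive side of the quoted advice, flagging filenames that contain shell syntax while treating every name strictly as quoted data. The function names and the list of flagged characters are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: audit a directory for filenames that would be dangerous if a
# script ever re-parsed them as shell code (eval, sh -c, generated commands).
# Function names and the flagged character list are illustrative assumptions.

NL='
'

# Return 0 if the name carries shell syntax (command substitution, command
# separators, pipes, redirection, brace groups, embedded newlines), else 1.
is_suspicious_name() {
    case "$1" in
        *'$('*|*'`'*|*';'*|*'|'*|*'&'*|*'<'*|*'>'*|*'{'*|*"$NL"*) return 0 ;;
    esac
    return 1
}

# Print the number of suspicious entries in directory $1 on stdout and list
# them on stderr. Every expansion is quoted, so a name is only ever data:
# it is never word-split and never handed to eval or sh -c.
count_suspicious() {
    dir=$1
    n=0
    # Three globs so that dotfiles are covered as well as regular names.
    for path in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        # A glob that matched nothing stays literal; skip it.
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        if is_suspicious_name "$name"; then
            n=$((n + 1))
            # The name is an argument to %s, never part of the format string.
            printf 'suspicious: %s\n' "$name" >&2
        fi
    done
    printf '%s\n' "$n"
}
```

Run `count_suspicious` on an extraction directory before any other script touches it; a non-zero count is a reason to inspect the archive, not to rename and continue.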