Suspicious Filename with Embedded Base64 Commands

Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts. These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.

Sigma rule

title: Suspicious Filename with Embedded Base64 Commands
id: 179b3686-6271-4d87-807d-17d843a8af73
status: experimental
description: |
    Detects files with specially crafted filenames that embed Base64-encoded bash payloads designed to execute when processed by shell scripts.
    These filenames exploit shell interpretation quirks to trigger hidden commands, a technique observed in VShell malware campaigns.
references:
    - https://www.trellix.com/blogs/research/the-silent-fileless-threat-of-vshell/
author: '@kostastsale'
date: 2025-11-22
tags:
    - attack.execution
    - attack.t1059.004
    - attack.defense-evasion
    - attack.t1027
logsource:
    product: linux
    category: file_event
detection:
    selection:
        TargetFilename|contains:
            - '{echo'
            - '{base64,-d}'
    condition: selection
falsepositives:
    - Legitimate files with similar naming patterns (very unlikely).
level: high
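The selection above is a plain substring match on `TargetFilename`, so it is easy to reproduce outside a SIEM to sanity-check coverage before deploying the rule. The following Python is an added example written for this page; it is not SigmaHQ code and not a Sigma backend. It assumes Sigma's default behaviour that `contains` without the `cased` modifier matches case-insensitively, and it runs over a handful of constructed `file_event` records (the `PLACEHOLDER` token stands in for whatever Base64 blob an attacker would embed). The crafted record illustrates why `{echo` is a stable indicator: bash brace expansion turns `{echo,PLACEHOLDER}` into `echo PLACEHOLDER` without the filename ever containing a literal space.

```python
"""Reference evaluator for the rule's selection over Linux file_event records.
Added example; not SigmaHQ code and not a Sigma backend.
Assumption: as in Sigma's defaults, 'contains' without the 'cased' modifier
matches case-insensitively."""
import json

# Selection copied from the rule: any listed substring in TargetFilename matches.
RULE = {
    "title": "Suspicious Filename with Embedded Base64 Commands",
    "level": "high",
    "field": "TargetFilename",
    "contains": ["{echo", "{base64,-d}"],
}


def matches(event: dict, rule: dict = RULE) -> bool:
    """Return True when the event's TargetFilename contains any rule substring."""
    value = event.get(rule["field"])
    if not isinstance(value, str):
        return False  # missing or non-string field never matches
    lowered = value.lower()
    return any(needle.lower() in lowered for needle in rule["contains"])


def scan(events) -> list:
    """Run the selection over an iterable of event dicts and return alert dicts."""
    alerts = []
    for event in events:
        if matches(event):
            alerts.append({
                "rule": RULE["title"],
                "level": RULE["level"],
                "TargetFilename": event.get("TargetFilename"),
                "Image": event.get("Image"),
            })
    return alerts


# Constructed sample records (not real telemetry).  Field names follow the
# Sigma linux/file_event convention; PLACEHOLDER stands in for a Base64 blob.
SAMPLE_EVENTS = [
    {"TargetFilename": "/home/analyst/reports/q3_summary.txt",
     "Image": "/usr/bin/touch"},
    # Benign: mentions base64 in the name but carries no brace-expansion tokens.
    {"TargetFilename": "/home/analyst/notes/base64_decoding_cheatsheet.md",
     "Image": "/usr/bin/vim"},
    # Crafted: brace expansion turns {echo,PLACEHOLDER} into 'echo PLACEHOLDER'
    # with no literal space, so '{echo' survives however the payload changes.
    {"TargetFilename": "/tmp/uploads/{echo,PLACEHOLDER}|{base64,-d}",
     "Image": "/usr/bin/curl"},
    # Case variant: still matches under case-insensitive 'contains'.
    {"TargetFilename": "/tmp/uploads/{ECHO,PLACEHOLDER}|{BASE64,-d}",
     "Image": "/usr/bin/wget"},
]


def alert_lines(events) -> list:
    """Render alerts as one JSON line each, the shape a log forwarder expects."""
    return [json.dumps(alert, sort_keys=True) for alert in scan(events)]


if __name__ == "__main__":
    for line in alert_lines(SAMPLE_EVENTS):
        print(line)
```

Running the script prints two alert lines (the crafted record and its upper-case variant) and nothing for the two benign files, which is the behaviour the rule's "very unlikely" false-positive note relies on: a filename has to contain the brace-expansion token itself, not merely the word `base64`.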
