Filedot To Ls Land 8 Prev Rar

sha256sum prev.rar

Paste the hash into . If more than 5 antivirus engines flag it as malware, delete it immediately.

Part 4: Real-World Example of a "Filedot" Malware Campaign

In late 2023, a threat actor dubbed TA577 used a domain filedot[.]top to distribute prev.rar via phishing emails. The emails pretended to be "previous month's invoice." The .rar contained an ISO file with a .lnk shortcut that fetched a second-stage payload with the folder name land8.

rar l prev.rar    # list contents only
unrar l prev.rar

filedownloader.exe to ls-land-8 prev.rar

…where ls-land-8 is a folder on a C2 server. The malware extracts the RAR, which contains a secondary payload (e.g., a fake crack for a game).

Piracy groups often release software in .rar parts (e.g., game.rar, game.r00, game.r01 … up to game.r08). If a user attempted to download part 8 (game.r08) using a text-based browser (Lynx) or an old FTP client, the command might log as:

filedot to ls land 8 prev rar

Delete any file associated with this string. Do not "repair" or "rename" it. Do not search for "filedot" downloads. Run a full antivirus scan. If nothing else, consider this a lesson in why you should never execute or extract random .rar files from untrusted sources.

7z l prev.rar

Look for suspicious extensions: .exe, .scr, .vbs, .ps1, .js, .jar. If you see only .jpg or .txt, still be careful (malware uses double extensions like .pdf.exe). If you have multiple files (filedot.part1.rar … filedot.part8.rar), they must be in the same folder. Extract only part 1:

sha256sum prev

unrar x filedot.part1.rar

Never extract parts individually — that will corrupt the result. Calculate the SHA-256 hash of the RAR and search for it in public databases:

outlook.exe → download filedot.top/invoice/prev.rar → WinRAR.exe extracts invoice.iso → explorer.exe mounts ISO → random.lnk runs PowerShell → PowerShell downloads to C:\Users\Public\land8\svchost.exe (trojan)

This matches if the attacker’s script logged the ls (directory listing) of the land8 folder before downloading prev.rar.

A victim’s process tree looked like: