The ThreatFox: VShell IOCs rule detects potential adversary activity linked to the VShell malware, which is associated with advanced persistent threats and lateral movement. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate early-stage compromise and prevent further network infiltration.
IOC Summary

Malware Family: VShell
Total IOCs: 23
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 45[.]116[.]78[.]181:8084 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 45[.]205[.]27[.]227:9001 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 182[.]92[.]243[.]56:80 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 154[.]88[.]97[.]46:8884 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 198[.]13[.]38[.]179:8443 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 154[.]88[.]97[.]59:8884 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 154[.]88[.]97[.]54:8884 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 154[.]88[.]97[.]47:8884 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 154[.]88[.]96[.]59:8884 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 154[.]88[.]97[.]42:8884 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 154[.]88[.]96[.]43:8884 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 154[.]88[.]96[.]47:8884 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 154[.]88[.]96[.]56:8884 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 154[.]88[.]96[.]58:8884 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 154[.]88[.]96[.]35:8884 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 154[.]88[.]100[.]57:8884 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 154[.]88[.]100[.]56:8884 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 154[.]88[.]100[.]55:8884 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 154[.]88[.]100[.]58:8884 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 154[.]88[.]100[.]54:8884 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 154[.]88[.]100[.]33:8884 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 154[.]88[.]100[.]59:8884 | botnet_cc | 2026-06-04 | 100% |
| ip:port | 154[.]88[.]97[.]39:8884 | botnet_cc | 2026-06-04 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - VShell
// Note: this hunt matches on IP only; the C2 port for each indicator is
// listed in the IOC table above and is kept in the projection for triage.
let malicious_ips = dynamic(["154.88.96.59", "154.88.100.57", "154.88.96.56", "154.88.100.56", "154.88.96.58", "154.88.97.59", "154.88.97.54", "45.205.27.227", "154.88.100.33", "154.88.97.42", "154.88.100.58", "182.92.243.56", "154.88.97.46", "154.88.96.47", "154.88.100.54", "198.13.38.179", "154.88.97.47", "45.116.78.181", "154.88.100.55", "154.88.96.43", "154.88.96.35", "154.88.97.39", "154.88.100.59"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - VShell (same IP list as above; run as a separate query)
let malicious_ips = dynamic(["154.88.96.59", "154.88.100.57", "154.88.96.56", "154.88.100.56", "154.88.96.58", "154.88.97.59", "154.88.97.54", "45.205.27.227", "154.88.100.33", "154.88.97.42", "154.88.100.58", "182.92.243.56", "154.88.97.46", "154.88.96.47", "154.88.100.54", "198.13.38.179", "154.88.97.47", "45.116.78.181", "154.88.100.55", "154.88.96.43", "154.88.96.35", "154.88.97.39", "154.88.100.59"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
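The two hunts above match on IP alone, while the feed publishes ip:port pairs. As an added example (not code from the ThreatFox feed or from this rule), the following Python refangs a subset of the indicators from the table above, matches constructed connection records on both IP and port, and separates exact ip:port hits from connections that an IP-only hunt would also surface. It also emits a KQL `dynamic()` literal of "ip:port" strings for a hunt that compares `strcat(DestinationIP, ":", DestinationPort)` instead of the bare IP. The record layout (time, src_ip, dst_ip, dst_port) and the sample connections are assumptions made for the example.

```python
"""Refang ThreatFox-style ip:port indicators and match them against connection
records on both IP and port.

Added example for this page; it is not part of the ThreatFox feed or of the
Sentinel rule above. The connection records below are constructed sample data,
and the field layout (time, src_ip, dst_ip, dst_port) is an assumption.
"""

import re

# Defanged ip:port indicators copied from the IOC table on this page.
# The full table has 23 entries; five are enough to exercise the logic.
DEFANGED_IOCS = [
    "45[.]116[.]78[.]181:8084",
    "45[.]205[.]27[.]227:9001",
    "182[.]92[.]243[.]56:80",
    "154[.]88[.]97[.]46:8884",
    "198[.]13[.]38[.]179:8443",
]

IPV4_PORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def refang(indicator: str) -> str:
    """Undo the publisher's defanging ("[.]" for ".") so the value can be
    compared with what logs actually record."""
    return indicator.strip().replace("[.]", ".")


def parse_ioc(indicator: str) -> tuple[str, int]:
    """Return (ip, port) for one ip:port indicator, rejecting malformed values
    rather than silently producing a watchlist entry that never matches."""
    m = IPV4_PORT.fullmatch(refang(indicator))
    if m is None:
        raise ValueError(f"not an ip:port indicator: {indicator!r}")
    ip, port = m.group(1), int(m.group(2))
    if any(int(octet) > 255 for octet in ip.split(".")) or not 0 < port < 65536:
        raise ValueError(f"out-of-range ip or port: {indicator!r}")
    return ip, port


def build_watchlists(indicators: list[str]) -> tuple[set[tuple[str, int]], set[str]]:
    """Two views of the same feed: exact ip:port pairs, and the bare IPs that
    the IP-only KQL hunts on this page use."""
    pairs = {parse_ioc(i) for i in indicators}
    return pairs, {ip for ip, _ in pairs}


def classify(dst_ip: str, dst_port: int, pairs: set, ips: set) -> str:
    """'ioc_match' when ip:port equals a listed indicator, 'ip_only' when only
    the IP is listed (what an IP-only hunt would surface), else 'none'."""
    if (dst_ip, dst_port) in pairs:
        return "ioc_match"
    if dst_ip in ips:
        return "ip_only"
    return "none"


# Constructed connection records: (time, src_ip, dst_ip, dst_port).
SAMPLE_CONNECTIONS = [
    ("2026-06-04T10:01:00Z", "10.0.0.12", "154.88.97.46", 8884),   # exact IOC hit
    ("2026-06-04T10:02:00Z", "10.0.0.12", "182.92.243.56", 443),   # listed IP, other port
    ("2026-06-04T10:03:00Z", "10.0.0.15", "203.0.113.7", 443),     # unrelated (TEST-NET-3)
    ("2026-06-04T10:04:00Z", "10.0.0.20", "198.13.38.179", 8443),  # exact IOC hit
]


def triage(connections, indicators=DEFANGED_IOCS) -> dict[str, list]:
    """Bucket connection records by how strongly they overlap the feed."""
    pairs, ips = build_watchlists(indicators)
    buckets: dict[str, list] = {"ioc_match": [], "ip_only": [], "none": []}
    for record in connections:
        _, _, dst_ip, dst_port = record
        buckets[classify(dst_ip, dst_port, pairs, ips)].append(record)
    return buckets


def kql_pair_list(indicators=DEFANGED_IOCS) -> str:
    """Emit a KQL dynamic() literal of "ip:port" strings, for a hunt that
    compares strcat(DestinationIP, ":", DestinationPort) rather than the IP."""
    pairs, _ = build_watchlists(indicators)
    quoted = ", ".join(f'"{ip}:{port}"' for ip, port in sorted(pairs))
    return f"let malicious_endpoints = dynamic([{quoted}]);"


if __name__ == "__main__":
    for bucket, records in triage(SAMPLE_CONNECTIONS).items():
        for record in records:
            print(bucket, *record)
    print(kql_pair_list())
```

Running the module lists the two exact hits, the single IP-only overlap (a listed IP contacted on a port the feed does not name), and the unrelated connection, then prints the `let` statement that a port-aware variant of the CommonSecurityLog hunt can consume.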
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Backup Using VShell
Description: A legitimate scheduled backup job uses VShell to transfer data between servers.
Filter/Exclusion: process.name != "vshell" OR event.type != "file_transfer"

Scenario: Admin Task Using VShell for File Sync
Description: An administrator uses VShell to synchronize configuration files across multiple servers.
Filter/Exclusion: user.name == "admin" OR process.name != "vshell"

Scenario: Log Collection via VShell Using a Known Tool
Description: A log aggregation tool like rsyslog or fluentd uses VShell to transfer logs from remote servers.
Filter/Exclusion: process.name != "vshell" OR process.parent.name == "rsyslog" OR process.parent.name == "fluentd"

Scenario: Internal Network Monitoring Tool Using VShell
Description: A network monitoring tool like Nagios or Zabbix uses VShell to fetch metrics or logs.
Filter/Exclusion: process.name != "vshell" OR process.parent.name == "nagios" OR process.parent.name == "zabbix"

Scenario: Automated Patch Deployment Using VShell
Description: A patch management system like SCCM or Ansible uses VShell to deploy updates across the network.
Filter/Exclusion: process.name != "vshell" OR process.parent.name == "ansible" OR process.parent.name == "sccm"