The ThreatFox: VShell IOCs rule detects potential adversary activity associated with the VShell malware, which is known for its persistence and lateral movement capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that may have already bypassed initial defenses.
IOC Summary
Malware Family: VShell
Total IOCs: 9
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 171[.]80[.]9[.]253:8084 | botnet_cc | 2026-06-20 | 100% |
| ip:port | 102[.]209[.]117[.]153:8000 | botnet_cc | 2026-06-20 | 100% |
| ip:port | 101[.]42[.]5[.]27:8880 | botnet_cc | 2026-06-20 | 100% |
| ip:port | 47[.]116[.]45[.]227:8080 | botnet_cc | 2026-06-20 | 100% |
| ip:port | 60[.]205[.]129[.]61:30244 | botnet_cc | 2026-06-19 | 100% |
| ip:port | 49[.]232[.]169[.]67:8084 | botnet_cc | 2026-06-19 | 100% |
| ip:port | 49[.]232[.]169[.]67:8085 | botnet_cc | 2026-06-19 | 100% |
| ip:port | 31[.]207[.]4[.]28:4444 | botnet_cc | 2026-06-19 | 100% |
| ip:port | 1[.]13[.]158[.]52:8084 | botnet_cc | 2026-06-19 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - VShell
let malicious_ips = dynamic(["49.232.169.67", "31.207.4.28", "47.116.45.227", "1.13.158.52", "60.205.129.61", "102.209.117.153", "171.80.9.253", "101.42.5.27"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["49.232.169.67", "31.207.4.28", "47.116.45.227", "1.13.158.52", "60.205.129.61", "102.209.117.153", "171.80.9.253", "101.42.5.27"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
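Both queries above key on the IP address alone, while every IOC in the table is an ip:port pair (49.232.169.67 appears on two ports, for instance). The Python below is an added example, not code from the ThreatFox page or from the VShell rule: it refangs and validates the defanged IOCs, emits the IP-only `dynamic([...])` list in the shape the queries use, emits an alternative `datatable` join that keys on RemoteIP and RemotePort together, and runs both matching modes over a few constructed rows shaped like DeviceNetworkEvents. The sample rows, device names and the `vshell_c2` variable name are assumptions made for the example.

```python
import ipaddress
import json

# Defanged ip:port IOCs copied from the ThreatFox table on this page.
DEFANGED_IOCS = [
    "171[.]80[.]9[.]253:8084",
    "102[.]209[.]117[.]153:8000",
    "101[.]42[.]5[.]27:8880",
    "47[.]116[.]45[.]227:8080",
    "60[.]205[.]129[.]61:30244",
    "49[.]232[.]169[.]67:8084",
    "49[.]232[.]169[.]67:8085",
    "31[.]207[.]4[.]28:4444",
    "1[.]13[.]158[.]52:8084",
]


def refang(ioc):
    """Turn '1[.]2[.]3[.]4:8084' into ('1.2.3.4', 8084), rejecting malformed input."""
    ip_text, port_text = ioc.replace("[.]", ".").rsplit(":", 1)
    ip = str(ipaddress.IPv4Address(ip_text))  # raises ValueError on a bad address
    port = int(port_text)
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in IOC: {ioc}")
    return ip, port


def parse_iocs(defanged):
    """Refang and de-duplicate, returning a sorted list of (ip, port) tuples."""
    return sorted({refang(ioc) for ioc in defanged})


def kql_ip_list(pairs, name="malicious_ips"):
    """IP-only list in the shape the page's queries use (the port is dropped)."""
    ips = sorted({ip for ip, _ in pairs})
    return f"let {name} = dynamic({json.dumps(ips)});"


def kql_pair_query(pairs, table="DeviceNetworkEvents"):
    """KQL that joins on RemoteIP and RemotePort, so 49.232.169.67:443 is not a hit."""
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port in pairs)
    return (
        f"let vshell_c2 = datatable(RemoteIP: string, RemotePort: int)\n[\n{rows}\n];\n"
        f"{table}\n"
        "| join kind=inner vshell_c2 on RemoteIP, RemotePort\n"
        "| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType\n"
        "| order by Timestamp desc"
    )


# Constructed sample rows in the shape of DeviceNetworkEvents (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "srv-01", "RemoteIP": "49.232.169.67", "RemotePort": 8084, "InitiatingProcessFileName": "sh"},
    {"DeviceName": "srv-02", "RemoteIP": "49.232.169.67", "RemotePort": 443, "InitiatingProcessFileName": "curl"},
    {"DeviceName": "srv-03", "RemoteIP": "31.207.4.28", "RemotePort": 4444, "InitiatingProcessFileName": "python3"},
    {"DeviceName": "srv-04", "RemoteIP": "203.0.113.9", "RemotePort": 8084, "InitiatingProcessFileName": "scp"},
]


def match_events(events, pairs, ip_only=False):
    """Return device names whose connection matches an IOC, by ip:port pair or by IP alone."""
    wanted = {ip for ip, _ in pairs} if ip_only else set(pairs)
    hits = []
    for ev in events:
        key = ev["RemoteIP"] if ip_only else (ev["RemoteIP"], ev["RemotePort"])
        if key in wanted:
            hits.append(ev["DeviceName"])
    return hits


if __name__ == "__main__":
    pairs = parse_iocs(DEFANGED_IOCS)
    print(kql_ip_list(pairs))
    print(kql_pair_query(pairs))
    print("ip:port hits:", match_events(SAMPLE_EVENTS, pairs))
    print("ip-only hits:", match_events(SAMPLE_EVENTS, pairs, ip_only=True))
```

The pair join is stricter than the IP-only `in ()` filter: srv-02 talks to an IOC address on a port that is not in the feed, so it is surfaced by the IP-only mode and dropped by the pair mode. Which behaviour you want depends on whether the infrastructure is dedicated C2 (IP-only is safer) or shared hosting (pair matching cuts noise); the refang step also fails loudly on a mistyped IOC instead of silently producing a list entry that never matches.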
Required Sentinel Tables
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
False Positive Scenarios
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that connects to a remote server using ssh or scp as part of routine system maintenance.
Filter/Exclusion: Exclude connections to known internal IP ranges or hosts using src_ip IN (list_of_internal_ips) or dest_ip IN (list_of_internal_hosts).
Scenario: Admin Task Using VShell for File Transfer
Description: An administrator uses vshell to transfer configuration files between servers during a routine configuration update.
Filter/Exclusion: Exclude traffic involving known admin tools or file paths using process_name != "vshell" or file_path NOT LIKE '/etc/%'.
Scenario: Automated Backup Job Using SCP
Description: A backup job runs nightly using scp to transfer data between servers, triggering the VShell IOC detection.
Filter/Exclusion: Exclude traffic with specific command-line arguments like scp -r /backup/ using command_line LIKE '%scp -r /backup/%'.
Scenario: Log Collection via SSH Tunnel
Description: A security tool uses an SSH tunnel to collect logs from a remote server, which may be flagged as VShell activity.
Filter/Exclusion: Exclude connections with known log collection tools using process_name != "ssh" or command_line LIKE '%ssh -L%'.
Scenario: Internal Network Monitoring Tool
Description: A network monitoring tool like tcpdump or Wireshark is used internally to capture and analyze network traffic, which may match VShell IOCs.
Filter/Exclusion: Exclude traffic from known monitoring tools using process_name NOT IN ('tcpdump', 'Wireshark') or user_account NOT IN ('monitoring', 'network_ops').