The ThreatFox: VShell IOCs rule detects potential adversary activity associated with the VShell malware, which is known for its persistence and lateral movement capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that could compromise critical systems.
IOC Summary

Malware Family: VShell
Total IOCs: 6
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 38[.]76[.]194[.]85:8084 | botnet_cc | 2026-06-21 | 100% |
| ip:port | 123[.]57[.]40[.]208:8084 | botnet_cc | 2026-06-21 | 100% |
| ip:port | 123[.]60[.]57[.]137:8443 | botnet_cc | 2026-06-21 | 100% |
| ip:port | 143[.]92[.]51[.]145:18082 | botnet_cc | 2026-06-21 | 100% |
| ip:port | 124[.]174[.]125[.]32:80 | botnet_cc | 2026-06-21 | 100% |
| ip:port | 8[.]166[.]131[.]10:8084 | botnet_cc | 2026-06-21 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - VShell
// IOC values are refanged here (38[.]76[.]194[.]85 -> 38.76.194.85) so they match log data
let malicious_ips = dynamic(["38.76.194.85", "8.166.131.10", "143.92.51.145", "123.57.40.208", "123.60.57.137", "124.174.125.32"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Same refanged IOC list; RemotePort is projected so hits can be compared with the ip:port pairs above
let malicious_ips = dynamic(["38.76.194.85", "8.166.131.10", "143.92.51.145", "123.57.40.208", "123.60.57.137", "124.174.125.32"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: System backup process using rsync or tar that generates network traffic matching VShell IOCs
Filter/Exclusion: Check for presence of rsync, tar, or backup in the command line or process name, and filter out traffic originating from known backup servers.
Scenario: Scheduled job using cron or systemd to perform routine system updates or patching that triggers network activity
Filter/Exclusion: Exclude processes initiated by cron, systemd, or update-manager and filter traffic to known patch management servers.
Scenario: Admin task using scp or sftp to transfer files between servers within the internal network
Filter/Exclusion: Filter traffic between internal IP ranges and exclude processes using scp, sftp, or ssh with known internal server hosts.
Scenario: Log collection tool like rsyslog or Fluentd sending logs to a centralized SIEM system
Filter/Exclusion: Exclude traffic to SIEM IP addresses and filter processes associated with log shipping tools like rsyslog, fluentd, or logstash.
Scenario: Automated configuration management tool like Ansible or Chef performing routine configuration pushes
Filter/Exclusion: Exclude traffic from Ansible or Chef controllers and filter connections to known managed nodes or configuration servers.
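As an added example that is not part of the original rule, the query below ties the two hunting ideas on this page together: it matches on the full ip:port pairs from the ThreatFox table rather than the IP alone, and it expresses the false-positive scenarios above as explicit filters. The table and column names are the standard DeviceNetworkEvents schema; the process list and the host names (backup01, ansible-controller, siem-collector) are placeholders to adapt per tenant. The internal-IP-range exclusion from the scp/sftp scenario is omitted because every IOC here is a public address.

```kql
// Added example, not part of the original ThreatFox VShell rule.
// Port-aware IOC match plus the benign-scenario exclusions described above.
let ioc_pairs = datatable(RemoteIP:string, RemotePort:int) [
    "38.76.194.85",   8084,
    "123.57.40.208",  8084,
    "123.60.57.137",  8443,
    "143.92.51.145",  18082,
    "124.174.125.32", 80,
    "8.166.131.10",   8084
];
// Processes named in the false-positive scenarios (placeholder list; extend per environment)
let routine_tools = dynamic(["rsync", "tar", "scp", "sftp", "ssh", "rsyslogd", "fluentd", "logstash", "ansible", "chef-client"]);
// Hosts that legitimately originate such traffic (placeholder names; replace with your backup, config-management and SIEM hosts)
let known_infra_hosts = dynamic(["backup01", "ansible-controller", "siem-collector"]);
DeviceNetworkEvents
| where Timestamp > ago(30d)
// Inner join on both columns: a connection must hit the exact ip:port pair to count
| join kind=inner ioc_pairs on RemoteIP, RemotePort
| extend routine_process = InitiatingProcessFileName in~ (routine_tools)
| extend known_host = DeviceName in~ (known_infra_hosts)
// Suppress only when BOTH the process and the originating host are expected;
// a routine tool on an arbitrary workstation talking to a botnet_cc pair still surfaces
| where not(routine_process and known_host)
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
          RemoteIP, RemotePort, ActionType, routine_process, known_host
| order by Timestamp desc
```

Requiring both conditions before suppressing a hit is deliberate: a process name is trivially chosen by whoever runs it, so the host allowlist is what carries the exclusion. Review any rows where routine_process is true but known_host is false, since those are the cases the simpler per-IP queries would have surfaced without context.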