The ThreatFox: VShell IOCs rule detects potential adversary activity associated with the VShell malware, which is known for its persistence and lateral movement capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that could compromise critical systems.
IOC Summary

Malware Family: VShell
Total IOCs: 13
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 143[.]92[.]43[.]153:8087 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 156[.]238[.]233[.]97:8084 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 206[.]119[.]182[.]15:8082 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 64[.]118[.]128[.]131:9999 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 103[.]146[.]158[.]182:8443 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 143[.]92[.]43[.]246:8087 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 103[.]146[.]158[.]182:10443 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 119[.]45[.]166[.]6:8084 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 143[.]92[.]43[.]231:8087 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 159[.]75[.]152[.]237:18084 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 156[.]244[.]9[.]19:9090 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 139[.]84[.]150[.]251:8084 | botnet_cc | 2026-06-17 | 100% |
| ip:port | 139[.]199[.]76[.]207:8080 | botnet_cc | 2026-06-17 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - VShell
// Note: this list holds 12 unique addresses for 13 ip:port IOCs, because
// 103.146.158.182 is published on two ports (8443 and 10443). Matching is on
// IP only, so confirm DestinationPort against the IOC table on any hit.
let malicious_ips = dynamic(["143.92.43.231", "119.45.166.6", "139.199.76.207", "64.118.128.131", "143.92.43.153", "143.92.43.246", "156.244.9.19", "103.146.158.182", "139.84.150.251", "156.238.233.97", "159.75.152.237", "206.119.182.15"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Same IP-only list as above; RemotePort is projected so the port can be
// checked against the ip:port IOCs during triage.
let malicious_ips = dynamic(["143.92.43.231", "119.45.166.6", "139.199.76.207", "64.118.128.131", "143.92.43.153", "143.92.43.246", "156.244.9.19", "103.146.158.182", "139.84.150.251", "156.238.233.97", "159.75.152.237", "206.119.182.15"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
- Scenario: Scheduled System Maintenance Task
  - Description: A legitimate system maintenance task runs a script that uses wget or curl to download a configuration file from an internal server.
  - Filter/Exclusion: Exclude processes initiated by cron or systemd with known maintenance scripts (e.g., /etc/cron.daily/ or /usr/lib/systemd/system/).
- Scenario: Admin Task to Update VShell Configuration
  - Description: An administrator manually updates the VShell configuration using a script that interacts with the VShell API or downloads a config file from a trusted internal repository.
  - Filter/Exclusion: Exclude processes initiated by user root or admin with known configuration update scripts (e.g., /opt/vshell/configure.sh).
- Scenario: Log Collection via Secure Tunnel
  - Description: A security tool like Logstash or Fluentd uses ssh or scp to securely transfer logs from a remote server to a central logging server.
  - Filter/Exclusion: Exclude processes involving ssh or scp with known log collection tools (e.g., logstash-agent, fluentd).
- Scenario: Internal Software Update via HTTP
  - Description: A company's internal software update system uses wget or curl to fetch updates from a private HTTP server.
  - Filter/Exclusion: Exclude processes that originate from internal IP ranges (e.g., 10.0.0.0/8, 192.168.0.0/16) and use known update tools (e.g., update.sh, patcher).
- Scenario: Database Backup via SCP
  - Description: A nightly database backup job uses scp to transfer backup files from a database server to a backup server.
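The two hunt queries above match on IP address only, while ThreatFox publishes these IOCs as ip:port pairs, and the false-positive scenarios describe process-level exclusions rather than address exclusions (the internal-range exclusion in particular cannot apply here, since every IOC is a public address). The KQL below is an added example, not part of the original rule page or of ThreatFox's own content. It joins both Sentinel tables on the full address and port pair from the IOC table and annotates each hit with the initiating process, so the scenarios above become triage context on the hit instead of a reason to drop it. The `maintenance_procs` list is an assumed placeholder built from the process names in the scenario text; column names follow the standard CommonSecurityLog and DeviceNetworkEvents schemas.

```kql
// Added example (not from the ThreatFox rule page): ip:port matching plus triage context.
// IOC pairs are the 13 entries from the table above, refanged.
let vshell_c2 = datatable(ioc_ip:string, ioc_port:int) [
    "143.92.43.153", 8087,
    "156.238.233.97", 8084,
    "206.119.182.15", 8082,
    "64.118.128.131", 9999,
    "103.146.158.182", 8443,
    "143.92.43.246", 8087,
    "103.146.158.182", 10443,
    "119.45.166.6", 8084,
    "143.92.43.231", 8087,
    "159.75.152.237", 18084,
    "156.244.9.19", 9090,
    "139.84.150.251", 8084,
    "139.199.76.207", 8080
];
// Assumed placeholder: process names taken from the false-positive scenarios.
// Replace with the maintenance and log-shipping binaries actually used in your estate.
let maintenance_procs = dynamic(["logstash-agent", "fluentd", "update.sh", "patcher"]);
// Firewall / proxy telemetry: require both the destination address and port to match.
let csl_hits = CommonSecurityLog
    | join kind=inner (vshell_c2) on $left.DestinationIP == $right.ioc_ip, $left.DestinationPort == $right.ioc_port
    | project EventTime = TimeGenerated, SourceTable = "CommonSecurityLog", Host = DeviceName,
              LocalIP = SourceIP, RemoteIP = DestinationIP, RemotePort = DestinationPort,
              Process = "", Action = DeviceAction;
// Endpoint telemetry: same pair match, but here the initiating process is available.
let mde_hits = DeviceNetworkEvents
    | join kind=inner (vshell_c2) on $left.RemoteIP == $right.ioc_ip, $left.RemotePort == $right.ioc_port
    | project EventTime = Timestamp, SourceTable = "DeviceNetworkEvents", Host = DeviceName,
              LocalIP, RemoteIP, RemotePort,
              Process = InitiatingProcessFileName, Action = ActionType;
union csl_hits, mde_hits
// An allowlisted process reaching a published C2 pair is still a hit; it is flagged for
// review rather than excluded, because curl/wget/scp are exactly what a loader would use.
| extend ProcessInMaintenanceAllowlist = Process in (maintenance_procs)
| extend Triage = iff(ProcessInMaintenanceAllowlist, "review: allowlisted process reached a C2 pair", "escalate")
| project EventTime, SourceTable, Host, LocalIP, RemoteIP, RemotePort, Process, Action, Triage
| order by EventTime desc
```

Because the join uses both columns, the two entries for 103.146.158.182 only fire on ports 8443 and 10443, while the IP-only queries above fire on any port to that host. If you want the broader net as well, run the IP-only queries and use this one to rank which of those hits line up with a published pair.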