The ThreatFox: VShell IOCs rule flags network activity associated with the VShell malware, which is known for its persistence and lateral movement capabilities. SOC teams should proactively hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) so that command-and-control traffic is identified and contained before it causes significant damage to the environment.
IOC Summary
Malware Family: VShell
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 39[.]100[.]89[.]103:8085 | botnet_cc | 2026-06-09 | 100% |
| ip:port | 154[.]88[.]96[.]50:8884 | botnet_cc | 2026-06-09 | 100% |
| ip:port | 49[.]235[.]130[.]208:10002 | botnet_cc | 2026-06-09 | 100% |
| ip:port | 85[.]209[.]48[.]248:8443 | botnet_cc | 2026-06-09 | 100% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - VShell
// Note: the feed publishes ip:port pairs, but this query matches on IP only.
// When triaging hits, compare DestinationPort against the IOC table
// (8085, 8884, 10002, 8443); a different port lowers confidence.
let malicious_ips = dynamic(["154.88.96.50", "49.235.130.208", "39.100.89.103", "85.209.48.248"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
// Run separately from the CommonSecurityLog query: each query declares its own
// let binding and the two cannot be pasted into one editor as a single statement.
let malicious_ips = dynamic(["154.88.96.50", "49.235.130.208", "39.100.89.103", "85.209.48.248"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled (populated by CEF/Syslog sources such as firewalls and proxies) |
| DeviceNetworkEvents | Ensure this data connector is enabled (requires the Microsoft Defender XDR connector) |
The example filters below are written in a generic pseudo-syntax; translate them into the schema of the table you query (SourceIP/DestinationIP in CommonSecurityLog, LocalIP/RemoteIP in DeviceNetworkEvents). Fields such as user and file_path do not exist on plain network-flow rows, so those exclusions need a log source that records them. Do not suppress a match on the listed C2 ip:port pairs on the strength of an internal-to-internal exclusion alone; confirm the traffic is the expected workload first.
Scenario: Scheduled System Backup Using VShell
Description: A legitimate scheduled backup job uses VShell to transfer data between servers.
Filter/Exclusion: Exclude traffic where the source is a known backup server and the destination is a backup storage system.
Example Filter: src_ip IN (10.10.10.10, 10.10.10.11) AND dst_ip IN (10.10.10.20, 10.10.10.21)
Scenario: Admin Task to Transfer Configuration Files
Description: An administrator uses VShell to manually transfer configuration files between servers during routine maintenance.
Filter/Exclusion: Exclude traffic initiated by admin accounts (e.g., user = admin) and involving known configuration directories (e.g., /etc/, /var/config/).
Example Filter: user IN (admin, root) AND file_path IN ("/etc/", "/var/config/")
Scenario: Log File Transfer Between Servers
Description: A log aggregation system uses VShell to transfer log files between servers for centralized logging.
Filter/Exclusion: Exclude traffic where the file path contains "logs" or "log" and the destination is a centralized log server.
Example Filter: file_path CONTAINS "logs" AND dst_ip = 10.10.10.30
Scenario: Database Replication Using VShell
Description: A database replication process uses VShell to synchronize data between primary and secondary databases.
Filter/Exclusion: Exclude traffic involving database-specific directories (e.g., /var/lib/mysql/, /opt/oracle/) and between known database servers.
Example Filter: file_path CONTAINS "mysql"
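Added example (not code from the original page, ThreatFox or any VShell project): a small Python hunt that refangs the IOC rows from the table above, matches constructed CommonSecurityLog-style flow records on the full ip:port pair rather than the IP alone (the KQL queries above match IP only), and applies the backup-server exclusion from the first scenario. The allowlist addresses, the NetEvent record shape and the sample flows are constructed for illustration and are not real telemetry.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# The four ip:port IOCs from the table above, copied as ThreatFox defangs them.
DEFANGED_IOCS = [
    "39[.]100[.]89[.]103:8085",
    "154[.]88[.]96[.]50:8884",
    "49[.]235[.]130[.]208:10002",
    "85[.]209[.]48[.]248:8443",
]

# Hypothetical allowlist for the "scheduled system backup" scenario (constructed, not from the page's data).
BACKUP_SOURCES = {"10.10.10.10", "10.10.10.11"}
BACKUP_STORAGE = {"10.10.10.20", "10.10.10.21"}


def refang(value: str) -> str:
    """Reverse the defanging used by ThreatFox exports ([.] , [:] and hxxp)."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def parse_ip_port(ioc: str) -> tuple[str, int]:
    """Refang and validate an ip:port IOC; raises ValueError on a bad IP or port."""
    ip, sep, port = refang(ioc).rpartition(":")
    if not sep:
        raise ValueError(f"no port in IOC: {ioc}")
    ipaddress.ip_address(ip)          # ValueError if the address is malformed
    port_num = int(port)              # ValueError if the port is not numeric
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range in IOC: {ioc}")
    return ip, port_num


IOC_PAIRS: set[tuple[str, int]] = {parse_ip_port(i) for i in DEFANGED_IOCS}
IOC_IPS: set[str] = {ip for ip, _ in IOC_PAIRS}


def kql_ip_list() -> list[str]:
    """Refanged IPs, sorted, ready to paste into the KQL dynamic([...]) list above."""
    return sorted(IOC_IPS)


@dataclass(frozen=True)
class NetEvent:
    """Minimal stand-in for a CommonSecurityLog flow row (constructed shape)."""
    src_ip: str
    dst_ip: str
    dst_port: int


def classify(event: NetEvent) -> str:
    """
    ioc_match : destination equals a feed ip:port pair (high-fidelity C2 hit)
    ip_only   : an IOC IP appears but the port differs or it is the source (triage; NAT/shared host)
    excluded  : backup source -> backup storage, the first scenario's exclusion
    clean     : no IOC involvement
    The exclusion requires BOTH endpoints to be on the allowlist, so a backup
    server reaching an external C2 ip:port still surfaces as ioc_match.
    """
    if event.src_ip in BACKUP_SOURCES and event.dst_ip in BACKUP_STORAGE:
        return "excluded"
    if (event.dst_ip, event.dst_port) in IOC_PAIRS:
        return "ioc_match"
    if event.dst_ip in IOC_IPS or event.src_ip in IOC_IPS:
        return "ip_only"
    return "clean"


def hunt(events: list[NetEvent]) -> list[tuple[NetEvent, str]]:
    """Classify every event, keeping only those worth a look (everything but 'clean')."""
    return [(e, verdict) for e in events if (verdict := classify(e)) != "clean"]


# Constructed sample flows; none are real telemetry.
SAMPLE_EVENTS = [
    NetEvent("10.10.10.10", "85.209.48.248", 8443),   # backup server -> C2: still a hit
    NetEvent("10.20.0.5", "39.100.89.103", 443),      # IOC IP, wrong port: review
    NetEvent("10.10.10.10", "10.10.10.20", 22),       # backup job: excluded
    NetEvent("10.20.0.7", "8.8.8.8", 53),             # unrelated DNS: clean
]

if __name__ == "__main__":
    for event, verdict in hunt(SAMPLE_EVENTS):
        print(f"{verdict:10} {event.src_ip} -> {event.dst_ip}:{event.dst_port}")
```

The exclusion is evaluated on the (source, destination) pair, never on the source alone, which is why the backup server's connection to 85.209.48.248:8443 is still reported: an allowlisted host is exactly the kind of machine an implant would prefer to live on. The ip_only verdict is kept separate from ioc_match so that a port mismatch lowers priority instead of being silently dropped or silently counted as a confirmed hit.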