The ThreatFox: VShell IOCs rule detects potential adversary activity associated with the VShell malware, which is known for its persistence and lateral movement capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that could compromise critical systems.
IOC Summary
Malware Family: VShell
Total IOCs: 9
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 60[.]204[.]141[.]204:9090 | botnet_cc | 2026-05-24 | 100% |
| ip:port | 101[.]126[.]76[.]146:4443 | botnet_cc | 2026-05-24 | 100% |
| ip:port | 1[.]95[.]118[.]186:8080 | botnet_cc | 2026-05-24 | 100% |
| ip:port | 38[.]47[.]98[.]4:19999 | botnet_cc | 2026-05-24 | 100% |
| ip:port | 206[.]188[.]196[.]221:8001 | botnet_cc | 2026-05-24 | 100% |
| ip:port | 47[.]243[.]177[.]251:8083 | botnet_cc | 2026-05-24 | 100% |
| ip:port | 8[.]134[.]216[.]105:8084 | botnet_cc | 2026-05-24 | 100% |
| ip:port | 8[.]138[.]30[.]206:61617 | botnet_cc | 2026-05-24 | 100% |
| ip:port | 60[.]205[.]129[.]61:8080 | botnet_cc | 2026-05-24 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - VShell
let malicious_ips = dynamic(["8.134.216.105", "8.138.30.206", "60.204.141.204", "101.126.76.146", "60.205.129.61", "206.188.196.221", "1.95.118.186", "47.243.177.251", "38.47.98.4"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - VShell
let malicious_ips = dynamic(["8.134.216.105", "8.138.30.206", "60.204.141.204", "101.126.76.146", "60.205.129.61", "206.188.196.221", "1.95.118.186", "47.243.177.251", "38.47.98.4"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
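The two queries above match on IP address alone, while every IOC in the feed is an ip:port pair. The script below is an added example (not part of the ThreatFox feed or of the Sentinel rule): it refangs the nine defanged values from the table, validates them, renders the same `let malicious_ips = dynamic([...])` line the queries use, renders a stricter CommonSecurityLog predicate that requires destination IP and port together, and runs both matching modes over a handful of constructed log records so the difference is visible. The `SAMPLE_EVENTS` records and the `kql_pair_filter` column names (taken from the CommonSecurityLog query above) are assumptions for illustration.

```python
"""Refang the VShell ip:port IOCs above and match them against log records.

Added example, not part of the ThreatFox feed or of the Sentinel queries on
this page. The IOC values are the nine from the table above; the log records
in SAMPLE_EVENTS are constructed for illustration.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Set, Tuple

# Defanged ip:port IOCs exactly as listed in the table above.
DEFANGED_IOCS = [
    "60[.]204[.]141[.]204:9090", "101[.]126[.]76[.]146:4443",
    "1[.]95[.]118[.]186:8080", "38[.]47[.]98[.]4:19999",
    "206[.]188[.]196[.]221:8001", "47[.]243[.]177[.]251:8083",
    "8[.]134[.]216[.]105:8084", "8[.]138[.]30[.]206:61617",
    "60[.]205[.]129[.]61:8080",
]

# Common defanging forms: [.]  (.)  {.}  [dot]
_DEFANG = re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.IGNORECASE)


def refang(value: str) -> str:
    """Return the plain form of a defanged value, e.g. 1[.]2[.]3[.]4 -> 1.2.3.4."""
    return _DEFANG.sub(".", value.strip())


def parse_ip_port(ioc: str) -> Tuple[str, int]:
    """Refang and validate an ip:port IOC; raises ValueError on malformed input.

    Only IPv4 is handled (the feed above is IPv4-only); the split is on the
    last colon so a stray path or scheme does not silently pass validation.
    """
    host, sep, port = refang(ioc).rpartition(":")
    if not sep:
        raise ValueError(f"no port in IOC {ioc!r}")
    ip = ipaddress.IPv4Address(host)   # ValueError if not an IPv4 address
    port_num = int(port)               # ValueError if not numeric
    if not 0 < port_num < 65536:
        raise ValueError(f"port out of range in IOC {ioc!r}")
    return str(ip), port_num


def load_iocs(values: Iterable[str]) -> Set[Tuple[str, int]]:
    """Parse every IOC into a set of (ip, port) pairs."""
    return {parse_ip_port(v) for v in values}


def kql_ip_list(pairs: Iterable[Tuple[str, int]]) -> str:
    """Render the `let malicious_ips = dynamic([...])` line used by the queries above."""
    ips = sorted({ip for ip, _ in pairs}, key=ipaddress.IPv4Address)
    return "let malicious_ips = dynamic([" + ", ".join(f'"{ip}"' for ip in ips) + "]);"


def kql_pair_filter(pairs: Iterable[Tuple[str, int]]) -> str:
    """Render a stricter CommonSecurityLog predicate that needs IP *and* port to match."""
    ordered = sorted(pairs, key=lambda p: (ipaddress.IPv4Address(p[0]), p[1]))
    conds = [f'(DestinationIP == "{ip}" and DestinationPort == {port})' for ip, port in ordered]
    return "| where " + "\n    or ".join(conds)


def match_events(events: Iterable[Dict], pairs: Set[Tuple[str, int]], strict: bool) -> List[Dict]:
    """Select records that hit an IOC.

    strict=False reproduces the page's queries: the IP appears as source or
    destination, any port. strict=True requires the (DestinationIP,
    DestinationPort) pair, which drops traffic to the same address on an
    unrelated port (shared hosting, CDN, reassigned address).
    """
    ips = {ip for ip, _ in pairs}
    hits = []
    for ev in events:
        if strict:
            if (ev["DestinationIP"], int(ev["DestinationPort"])) in pairs:
                hits.append(ev)
        elif ev["DestinationIP"] in ips or ev["SourceIP"] in ips:
            hits.append(ev)
    return hits


# Constructed CommonSecurityLog-style records (not real telemetry).
SAMPLE_EVENTS = [
    {"TimeGenerated": "2026-05-24T10:01:00Z", "SourceIP": "10.20.30.40",
     "DestinationIP": "60.204.141.204", "DestinationPort": 9090, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-24T10:02:00Z", "SourceIP": "10.20.30.41",
     "DestinationIP": "60.204.141.204", "DestinationPort": 443, "DeviceAction": "allow"},
    {"TimeGenerated": "2026-05-24T10:03:00Z", "SourceIP": "38.47.98.4",
     "DestinationIP": "10.20.30.42", "DestinationPort": 22, "DeviceAction": "deny"},
    {"TimeGenerated": "2026-05-24T10:04:00Z", "SourceIP": "10.20.30.43",
     "DestinationIP": "10.20.30.44", "DestinationPort": 9090, "DeviceAction": "allow"},
]

if __name__ == "__main__":
    iocs = load_iocs(DEFANGED_IOCS)
    print(kql_ip_list(iocs))
    print(kql_pair_filter(iocs))
    print("loose hits:", len(match_events(SAMPLE_EVENTS, iocs, strict=False)))
    print("strict hits:", len(match_events(SAMPLE_EVENTS, iocs, strict=True)))
```

On the constructed records the loose mode (the page's logic) returns three hits and the strict pair mode returns one; the inbound connection from an IOC address is only caught by the loose mode, so in practice the strict predicate is a tuning step for the outbound C2 case rather than a replacement for the published query.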
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that uses vshell as part of a system maintenance process (e.g., log rotation or configuration backup).
Filter/Exclusion: Exclude processes initiated by the schtasks service or tasks with a known maintenance name (e.g., DailyLogCleanup).
Scenario: Admin User Performing Remote Management
Description: An admin user uses vshell to securely connect to a remote server for troubleshooting or configuration changes.
Filter/Exclusion: Exclude processes initiated by users with admin privileges and with a known legitimate command line (e.g., ssh -i key.pem user@host).
Scenario: Log File Analysis Job
Description: A scheduled job runs a script that uses vshell to parse and analyze log files for compliance or auditing purposes.
Filter/Exclusion: Exclude processes that access log files in standard directories like /var/log/ or use known log analysis tools (e.g., logrotate, splunk, ELK).
Scenario: Software Update Deployment
Description: A deployment tool uses vshell to push updates to remote servers as part of a patch management process.
Filter/Exclusion: Exclude processes that originate from a known patch management tool (e.g., WSUS, SCCM, Ansible) or use a specific update script name (e.g., update_script.sh).
Scenario: Database Backup via Secure Tunnel
Description: A database backup process uses vshell to establish a secure tunnel for transferring backup data to a remote storage system.
Filter/Exclusion: Exclude processes that involve known backup tools (e.g., mysqldump, pg_dump, Veeam) or use a
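The scenarios above describe exclusions in prose; the script below is an added example (not part of the ThreatFox feed or of the Sentinel rule) that encodes them as tuning rules and applies them to IOC hits. Each rule requires every populated criterion to match, so the "admin user" scenario is keyed on the process, the command-line shape and a named account together rather than on privilege alone, and a rule with no criteria is rejected outright. Suppressed hits are returned alongside alerts so the tuning itself can be reviewed. The `EXCLUSIONS` entries are a hypothetical encoding of the scenarios (process, task and script names come from the descriptions above), and the `SAMPLE_HITS` records mimic DeviceNetworkEvents columns and are constructed for illustration.

```python
"""Encode the false-positive scenarios above as exclusions and triage IOC hits.

Added example, not part of the ThreatFox feed or of the Sentinel queries on
this page. The exclusion entries are a hypothetical encoding of the scenarios
listed above; the hit records in SAMPLE_HITS are constructed for illustration.
"""
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Exclusion:
    """One tuning rule. Every populated field must match for the rule to apply,
    so an exclusion is never keyed on a single weak attribute."""
    scenario: str
    processes: Tuple[str, ...] = ()      # InitiatingProcessFileName globs
    cmdline: Optional[str] = None        # regex over InitiatingProcessCommandLine
    accounts: Tuple[str, ...] = ()       # allowed InitiatingProcessAccountName values

    def __post_init__(self) -> None:
        if not (self.processes or self.cmdline or self.accounts):
            raise ValueError(f"exclusion {self.scenario!r} has no criteria and would suppress everything")

    def applies(self, hit: Dict) -> bool:
        proc = hit.get("InitiatingProcessFileName", "").lower()
        if self.processes and not any(fnmatch.fnmatchcase(proc, p.lower()) for p in self.processes):
            return False
        if self.cmdline and not re.search(self.cmdline, hit.get("InitiatingProcessCommandLine", "")):
            return False
        if self.accounts and hit.get("InitiatingProcessAccountName") not in self.accounts:
            return False
        return True


# Hypothetical encoding of the scenarios above; names must be tuned per environment.
EXCLUSIONS = [
    Exclusion("Scheduled System Maintenance Task", processes=("schtasks.exe",),
              cmdline=r"/TN\s+DailyLogCleanup\b"),
    Exclusion("Admin User Performing Remote Management", processes=("ssh", "ssh.exe"),
              cmdline=r"^ssh\s+-i\s+\S+\.pem\s+\S+@\S+", accounts=("ops-admin",)),
    Exclusion("Log File Analysis Job", processes=("logrotate",), cmdline=r"/var/log/"),
    Exclusion("Software Update Deployment", processes=("ansible-playbook", "update_script.sh")),
    Exclusion("Database Backup via Secure Tunnel", processes=("mysqldump", "pg_dump")),
]


def triage(hits: List[Dict], exclusions: List[Exclusion]) -> Tuple[List[Dict], List[Tuple[Dict, str]]]:
    """Split IOC hits into alerts and (hit, scenario) pairs suppressed by the first matching rule.

    Suppressed hits are returned rather than discarded so the tuning can be
    reviewed: a rule that silences many connections to a C2 address deserves a look.
    """
    alerts, suppressed = [], []
    for hit in hits:
        reason = next((ex.scenario for ex in exclusions if ex.applies(hit)), None)
        if reason is None:
            alerts.append(hit)
        else:
            suppressed.append((hit, reason))
    return alerts, suppressed


# Constructed DeviceNetworkEvents-style hits against the IOC list above (not real telemetry).
SAMPLE_HITS = [
    {"DeviceName": "build-01", "RemoteIP": "47.243.177.251", "RemotePort": 8083,
     "InitiatingProcessFileName": "ansible-playbook",
     "InitiatingProcessCommandLine": "ansible-playbook site.yml", "InitiatingProcessAccountName": "deploy"},
    {"DeviceName": "db-02", "RemoteIP": "8.138.30.206", "RemotePort": 61617,
     "InitiatingProcessFileName": "pg_dump",
     "InitiatingProcessCommandLine": "pg_dump -h backup.internal inventory", "InitiatingProcessAccountName": "postgres"},
    {"DeviceName": "ws-17", "RemoteIP": "60.204.141.204", "RemotePort": 9090,
     "InitiatingProcessFileName": "vshell",
     "InitiatingProcessCommandLine": "./vshell", "InitiatingProcessAccountName": "jdoe"},
    {"DeviceName": "ws-18", "RemoteIP": "38.47.98.4", "RemotePort": 19999,
     "InitiatingProcessFileName": "ssh",
     "InitiatingProcessCommandLine": "ssh -i key.pem admin@38.47.98.4", "InitiatingProcessAccountName": "jdoe"},
    {"DeviceName": "jump-01", "RemoteIP": "38.47.98.4", "RemotePort": 19999,
     "InitiatingProcessFileName": "ssh",
     "InitiatingProcessCommandLine": "ssh -i key.pem admin@38.47.98.4", "InitiatingProcessAccountName": "ops-admin"},
]

if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_HITS, EXCLUSIONS)
    for hit in alerts:
        print("ALERT   ", hit["DeviceName"], hit["RemoteIP"], hit["RemotePort"], hit["InitiatingProcessFileName"])
    for hit, why in suppressed:
        print("SUPPRESS", hit["DeviceName"], hit["RemoteIP"], "->", why)
```

On the constructed hits, the two ssh records differ only by account: the one from `jdoe` stays an alert because the command-line match alone is not enough, while the one from the named `ops-admin` account is suppressed under the remote-management scenario.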