ThreatFox: VShell IOCs

Hunt Hypothesis

The ThreatFox: VShell IOCs rule detects potential adversary activity associated with the VShell malware, which is known for its persistence and lateral movement capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that may have already bypassed initial detection mechanisms.

IOC Summary

Malware Family: VShell Total IOCs: 119 IOC Types: ip:port

Type	Value	Threat Type	First Seen	Confidence
ip:port	43[.]167[.]11[.]88:8084	botnet_cc	2026-06-03	100%
ip:port	154[.]88[.]98[.]43:8884	botnet_cc	2026-06-03	100%
ip:port	114[.]134[.]189[.]226:8084	botnet_cc	2026-06-03	100%
ip:port	1[.]95[.]163[.]22:8080	botnet_cc	2026-06-03	100%
ip:port	47[.]97[.]201[.]164:18084	botnet_cc	2026-06-03	100%
ip:port	154[.]88[.]103[.]47:8884	botnet_cc	2026-06-03	100%
ip:port	154[.]88[.]103[.]52:8884	botnet_cc	2026-06-03	100%
ip:port	154[.]88[.]103[.]46:8884	botnet_cc	2026-06-03	100%
ip:port	154[.]88[.]103[.]45:8884	botnet_cc	2026-06-03	100%
ip:port	154[.]88[.]103[.]49:8884	botnet_cc	2026-06-03	100%
ip:port	154[.]88[.]103[.]50:8884	botnet_cc	2026-06-03	100%
ip:port	45[.]136[.]14[.]91:80	botnet_cc	2026-06-03	75%
ip:port	192[.]227[.]167[.]203:8080	botnet_cc	2026-06-03	75%
ip:port	103[.]114[.]163[.]67:2087	botnet_cc	2026-06-03	75%
ip:port	154[.]88[.]102[.]47:8884	botnet_cc	2026-06-03	75%
ip:port	134[.]122[.]154[.]92:2086	botnet_cc	2026-06-03	75%
ip:port	146[.]56[.]248[.]54:8080	botnet_cc	2026-06-03	75%
ip:port	198[.]13[.]38[.]179:8080	botnet_cc	2026-06-03	75%
ip:port	23[.]95[.]48[.]221:8080	botnet_cc	2026-06-03	75%
ip:port	8[.]134[.]70[.]73:8112	botnet_cc	2026-06-03	75%
ip:port	107[.]175[.]81[.]40:7105	botnet_cc	2026-06-03	75%
ip:port	107[.]149[.]176[.]221:3000	botnet_cc	2026-06-03	75%
ip:port	45[.]77[.]220[.]145:8080	botnet_cc	2026-06-03	75%
ip:port	192[.]3[.]98[.]166:55555	botnet_cc	2026-06-03	75%
ip:port	116[.]63[.]105[.]66:80	botnet_cc	2026-06-03	75%

KQL: Ip Hunt

// Hunt for network connections to known malicious IPs
// Source: ThreatFox - VShell
let malicious_ips = dynamic(["103.179.44.239", "45.202.210.114", "154.88.102.43", "154.88.102.62", "43.167.11.88", "154.88.100.62", "115.29.202.62", "154.88.102.41", "154.88.99.33", "117.50.220.61", "154.88.102.46", "64.111.93.243", "45.77.220.145", "154.88.102.61", "154.88.102.50", "154.88.102.49", "107.173.144.112", "110.42.239.240", "45.77.28.40", "66.154.104.53", "154.88.102.58", "192.3.98.166", "130.94.16.122", "194.213.18.117", "149.28.30.98", "148.66.8.67", "1.95.163.22", "116.62.172.147", "13.212.206.34", "154.88.102.42", "154.88.103.49", "154.88.103.43", "193.112.200.118", "107.175.81.40", "172.245.80.41", "114.134.189.226", "198.13.38.179", "154.88.101.33", "117.72.79.131", "101.34.60.206", "154.88.102.51", "47.79.99.24", "38.165.20.79", "154.88.103.34", "8.218.114.253", "103.110.221.162", "149.30.247.60", "154.88.103.46", "43.247.135.106", "23.95.48.221"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc

KQL: Ip Hunt Device

// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["103.179.44.239", "45.202.210.114", "154.88.102.43", "154.88.102.62", "43.167.11.88", "154.88.100.62", "115.29.202.62", "154.88.102.41", "154.88.99.33", "117.50.220.61", "154.88.102.46", "64.111.93.243", "45.77.220.145", "154.88.102.61", "154.88.102.50", "154.88.102.49", "107.173.144.112", "110.42.239.240", "45.77.28.40", "66.154.104.53", "154.88.102.58", "192.3.98.166", "130.94.16.122", "194.213.18.117", "149.28.30.98", "148.66.8.67", "1.95.163.22", "116.62.172.147", "13.212.206.34", "154.88.102.42", "154.88.103.49", "154.88.103.43", "193.112.200.118", "107.175.81.40", "172.245.80.41", "114.134.189.226", "198.13.38.179", "154.88.101.33", "117.72.79.131", "101.34.60.206", "154.88.102.51", "47.79.99.24", "38.165.20.79", "154.88.103.34", "8.218.114.253", "103.110.221.162", "149.30.247.60", "154.88.103.46", "43.247.135.106", "23.95.48.221"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc

Required Data Sources

Sentinel Table	Notes
CommonSecurityLog	Ensure this data connector is enabled
DeviceNetworkEvents	Ensure this data connector is enabled

References

• ThreatFox — VShell

False Positive Guidance

• Scenario: Scheduled System Maintenance Task
  Description: A legitimate scheduled task runs a script that uses a tool like tar or gzip to archive log files, which may trigger the VShell IOC due to similar command-line patterns.
  Filter/Exclusion: Exclude processes initiated by the at or cron scheduler, or filter by command-line arguments containing --archive, --compress, or --gzip.

• Scenario: Admin Performing Log Rotation
  Description: An administrator uses logrotate to manage log files, which may involve temporary file creation or manipulation that resembles VShell behavior.
  Filter/Exclusion: Exclude processes with the logrotate binary or those running under the root user with logrotate in the command line.

• Scenario: Database Backup Using mysqldump
  Description: A database administrator uses mysqldump to create backups, which may involve temporary files or command-line arguments that match VShell IOCs.
  Filter/Exclusion: Exclude processes where the command line includes mysqldump or where the user is a database admin (e.g., mysqladmin or db_user).

• Scenario: Software Update via apt or yum
  Description: A system update via apt or yum may involve temporary files or package extraction that could be flagged by the VShell detection rule.
  Filter/Exclusion: Exclude processes with apt, apt-get, yum, or dnf in the command line, or filter by user root or sudo.

• Scenario: Network Configuration Tool Usage
  Description: A network administrator uses tools like ifconfig, ip, or nmcli to configure interfaces, which may involve file operations or command-line patterns similar to