The ThreatFox: VShell IOCs rule detects potential adversary activity associated with the VShell malware, which is known for its persistence and lateral movement capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats that may have evaded initial detection mechanisms.
IOC Summary
- Malware Family: VShell
- Total IOCs: 12
- IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 139[.]199[.]76[.]207:9090 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 124[.]222[.]37[.]250:8084 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 144[.]7[.]106[.]78:8084 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 43[.]228[.]79[.]138:9000 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 194[.]56[.]225[.]147:80 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 154[.]9[.]225[.]203:9999 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 106[.]75[.]236[.]163:18084 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 107[.]175[.]229[.]154:8084 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 112[.]121[.]165[.]46:80 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 112[.]121[.]165[.]44:80 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 112[.]121[.]165[.]45:80 | botnet_cc | 2026-06-16 | 100% |
| ip:port | 3[.]111[.]43[.]20:80 | botnet_cc | 2026-06-16 | 100% |
```kql
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - VShell
// Note: matches on IP address only; the port component of each IOC is not checked
let malicious_ips = dynamic(["43.228.79.138", "112.121.165.45", "194.56.225.147", "144.7.106.78", "154.9.225.203", "112.121.165.44", "107.175.229.154", "112.121.165.46", "139.199.76.207", "106.75.236.163", "3.111.43.20", "124.222.37.250"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kql
// Hunt in Defender for Endpoint network events
// Note: matches on RemoteIP only; the port component of each IOC is not checked
let malicious_ips = dynamic(["43.228.79.138", "112.121.165.45", "194.56.225.147", "144.7.106.78", "154.9.225.203", "112.121.165.44", "107.175.229.154", "112.121.165.46", "139.199.76.207", "106.75.236.163", "3.111.43.20", "124.222.37.250"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
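The hunting queries above match on IP address alone, although every IOC in the table is an ip:port pair. The following Python helper is an added example, not part of the ThreatFox rule page: it refangs IOCs written in the table's `a[.]b[.]c[.]d:port` form, drops malformed entries, and emits a port-aware variant of the DeviceNetworkEvents hunt. The sample input is constructed; the column names RemoteIP and RemotePort are taken from the query above.

```python
"""Convert ThreatFox-style defanged ip:port IOCs into a port-aware KQL hunt query."""
import ipaddress
import re

# Constructed sample input in the page's defanged "a[.]b[.]c[.]d:port" format;
# the last two entries are deliberately malformed to exercise the validation.
SAMPLE_IOCS = [
    "139[.]199[.]76[.]207:9090",
    "3[.]111[.]43[.]20:80",
    "999[.]1[.]1[.]1:80",
    "not-an-ip:abc",
]

_IOC_RE = re.compile(r"^(?P<ip>(?:\d{1,3}\[\.\]){3}\d{1,3}):(?P<port>\d{1,5})$")


def parse_ioc(ioc):
    """Refang one IOC and return (ip, port), or None if it is not a valid IPv4:port."""
    m = _IOC_RE.match(ioc.strip())
    if not m:
        return None
    ip = m.group("ip").replace("[.]", ".")  # undo the "[.]" defanging
    port = int(m.group("port"))
    try:
        ipaddress.IPv4Address(ip)  # rejects octets greater than 255
    except ipaddress.AddressValueError:
        return None
    return (ip, port) if 0 < port < 65536 else None


def parse_all(iocs):
    """Parse a list of IOCs, silently dropping malformed entries."""
    return [p for p in map(parse_ioc, iocs) if p is not None]


def build_kql(iocs, table="DeviceNetworkEvents", ip_col="RemoteIP", port_col="RemotePort"):
    """Emit KQL that joins the network table against a datatable of (ip, port) pairs,
    so a hit requires both the C2 address and its port rather than the address alone."""
    rows = ",\n".join(f'    "{ip}", {port}' for ip, port in parse_all(iocs))
    return (
        f"let vshell_c2 = datatable({ip_col}:string, {port_col}:int) [\n{rows}\n];\n"
        f"{table}\n"
        f"| join kind=inner vshell_c2 on {ip_col}, {port_col}\n"
        f"| project Timestamp, DeviceName, {ip_col}, {port_col}, InitiatingProcessFileName\n"
        "| order by Timestamp desc"
    )


if __name__ == "__main__":
    print(build_kql(SAMPLE_IOCS))
```

Paste the printed query into the Sentinel or Defender advanced hunting console; swap the table and column arguments to target CommonSecurityLog with DestinationIP and DestinationPort.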
- **Scenario:** Legitimate system update via yum or apt that includes VShell-related packages.
  **Filter/Exclusion:** Check for yum or apt commands with package names like vshell, vsftpd, or vsftpd-utils in the command line.
- **Scenario:** Scheduled job for log rotation or system maintenance that uses logrotate or crontab.
  **Filter/Exclusion:** Filter events where the process name is logrotate or crontab, and exclude commands related to log management or system cleanup.
- **Scenario:** Admin task involving file transfer using scp or rsync between internal servers.
  **Filter/Exclusion:** Exclude events where the source and destination are internal IP addresses, and the command includes scp or rsync with known internal hosts.
- **Scenario:** Use of vsftpd for secure file transfer in a development environment.
  **Filter/Exclusion:** Filter for vsftpd process names and exclude traffic from known development servers or internal IP ranges.
- **Scenario:** Automated backup script using rsync or tar that includes VShell configuration files.
  **Filter/Exclusion:** Exclude events where the command includes tar, rsync, or backup in the command line, and the source is a known backup directory.