The ThreatFox: VShell IOCs rule detects potential adversary activity associated with the VShell malware, which is known for its persistence and lateral movement capabilities. SOC teams should proactively hunt for these IOCs in Azure Sentinel to identify and mitigate advanced threats before they cause significant damage to the environment.
IOC Summary
Malware Family: VShell
Total IOCs: 33
IOC Types: ip:port
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - VShell
let malicious_ips = dynamic(["154.88.103.35", "154.88.103.60", "154.88.101.62", "154.88.101.59", "154.88.101.61", "154.88.103.59", "154.88.103.61", "154.88.102.37", "154.88.101.58", "154.88.103.57", "154.88.99.60", "154.88.96.46", "154.88.103.44", "154.88.102.36", "154.88.100.45", "154.88.99.37", "154.88.103.54", "154.88.101.56", "154.88.102.33", "154.88.103.56", "154.88.103.62", "154.88.101.60", "45.63.120.124", "122.10.52.27", "154.88.103.51", "154.88.103.55", "154.88.101.57", "101.43.2.89", "154.88.96.39", "154.88.103.53", "82.156.228.128", "154.88.102.34", "154.88.100.52"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kusto
// Hunt in Defender for Endpoint network events
let malicious_ips = dynamic(["154.88.103.35", "154.88.103.60", "154.88.101.62", "154.88.101.59", "154.88.101.61", "154.88.103.59", "154.88.103.61", "154.88.102.37", "154.88.101.58", "154.88.103.57", "154.88.99.60", "154.88.96.46", "154.88.103.44", "154.88.102.36", "154.88.100.45", "154.88.99.37", "154.88.103.54", "154.88.101.56", "154.88.102.33", "154.88.103.56", "154.88.103.62", "154.88.101.60", "45.63.120.124", "122.10.52.27", "154.88.103.51", "154.88.103.55", "154.88.101.57", "101.43.2.89", "154.88.96.39", "154.88.103.53", "82.156.228.128", "154.88.102.34", "154.88.100.52"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
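The feed's IOCs are ip:port pairs, but both queries above match on the IP alone, so a connection to a listed host on an unrelated port looks the same as a C2 hit. The following added example (not part of the ThreatFox feed or of the rule above) refangs a few of the defanged ip:port entries, emits a KQL datatable the hunt can join on both columns, and separates exact hits from IP-only hits on a constructed event sample; the `vshell_c2` name and the event field names are assumptions.

```python
import re

# Constructed sample of ThreatFox-style defanged ip:port IOCs (subset of the feed above).
DEFANGED_IOCS = [
    "154[.]88[.]102[.]34:8884",
    "154[.]88[.]101[.]62:8884",
    "82[.]156[.]228[.]128:50001",
]

IOC_RE = re.compile(r"^(\d{1,3}(?:\[\.\]\d{1,3}){3}):(\d{1,5})$")

def refang(ioc: str) -> tuple[str, int]:
    """Turn a defanged 'a[.]b[.]c[.]d:port' IOC into ('a.b.c.d', port); reject malformed input."""
    m = IOC_RE.match(ioc.strip())
    if not m:
        raise ValueError(f"not a defanged ip:port IOC: {ioc!r}")
    ip = m.group(1).replace("[.]", ".")
    port = int(m.group(2))
    if not (0 < port < 65536) or any(int(o) > 255 for o in ip.split(".")):
        raise ValueError(f"out-of-range value in IOC: {ioc!r}")
    return ip, port

def to_kql(iocs) -> str:
    """Emit a KQL datatable of (ip, port) rows so the hunt can join on both columns, not the IP alone.
    'vshell_c2' is an assumed name; the column names match DeviceNetworkEvents."""
    rows = ", ".join(f'"{ip}", {port}' for ip, port in map(refang, iocs))
    return f"let vshell_c2 = datatable(RemoteIP:string, RemotePort:int)[{rows}];"

def match_events(iocs, events):
    """Return (exact, ip_only): events hitting an ip:port pair, and events hitting only the IP."""
    pairs = {refang(i) for i in iocs}
    ips = {ip for ip, _ in pairs}
    exact, ip_only = [], []
    for ev in events:
        if (ev["remote_ip"], ev["remote_port"]) in pairs:
            exact.append(ev)
        elif ev["remote_ip"] in ips:
            ip_only.append(ev)  # same host, other port: triage rather than alert outright
    return exact, ip_only

# Constructed events: one exact C2 hit, one same-IP/different-port connection, one benign.
SAMPLE_EVENTS = [
    {"device": "ws01", "remote_ip": "154.88.102.34", "remote_port": 8884, "process": "update.exe"},
    {"device": "ws02", "remote_ip": "154.88.102.34", "remote_port": 443, "process": "chrome.exe"},
    {"device": "ws03", "remote_ip": "10.0.0.5", "remote_port": 8884, "process": "robocopy.exe"},
]
```

In Sentinel the emitted `let` can be joined as `DeviceNetworkEvents | join kind=inner vshell_c2 on RemoteIP, RemotePort`, which keeps the port in the match.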
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs a script that interacts with network shares or system logs, triggering VShell IOCs due to similar network activity.
Filter/Exclusion: Exclude events where the process is schtasks.exe and the command line includes schtasks /run or maintenance in the script name.
Scenario: Admin Performing Log Collection via PowerShell
Description: An administrator uses PowerShell to collect logs from remote servers, which may involve similar network connections or file access patterns as VShell.
Filter/Exclusion: Exclude events where the process is powershell.exe and the command line includes -Command with Get-EventLog or Get-WinEvent.
Scenario: Automated Backup Job Using Robocopy
Description: A backup job using robocopy transfers files across the network, which may match VShell’s network IOCs due to similar file transfer patterns.
Filter/Exclusion: Exclude events where the process is robocopy.exe and the command line includes /Z or /R:3 for resumable transfers.
Scenario: Database Replication or Synchronization Task
Description: A database replication task (e.g., using SQL Server Agent) may involve network communication that resembles VShell’s IOCs.
Filter/Exclusion: Exclude events where the process is sqlservr.exe or sqlagent.exe and the command line includes replication or backup keywords.
Scenario: Security Software Performing Network Scanning
Description: A security tool like Wireshark or Nmap is used for network analysis, which may generate network traffic similar to VShell’s IOCs.
Filter/Exclusion: Exclude events where the process is wireshark.exe,