The ThreatFox: VShell IOCs rule flags network connections to command-and-control endpoints (ThreatFox threat type botnet_cc) attributed to the VShell malware family. All 16 indicators are ip:port pairs, so the rule detects beaconing and operator sessions rather than the implant itself. SOC teams should hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) across both perimeter logs and endpoint telemetry, and treat any hit from an internal host as a potential active compromise to be scoped, not just blocked.
IOC Summary
Malware Family: VShell
Total IOCs: 16
IOC Types: ip:port
Threat Type: botnet_cc (all entries)
Confidence: 14 IOCs at 100%, 2 IOCs at 50% (8[.]145[.]40[.]223:8084 and 130[.]94[.]33[.]140:8080); triage the 50% entries with more scepticism before blocking.
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 154[.]88[.]99[.]62:8884 | botnet_cc | 2026-06-05 | 100% |
| ip:port | 124[.]222[.]65[.]141:8089 | botnet_cc | 2026-06-05 | 100% |
| ip:port | 101[.]34[.]249[.]170:8085 | botnet_cc | 2026-06-05 | 100% |
| ip:port | 118[.]195[.]197[.]228:6651 | botnet_cc | 2026-06-05 | 100% |
| ip:port | 192[.]210[.]215[.]182:3308 | botnet_cc | 2026-06-05 | 100% |
| ip:port | 154[.]88[.]96[.]38:8884 | botnet_cc | 2026-06-05 | 100% |
| ip:port | 3[.]36[.]117[.]91:81 | botnet_cc | 2026-06-05 | 100% |
| ip:port | 8[.]145[.]40[.]223:8084 | botnet_cc | 2026-06-05 | 50% |
| ip:port | 130[.]94[.]33[.]140:8080 | botnet_cc | 2026-06-05 | 50% |
| ip:port | 79[.]133[.]56[.]151:18084 | botnet_cc | 2026-06-05 | 100% |
| ip:port | 111[.]229[.]188[.]75:8084 | botnet_cc | 2026-06-05 | 100% |
| ip:port | 154[.]83[.]16[.]73:8899 | botnet_cc | 2026-06-05 | 100% |
| ip:port | 47[.]92[.]122[.]207:8084 | botnet_cc | 2026-06-05 | 100% |
| ip:port | 154[.]88[.]96[.]34:8884 | botnet_cc | 2026-06-05 | 100% |
| ip:port | 61[.]110[.]5[.]174:33061 | botnet_cc | 2026-06-05 | 100% |
| ip:port | 216[.]128[.]154[.]222:80 | botnet_cc | 2026-06-05 | 100% |
```kql
// Hunt for network connections to known malicious IPs in firewall/proxy (CEF) logs
// Source: ThreatFox - VShell
let malicious_ips = dynamic(["47.92.122.207", "154.83.16.73", "8.145.40.223", "111.229.188.75", "154.88.96.34", "3.36.117.91", "130.94.33.140", "124.222.65.141", "154.88.96.38", "216.128.154.222", "118.195.197.228", "79.133.56.151", "192.210.215.182", "61.110.5.174", "101.34.249.170", "154.88.99.62"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```

```kql
// Hunt in Defender for Endpoint network events
// Source: ThreatFox - VShell
let malicious_ips = dynamic(["47.92.122.207", "154.83.16.73", "8.145.40.223", "111.229.188.75", "154.88.96.34", "3.36.117.91", "130.94.33.140", "124.222.65.141", "154.88.96.38", "216.128.154.222", "118.195.197.228", "79.133.56.151", "192.210.215.182", "61.110.5.174", "101.34.249.170", "154.88.99.62"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
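Both queries above match on IP address only. The feed publishes ip:port pairs, and several of the listed ports are generic (80, 8080, 81), so a connection to one of these addresses on an unrelated port gives the same result as a hit on the exact C2 port, and the ThreatFox confidence score is lost in the output. The following query is an added example, not part of the ThreatFox feed or the rule as published: it loads the 16 ip:port pairs with their confidence into a datatable, normalises CommonSecurityLog and DeviceNetworkEvents to one shape, and labels each hit as an exact ip:port match or an IP-only match. The table and column names are the standard Sentinel and Defender XDR ones; the aliases Source, Host, Process and MatchType, and the 30-day lookback, are choices made here.

```kql
// Added example: port-aware VShell C2 hunt across CEF logs and endpoint telemetry.
// IOC list transcribed from the ThreatFox table above (refanged), with confidence.
let vshell_c2 = datatable(ioc_ip:string, ioc_port:int, confidence:int) [
    "154.88.99.62",     8884, 100,
    "124.222.65.141",   8089, 100,
    "101.34.249.170",   8085, 100,
    "118.195.197.228",  6651, 100,
    "192.210.215.182",  3308, 100,
    "154.88.96.38",     8884, 100,
    "3.36.117.91",        81, 100,
    "8.145.40.223",     8084,  50,
    "130.94.33.140",    8080,  50,
    "79.133.56.151",   18084, 100,
    "111.229.188.75",   8084, 100,
    "154.83.16.73",     8899, 100,
    "47.92.122.207",    8084, 100,
    "154.88.96.34",     8884, 100,
    "61.110.5.174",    33061, 100,
    "216.128.154.222",    80, 100
];
// Lookback window is an assumption; widen it for a retrospective hunt.
let lookback = 30d;
// Firewall/proxy logs: outbound connections where the destination is the C2.
let cef_conns = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where isnotempty(DestinationIP)
    | project TimeGenerated,
              Source = "CommonSecurityLog",
              Host = DeviceName,
              Process = "",
              RemoteIP = DestinationIP,
              RemotePort = toint(DestinationPort),
              Action = DeviceAction;
// Endpoint telemetry: only public remote addresses are relevant for this list.
let mde_conns = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where RemoteIPType == "Public"
    | project TimeGenerated = Timestamp,
              Source = "DeviceNetworkEvents",
              Host = DeviceName,
              Process = InitiatingProcessFileName,
              RemoteIP,
              RemotePort,
              Action = ActionType;
union cef_conns, mde_conns
// Inner lookup keeps only connections to an IOC address and attaches its port and confidence.
| lookup kind=inner vshell_c2 on $left.RemoteIP == $right.ioc_ip
// Exact ip:port is the published C2 listener; IP-only hits need review for shared hosting.
| extend MatchType = iff(RemotePort == ioc_port, "exact ip:port", "ip only, different port")
| project TimeGenerated, Source, Host, Process, RemoteIP, RemotePort, ioc_port, confidence, MatchType, Action
| order by confidence desc, MatchType asc, TimeGenerated desc
```

Exact matches at 100% confidence go straight to incident handling; IP-only matches and the two 50% entries are worth a look at the initiating process (Process column) and at the address's hosting provider before blocking, since a shared hosting or cloud address can carry legitimate traffic on other ports.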
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Populated by the Common Event Format (CEF) via AMA data connector; ensure it is enabled and that perimeter firewalls and proxies are forwarding. |
| DeviceNetworkEvents | Populated by the Microsoft Defender XDR data connector (advanced hunting tables); ensure it is enabled and that endpoints are onboarded to Defender for Endpoint. |
The exclusion scenarios below describe legitimate use of software that also carries the name VShell and is unrelated to the C2 infrastructure above. They use generic field names (process.name, event.type, source_ip) rather than the CommonSecurityLog or DeviceNetworkEvents columns used in the hunts; map them to the equivalent columns (for example InitiatingProcessFileName and RemoteIP in DeviceNetworkEvents) before applying them. Note that the IOC queries above key on remote IP address only and never on a process name, so these exclusions are only meaningful if the hunt is extended with process telemetry, and an exclusion must never suppress a connection to one of the 16 listed ip:port pairs.

Scenario: Scheduled System Backup Using VShell
Description: A legitimate scheduled backup job uses VShell to transfer data to a secure offsite location.
Filter/Exclusion: process.name != "vshell" OR (process.name == "vshell" AND event.type == "file_transfer" AND destination_ip IN (list_of_backup_servers))

Scenario: Admin Task to Transfer Configuration Files
Description: An administrator uses VShell to securely transfer configuration files between servers during routine maintenance.
Filter/Exclusion: process.name == "vshell" AND event.type == "file_transfer" AND source_ip IN (list_of_admin_servers) AND destination_ip IN (list_of_config_servers)

Scenario: Log File Transfer for Monitoring Purposes
Description: A log aggregation tool uses VShell to transfer logs from multiple servers to a centralized logging server.
Filter/Exclusion: process.name == "vshell" AND event.type == "file_transfer" AND file_name LIKE "%.log" AND destination_ip IN (central_log_servers)

Scenario: Secure File Sync Between Development Environments
Description: Developers use VShell to synchronize code between development and staging environments.
Filter/Exclusion: process.name == "vshell" AND event.type == "file_transfer" AND source_ip IN (dev_servers) AND destination_ip IN (staging_servers)

Scenario: Internal Network Monitoring Tool Using VShell
Description: A network monitoring tool uses VShell to fetch metrics or logs from monitored hosts.
Filter/Exclusion: process.name == "vshell" AND event.type == "file_transfer" AND source_ip IN (monitoring_servers) AND destination_ip IN (monitored_hosts)

Each list referenced in the exclusions (backup, admin, config, log, dev, staging and monitoring servers) should be a maintained allowlist of internal addresses; keep the lists narrow, because an exclusion written against a broad range is an easy place for C2 traffic to hide.