The ThreatFox: VShell IOCs rule detects potential adversary activity associated with the VShell malware, a remote access tool known for its persistence and lateral movement capabilities. All five indicators are ip:port pairs tagged botnet_cc, so a hit means a host is talking to (or being contacted by) a known VShell command-and-control server. SOC teams should proactively hunt for these IOCs in Microsoft Sentinel (formerly Azure Sentinel) to identify and contain compromised systems before they are used to reach further into the environment.
IOC Summary
Malware Family: VShell
Total IOCs: 5
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 114[.]132[.]227[.]144:8084 | botnet_cc | 2026-06-12 | 100% |
| ip:port | 134[.]175[.]250[.]157:18088 | botnet_cc | 2026-06-12 | 100% |
| ip:port | 8[.]163[.]59[.]20:9999 | botnet_cc | 2026-06-12 | 100% |
| ip:port | 118[.]107[.]219[.]184:8880 | botnet_cc | 2026-06-12 | 100% |
| ip:port | 223[.]72[.]204[.]47:8084 | botnet_cc | 2026-06-12 | 100% |
```kusto
// Hunt for network connections to known VShell C2 IPs, in either direction
// Source: ThreatFox - VShell (IOC type is ip:port; the port is kept in the output
// so an exact ip:port hit can be told apart from traffic to the same host on another port)
let malicious_ips = dynamic(["8.163.59.20", "118.107.219.184", "114.132.227.144", "134.175.250.157", "223.72.204.47"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
// The initiating process, command line and account are projected so a hit can be
// triaged against the exclusion scenarios below without a second query
let malicious_ips = dynamic(["8.163.59.20", "118.107.219.184", "114.132.227.144", "134.175.250.157", "223.72.204.47"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, LocalIP, RemoteIP, RemotePort, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
False Positive Scenarios
Each scenario below is legitimate outbound transfer or fetch activity that can resemble C2 traffic once a hunt is widened beyond these exact IOCs. Tune by destination (allow-listed hosts and ranges), not by user or process name alone: a match on one of the five botnet_cc addresses above should not be suppressed because the initiating process ran as root, under cron, or under a familiar binary name, since that is exactly how a backdoor blends in.

- Scenario: System backup process using rsync or tar that transfers files to a remote server
  Filter/Exclusion: Exclude traffic to known backup servers or IP ranges used by the organization's backup infrastructure.
- Scenario: Scheduled job using cron or systemd to perform log rotation or file archiving
  Filter/Exclusion: Exclude the specific cron or systemd units that run log management tools such as logrotate, rather than everything initiated by the root user.
- Scenario: Admin task involving file transfer via scp or sftp for software updates or configuration synchronization
  Filter/Exclusion: Exclude connections to internal file transfer servers or IPs within the organization's internal network.
- Scenario: Use of wget or curl by a legitimate monitoring tool (e.g., Nagios, Zabbix) to fetch external configuration files
  Filter/Exclusion: Exclude traffic to known internal or external configuration management servers, or processes initiated by monitoring agents.
- Scenario: Internal tool for database backups or data synchronization using mysqldump or pg_dump
  Filter/Exclusion: Exclude processes that match known internal backup tools or use specific command-line arguments associated with backup operations.
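The following is an added example, not part of the ThreatFox feed or the Sentinel rule. It shows the same hunt as the two KQL queries above, run offline over constructed log records, with two things the queries leave to the analyst: matching on the full ip:port pair rather than the IP alone, and applying the destination-based exclusions from the scenarios above in a way that can never hide a hit on a known C2 address. The allow-listed range 10.20.0.0/16, the process names and every log line are constructed for illustration; only the five IOCs come from the table.

```python
"""Port-aware hunt for the VShell ip:port IOCs over constructed log records.

Added example, not part of the ThreatFox feed or the Sentinel rule. The allow-listed
range, the process names and every log line below are constructed; only the five
IOCs come from the table above.
"""
from __future__ import annotations

import re
from ipaddress import ip_address, ip_network

# The five IOCs exactly as published (defanged with "[.]").
DEFANGED_IOCS = [
    "114[.]132[.]227[.]144:8084",
    "134[.]175[.]250[.]157:18088",
    "8[.]163[.]59[.]20:9999",
    "118[.]107[.]219[.]184:8880",
    "223[.]72[.]204[.]47:8084",
]

# Hypothetical allow-list for the organisation's own backup and file-transfer servers
# (the rsync/scp/sftp scenarios). Keyed on destination, not user or process name.
ALLOWED_DESTINATIONS = [ip_network("10.20.0.0/16")]


def refang(ioc: str) -> tuple[str, int]:
    """Turn '1[.]2[.]3[.]4:8084' into ('1.2.3.4', 8084), validating both parts."""
    host, sep, port = ioc.replace("[.]", ".").rpartition(":")
    if not sep:
        raise ValueError(f"no port in {ioc!r}")
    ip = str(ip_address(host))  # raises ValueError on a malformed address
    port_num = int(port)
    if not 0 < port_num < 65536:
        raise ValueError(f"bad port in {ioc!r}")
    return ip, port_num


def load_iocs(defanged: list[str]) -> dict[str, set[int]]:
    """Group the feed into {ip: {ports}}; one C2 host may expose several listeners."""
    iocs: dict[str, set[int]] = {}
    for entry in defanged:
        ip, port = refang(entry)
        iocs.setdefault(ip, set()).add(port)
    return iocs


def allowlist_conflicts(iocs: dict[str, set[int]], allowed) -> list[str]:
    """IOC IPs inside an allow-listed range. Must be empty; re-run when either list changes."""
    return sorted(ip for ip in iocs if any(ip_address(ip) in net for net in allowed))


# Constructed firewall lines in a flat key=value layout (stand-in for CommonSecurityLog).
SAMPLE_LOGS = """\
ts=2026-06-12T08:01:10Z src=10.1.4.23 dst=114.132.227.144 dpt=8084 act=allow proc=vshell
ts=2026-06-12T08:02:44Z src=10.1.4.23 dst=114.132.227.144 dpt=443 act=allow proc=curl
ts=2026-06-12T08:03:01Z src=10.1.7.9 dst=10.20.5.5 dpt=22 act=allow proc=rsync
ts=2026-06-12T08:04:15Z src=10.1.7.9 dst=8.163.59.20 dpt=9999 act=deny proc=unknown
ts=2026-06-12T08:05:30Z src=10.1.9.2 dst=203.0.113.10 dpt=80 act=allow proc=wget
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+) act=(?P<act>\S+) proc=(?P<proc>\S+)"
)


def parse_line(line: str) -> dict | None:
    m = LINE_RE.fullmatch(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["dpt"] = int(event["dpt"])
    return event


def classify(event: dict, iocs: dict[str, set[int]], allowed) -> str | None:
    """Verdict for one event. IOC checks run before the allow-list on purpose:
    an exclusion must never suppress a match on a known C2 address.
      c2_match  remote IP and destination port both match the feed (IOC type is ip:port)
      ip_match  IOC IP on another port, or inbound from an IOC IP; still worth a look
      excluded  destination is known backup/transfer infrastructure
      None      nothing notable
    """
    dst, src = event["dst"], event["src"]
    if dst in iocs:
        return "c2_match" if event["dpt"] in iocs[dst] else "ip_match"
    if src in iocs:  # inbound from a C2 host; no listener port to compare
        return "ip_match"
    if any(ip_address(dst) in net for net in allowed):
        return "excluded"
    return None


def hunt(log_text: str, defanged=DEFANGED_IOCS, allowed=ALLOWED_DESTINATIONS) -> list[tuple]:
    """(timestamp, dst, dport, process, verdict) for every non-null verdict.
    Denied connections are kept: a blocked C2 attempt still means an infected host."""
    iocs = load_iocs(defanged)
    results = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        verdict = classify(event, iocs, allowed)
        if verdict:
            results.append((event["ts"], event["dst"], event["dpt"], event["proc"], verdict))
    return results


if __name__ == "__main__":
    for row in hunt(SAMPLE_LOGS):
        print(*row)
```

On the sample input the first and fourth lines come back as c2_match (the fourth despite being denied at the firewall), the second line as ip_match because the same C2 host was reached on port 443, the rsync transfer to the allow-listed range as excluded, and the wget fetch is not reported. The allowlist_conflicts check is the part worth wiring into whatever process maintains the exclusions: if a feed address ever lands inside an allow-listed range, the exclusion is wrong, not the feed.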