VShell
VShell is a remote access trojan/backdoor, commonly described as a Go-based implant, used primarily by Chinese or China-nexus threat actors for post-exploitation access on compromised systems, especially Linux servers. Reported capabilities include remote access, reverse shell functionality, file operations, process management, lateral movement support, and TCP/UDP port forwarding or tunneling. Multiple reports describe encrypted or obfuscated command-and-control communications, including custom XOR-based mechanisms.
Observed delivery and execution chains show VShell being staged by loaders such as SNOWLIGHT/SNOWRUST and architecture-specific ELF loaders. In Linux-focused campaigns, attackers used Bash downloaders to fetch loaders that contacted hardcoded C2 infrastructure, received XOR-encrypted payloads, decrypted them in memory, and executed the final VShell payload via memfd_create or fexecve while masquerading as kernel worker processes such as [kworker/0:2]. One Trellix-documented infection chain used a weaponized RAR archive with a malicious filename that triggered Bash execution through unsafe shell handling, followed by Base64 decoding, architecture-aware payload delivery, and fileless in-memory execution. BI.ZONE also documented React2Shell exploitation campaigns in which a script from 107.173.89[.]153:60051 downloaded VShell loaders that decrypted the Go-based backdoor with XOR key 0x99 and executed it from memory; the embedded configuration used server 107.173.89[.]153:60051 with vkey and salt qwe123qwe111.
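The loaders described above pull an XOR-obfuscated blob from C2 and decode it in memory before running it. The following triage helper is an added example, not code from any vendor report or from the malware: it recovers a single-byte XOR key from the expected ELF magic rather than assuming the 0x99 value named in the reporting, so it also handles a variant that rotates the key, and then summarises the decoded header so an analyst can confirm the architecture the loader selected. The sample blob is constructed (a minimal 64-byte ELF64 x86-64 header XOR-encoded with 0x99); the `E_MACHINE` and `E_TYPE` tables are ELF specification constants.

```python
"""Triage helper for the XOR-obfuscated ELF payloads that VShell loaders
fetch from C2 and decrypt in memory.

Added example, not code from any vendor report or from the malware. The
key is derived from the ELF magic and verified, so a changed key is still
recovered. SAMPLE_BLOB is constructed, not a real sample.
"""
import struct
from typing import Optional

ELF_MAGIC = b"\x7fELF"
# Values from the ELF specification, not from any report.
E_MACHINE = {0x03: "x86", 0x08: "mips", 0x28: "arm", 0x3E: "x86-64", 0xB7: "aarch64"}
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN"}


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def recover_key(blob: bytes) -> Optional[int]:
    """A single-byte key is fixed by the first plaintext byte; confirm it
    against the remaining magic bytes so random data is not a false hit."""
    if len(blob) < 4:
        return None
    key = blob[0] ^ ELF_MAGIC[0]
    return key if xor_bytes(blob[:4], key) == ELF_MAGIC else None


def describe_elf(data: bytes) -> Optional[dict]:
    """Parse the header fields an analyst wants first: class, byte order,
    object type and target machine."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    bits = 64 if data[4] == 2 else 32
    endian = "<" if data[5] == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "bits": bits,
        "endian": "little" if endian == "<" else "big",
        "type": E_TYPE.get(e_type, hex(e_type)),
        "machine": E_MACHINE.get(e_machine, hex(e_machine)),
    }


def triage(blob: bytes) -> Optional[dict]:
    """Return the recovered key plus a header summary, or None when the blob
    is not a single-byte-XOR'd ELF. A plain ELF is reported with key 0."""
    key = recover_key(blob)
    if key is None:
        return None
    info = describe_elf(xor_bytes(blob[:64], key))
    return {"key": key, **info} if info else None


# Constructed sample: ELF64, little-endian, ET_EXEC, x86-64, XOR-encoded 0x99.
_IDENT = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\0" * 7
_HEADER = _IDENT + struct.pack(
    "<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401000, 64, 0, 0, 64, 56, 1, 0, 0, 0
)
SAMPLE_BLOB = xor_bytes(_HEADER, 0x99)

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    print(triage(blob))
```

Run it with a captured blob as the first argument, or with no argument to see the constructed sample decode to `{'key': 153, 'bits': 64, 'endian': 'little', 'type': 'EXEC', 'machine': 'x86-64'}`. Checking all four magic bytes matters: a single-byte key is fixed by the first byte alone, so without the verification step any arbitrary data would appear to "decode".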
VShell has been observed in exploitation of internet-facing vulnerabilities and in broader intrusion operations. Reporting ties it to campaigns exploiting CVE-2025-55182 (React2Shell), where Microsoft and BI.ZONE observed payloads including VShell on compromised Linux and Windows environments. Palo Alto Networks Unit 42 reported attackers exploiting CVE-2026-1731 in BeyondTrust Remote Support to deploy vShell and SparkRAT, alongside reconnaissance, remote management tooling, tunneling tools, and in some cases data theft. UNC5174 was reported exploiting vulnerable SAP NetWeaver systems to deploy SNOWLIGHT, VShell, and the Goreverse SSH backdoor.
Public reporting consistently links VShell to Chinese/China-nexus activity. It is described as widely adopted by Chinese hacking groups and is specifically associated with UNC5174, UAT-8302, Earth Lamia, Jackpot Panda, and other China-aligned clusters. Cisco Talos reported UAT-8302 deploying VShell alongside NetDraft and CloudSorcerer against government entities in South America and southeastern Europe. Trend Micro listed VShell among related families in SHADOW-EARTH-053 reporting. Some reporting also noted Greek government warnings that referenced VShell in the context of suspicious activity tied to the Iran war, but that reporting does not attribute VShell itself to Iranian actors.
Reported targeting covers government, defense, technology, transportation, and critical infrastructure organizations in South Asia, Southeast Asia, East Asia, South America, and southeastern Europe, and in some reporting Western organizations. Indicators named directly in the reporting include C2/download infrastructure 107.173.89[.]153:60051 and 47.98.194.60; XOR key 0x99 used by multiple loaders; anti-reinfection marker /tmp/log_de.log; dropped path /tmp/db946be9tcp; Trellix-listed SHA-256 73000ab2f68ecf2764af133d1b7b9f0312d5885a75bf4b7e51cd7b906b36e2d4 for a final VShell backdoor; and VELETRIX-linked infrastructure including 62.234.24.38:9999, with related samples using 121.37.80.227 and 156.238.236.130. Separate reporting on a crypto-focused intrusion also observed a VShell server on port 8082, identified as version 4.9.3.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
7 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The vulnerability, tracked as CVE-2026-1731, is an operating system command injection flaw that also impacts some older versions of BeyondTrust Privileged Remote Access. The flaw allows an attacker to execute arbitrary commands on a server without the need for credentials or any user interaction. | A critical vulnerability in BeyondTrust Remote Support is facing an increase in threat activity, with hackers deploying SparkRAT and vShell backdoors and using remote management tools to conduct reconnaissance...
The attackers downloaded the Bash script from hxxp://107.173.89[.]153:60051/slt ... These functionally identical executables serve as loaders for the VShell backdoor. | The threat actors leveraged the CVE-2025-55182 (React2Shell) vulnerability... React2Shell is a vulnerability in the Flight protocol, which facilitates client-server communication for React Server Components. The vulnerability stems from insecure deserialization... Under certain conditions, this can enable an attacker to execute arbitrary code on the server.
SNOWLIGHT: A generic stager for the VSHELL malware family, used by UAT-8302. Also used by UAT-6382, who exploited a Cityworks zero-day (CVE-2025-0994) to deploy VSHELL. | In other instances, UAT-8302 deploys the VSHELL malware... The payload is a stager for the VSHELL malware... UNC5174 has been observed using SNOWLIGHT to download Sliver and VSHELL.
UNC5174 exploited vulnerable NetWeaver systems to deploy the Snowlight downloader, the VShell remote access trojan, and the SSH backdoor Goreverse.
Forensic analysis identified a vulnerable Jenkins server (CVE-2024-23897) exposed on the internet as the source of the compromise. The latter served as the initial access for the threat actor...
successfully exploited CVE-2025-0944
Groups observed using it
12 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The group deploys NetDraft, a .NET-based backdoor linked to the FinDraft and SquidDoor family, alongside an updated version of the CloudSorcerer backdoor and the VSHELL implant.
SNOWLIGHT, a VShell stager... The attack chains culminate in the deployment of NetDraft, CloudSorcerer (version 3.0), and VShell.
VELETRIX carries a VShell shellcode which is an Offensive Security Tool, like Meterpreter, Cobalt Strike among others, which means that, when executed, it will communicate with the Command and Control server.
China-nexus groups (i.e., Earth Lamia, Jackpot Panda, UNC5174) deploying Cobalt Strike beacons, Sliver, and Vshell backdoors
After gaining access, the operators deployed SnakeC2, NEOBEACON (which abuses OneDrive and the Microsoft Graph API for C2), Cobalt Strike, VShell, and SoftEther VPN.
"CVE-2026-1731 (BeyondTrust) is associated with HAFNIUM and linked to Lumma Stealer, SparkRAT, and VShell malware deployments."
Among the tools put to use by the threat actor are command-and-control (C2) frameworks... VShell
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
A critical vulnerability in BeyondTrust Remote Support is facing an increase in threat activity ... Multiple BeyondTrust Remote Support users have been confirmed targets ... The flaw allows an attacker to execute arbitrary commands on a server without the need for credentials or any user interaction.
"Typically, VShell is distributed through phishing campaigns..."
The attack begins with a spam email disguised as a beauty product survey invitation... Crucially, the email includes a .rar archive attachment (yy.rar)...
Execution
5 techniques
UAT-8302 has also been observed using a Rust-based variant of SNOWLIGHT called SNOWRUST to download the VShell payload from a remote server and execute it.
Stage 1: Script triggers execution through Bash script interaction (e.g., for f in * ) leads to auto-execution of the embedded Base64 downloader. The filename evaluates to a Base64-decoded command piped to bash.
VELETRIX’s main function is to start the dynamic API loading routine with LoadLibraryA and GetProcAddress... The first action to be performed is to collect the kernel32.dll DLL by accessing the memory structures through the PEB.
The threat actors leveraged the CVE-2025-55182 (React2Shell) vulnerability... Under certain conditions, this can enable an attacker to execute arbitrary code on the server.
Once extracted, the archive contains a file with a specially crafted filename, which silently triggers malicious behavior during directory enumeration or scripting.
Persistence
1 technique
Privilege Escalation
2 techniques
The decrypted shellcode is then injected into a combination of specified benign processes... If the process is named “mspaint.exe”, “browser”, or anything else, it will proceed to inject itself into dpapimg.exe, spoolsv.exe, etc.
Stealth
6 techniques
The payload isn’t hidden inside the file content or a macro, it's encoded directly in the filename itself... The XOR key used is 0x99, a simple but effective method for evading static inspection.
The decrypted payload (VShell) is executed directly from memory using fexecve()... It is renamed in memory to look like a legitimate Linux kernel thread: [kworker/0:2].
The decrypted shellcode is then injected into a combination of specified benign processes... If the process is named “mspaint.exe”, “browser”, or anything else, it will proceed to inject itself into dpapimg.exe, spoolsv.exe, etc.
The loader decrypts this payload using a XOR operation with the key 0x99 ... kxnzl4mtez.js decrypted the 1d5j6rm2mg2d file using AES-256-CBC ... configuration data is decrypted using the AES-128-CBC algorithm
UAT-8302 used VSHELL to deploy a native driver from the Hades HIDS/HIPS software ... This allows the driver to monitor the system and potentially allow, block, or hide events and artifacts.
The loader decrypts this payload using a XOR operation with the key 0x99. The decrypted payload is then executed from an anonymous file descriptor created with memfd_create, as a [kworker/0:2] process.
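The stealth entries above describe two execution traits worth hunting for on Linux hosts: a decrypted payload run from a memfd_create() descriptor via fexecve(), and the resulting process renamed to look like the kernel thread [kworker/0:2]. The scanner below is an added example, not code from any of the quoted reports. It relies on three properties of genuine kernel threads (they are children of kthreadd, PID 2; /proc/<pid>/exe has no target; /proc/<pid>/cmdline is empty) and on the fact that a memfd-backed executable shows an exe link of the form `/memfd:<name> (deleted)`. The `Proc` record, the `KERNEL_NAME` pattern and the `SAMPLES` list are constructed for the example; `collect_live()` reads the real process table.

```python
"""Hunt for user-space processes posing as kernel threads and for binaries
executed from memfd_create() descriptors.

Added example, not code from any vendor report. Genuine Linux kernel
threads are children of kthreadd (PID 2), have no /proc/<pid>/exe target
and an empty /proc/<pid>/cmdline; a user process renamed via
prctl(PR_SET_NAME) or argv[0] breaks at least one of these. SAMPLES is a
constructed process table, not captured data.
"""
import os
import re
from dataclasses import dataclass
from typing import Optional

KTHREADD_PID = 2
# Kernel thread name prefixes a loader would copy; the optional '[' covers
# processes that put the bracketed ps-style name into argv[0].
KERNEL_NAME = re.compile(r"^\[?(kworker|kthreadd|ksoftirqd|migration|kswapd|rcu_)")


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str              # /proc/<pid>/comm, at most 15 characters
    exe: Optional[str]     # readlink(/proc/<pid>/exe), None when it has none
    cmdline: bytes         # raw /proc/<pid>/cmdline, NUL-separated


def suspicious(p: Proc) -> list:
    """Return every way this record contradicts what the process claims."""
    reasons = []
    argv0 = p.cmdline.split(b"\0", 1)[0].decode(errors="replace")
    claims_kernel = bool(KERNEL_NAME.match(p.comm) or KERNEL_NAME.match(argv0))
    if claims_kernel and p.pid != KTHREADD_PID:
        if p.ppid != KTHREADD_PID:
            reasons.append(f"kernel-thread name but parent is {p.ppid}, not kthreadd")
        if p.exe is not None:
            reasons.append(f"kernel-thread name but backed by executable {p.exe}")
        if p.cmdline.strip(b"\0"):
            reasons.append("kernel-thread name but non-empty cmdline")
    if p.exe is not None and p.exe.startswith("/memfd:"):
        reasons.append(f"executable lives in an anonymous memfd: {p.exe}")
    return reasons


def scan(procs) -> dict:
    """Map pid -> reasons for every flagged record."""
    flagged = {}
    for p in procs:
        reasons = suspicious(p)
        if reasons:
            flagged[p.pid] = reasons
    return flagged


def collect_live() -> list:
    """Walk /proc; reading other users' exe links needs root."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/stat", "rb") as f:
                stat = f.read()
            # comm is parenthesised and may contain spaces: split on the last ')'
            close = stat.rindex(b")")
            comm = stat[stat.index(b"(") + 1:close].decode(errors="replace")
            ppid = int(stat[close + 2:].split()[1])
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read()
            try:
                exe = os.readlink(f"/proc/{pid}/exe")
            except OSError:
                exe = None  # kernel thread, or exited / not readable
        except (OSError, ValueError):
            continue  # process vanished mid-walk
        procs.append(Proc(pid, ppid, comm, exe, cmdline))
    return procs


# Constructed sample table: a real kworker, a renamed user process run from a
# memfd, a normal daemon, and a memfd-backed binary with an ordinary name.
SAMPLES = [
    Proc(37, 2, "kworker/0:2", None, b""),
    Proc(4121, 4100, "[kworker/0:2]", "/memfd:  (deleted)", b"[kworker/0:2]\0"),
    Proc(900, 1, "sshd", "/usr/sbin/sshd", b"/usr/sbin/sshd\0-D\0"),
    Proc(5000, 1, "python3", "/memfd:stage (deleted)", b"python3\0"),
]

if __name__ == "__main__":
    print("sample table:", scan(SAMPLES))
    if os.path.isdir("/proc"):
        for pid, reasons in scan(collect_live()).items():
            print(pid, *reasons, sep="\n  ")
```

The parent check is the one a renamed process cannot satisfy without a kernel-level foothold, which is why it is listed first; the memfd check is independent of the name and also catches a loader that skips the masquerade. Expect the memfd rule to fire on some legitimate runtimes (certain JIT or sandboxing tools use memfd), so pair a hit with the name and parent findings before escalating.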
Lateral Movement
1 technique
"...allowing them to control compromised systems remotely. These include executing arbitrary commands..."
Command and Control
5 techniques
It also said some of the suspicious activity was linked to Iranian IP addresses and that Greek officials assessed the hostile infrastructure as including at least two layers, suggesting a more deliberate setup than routine background scanning.
The binary sets up an HTTP GET request to the Command & Control (C2) server.
The loader connects to the server 107.173.89[.]153:60051 via a TCP socket.
Stage 2: Script detects system architecture and downloads the matching ELF loader binary... Stage 3: ELF binary connects to a hardcoded C2 and retrieves an XOR-encrypted payload.
That report said the alert referenced suspicious IP addresses, tools, and malware including the VShell remote access trojan
Exfiltration
1 technique
"It can facilitate unauthorized access, enable data exfiltration..."
IOCs tracked for this family
65 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
77 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Go-based Linux backdoor that provides reverse shell access, remote file operations, process management, port forwarding/tunneling, stealthy in-memory execution via fexecve(), process masquerading as kernel threads, encrypted/custom HTTP-based C2 communication, and multi-architecture support.
Verticals Targeted: Government, Defense, Technology, Transportation, Critical Infrastructure
Regions Targeted: South Asia, Southeast Asia, East Asia
Related Families: ShadowPad, GODZILLA, NOODLERAT, IOX, GOST, Wstunnel, RingQ, VShell
Linux malware delivered via weaponized archive filenames and unsafe shell behavior that triggers Bash execution, Base64 decoding, architecture-aware payload delivery, and in-memory execution while masquerading as legitimate kernel worker processes for stealth.
Implant/backdoor used by UAT-8302 as part of its post-compromise toolkit for maintaining access in victim environments.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.