
Threat Actor Characterization

VShell

ID: e2e1fcdd390249b8977a82bb5c948b8684635
Crimeware RAT Trojan
Threat types: Malware, Tooling, Post-Exploitation
Unknown
Updated: 2026-03-03
Created: 2026-02-23
Aliases: no aliases registered.
MITRE ATT&CK®

VShell is a malware/tooling cluster referenced in public reporting as both a post-exploitation remote control framework and a Linux-focused fileless backdoor chain. It is primarily relevant as an intrusion enabler (access, control, tunneling) observed in China-nexus activity and exploitation-driven compromises.

Technique, technique name, tactic, and dated evidence from public reporting:

T1190 Exploit Public-Facing Application (TA0001 Initial Access)
  • 2026-02-19 — Public reporting describes active exploitation of BeyondTrust Remote Support / Privileged Remote Access leading to deployment of post-exploitation tooling, including VShell.
T1505.003 Web Shell (TA0003 Persistence)
  • 2026-02-19 — Post-exploitation activity includes deployment of web shells as part of the compromise workflow on the exploited platform.
T1566.001 Spearphishing Attachment (TA0001 Initial Access)
  • 2025-08-21 — A Linux infection chain is described that begins with a phishing email delivering a malicious RAR archive, with execution enabled by payloads embedded in filenames.
T1059.004 Unix Shell (TA0002 Execution)
  • 2025-08-21 — The delivery chain executes Bash via command injection: a base64-decoded Bash payload is triggered through common shell scripting patterns.
T1027 Obfuscated Files or Information (TA0005 Defense Evasion)
  • 2025-08-21 — For the Linux chain, obfuscation is described as base64-encoded Bash payloads and encoded command content embedded in filenames.
  • 2025-09-05 — Detection guidance focuses on identifying base64-encoded Bash commands embedded in attachment filenames as a fileless execution trigger.
T1036 Masquerading (TA0005 Defense Evasion)
  • 2025-08-21 — Masquerading is described where userland malware presents with kernel-worker-like process names to reduce suspicion.
T1105 Ingress Tool Transfer (TA0011 Command and Control)
  • 2025-04-15 — Campaign analysis describes downloader behavior that retrieves multiple executables and stages follow-on tooling for persistence and control.
T1071.001 Web Protocols (TA0011 Command and Control)
  • 2025-04-15 — Reported infrastructure and tooling use web protocols for command-and-control and payload delivery in VShell-associated campaigns.
T1090 Proxy (TA0011 Command and Control)
  • 2025-04-15 — INFERENCE (confidence: medium): Reporting discusses tunneling/forwarding components used alongside VShell/SNOWLIGHT, consistent with proxying traffic through compromised hosts.
T1583.001 Domains (TA0042 Resource Development)
  • 2025-07-19 — Infrastructure analysis expands IOC sets using DNS-connected artifacts, indicating adversary use of multiple domains/subdomains across campaigns.
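The T1027 and T1059.004 detection guidance above reduces to one triage question: does an attachment filename carry shell syntax, or a base64 run that decodes to a shell command? The following Python script is an added example, not code from this profile or from any cited vendor report; the sample filenames are constructed and the encoded command is a harmless echo.

```python
import base64
import re
import string

# Runs of base64 alphabet long enough to carry a command (>= 16 chars, optional padding).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Shell metacharacters that have no business in a legitimate attachment name.
SHELL_META = re.compile(r"\$\(|`|\||;|&&|\$\{")
# Words that mark decoded text as a shell command rather than an opaque identifier.
SHELL_WORDS = re.compile(r"\b(bash|sh|curl|wget|chmod|eval|exec|nohup|base64|python|perl)\b")
PRINTABLE = set(string.printable)

def decode_if_text(token):
    """Return the decoded text if token is valid base64 for printable ASCII, else None."""
    padded = token + "=" * (-len(token) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if text and set(text) <= PRINTABLE else None

def analyse_filename(name):
    """Return the list of detection reasons for one attachment filename (empty = clean)."""
    reasons = []
    if SHELL_META.search(name):
        reasons.append("shell metacharacters in filename")
    for match in B64_TOKEN.finditer(name):
        text = decode_if_text(match.group(0))
        if text and SHELL_WORDS.search(text):
            reasons.append(f"base64 token decodes to shell command: {text!r}")
    return reasons

def scan(names):
    """Map each flagged filename to its reasons; clean names are omitted."""
    return {n: r for n in names if (r := analyse_filename(n))}

# Constructed sample filenames (not from any report); the encoded command is a harmless echo.
SUSPICIOUS_B64 = "invoice_" + base64.b64encode(b"echo test | bash").decode() + ".pdf"
SUSPICIOUS_META = "statement$(uptime).pdf"
BENIGN_B64 = "ticket_" + base64.b64encode(b"Hello World 2025").decode() + ".txt"  # base64, not a command
SAMPLE_NAMES = ["Q3_report_2025.pdf", "IMG_20250821_123456.jpg", BENIGN_B64, SUSPICIOUS_B64, SUSPICIOUS_META]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_NAMES).items():
        print(name, "->", "; ".join(reasons))
```

The benign base64 sample shows why decoding alone is not enough: a ticket or tracking ID may be valid base64, so the decoded text must also look like a command before the name is flagged.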
Strategic Intelligence
Last updated: 2026-02-23T20:26:32+00:00

VShell - Malware/Tooling (TLP:WHITE)

Executive Summary

VShell is referenced in public reporting as (at least) two overlapping things: (1) a China-nexus post-exploitation framework / remote control tooling referred to as “VShell”, and (2) a Go-based Linux backdoor delivered via a filename-weaponized RAR infection chain (often discussed alongside SNOWLIGHT). Public sources also use “vshell” loosely for generic web shells, which creates attribution and detection confusion.

This dossier treats VShell as a malware/tooling cluster with two sub-clusters: VShell (post-exploitation framework) and VShell (Linux fileless backdoor). Where a claim is tied to a specific reporting thread, it is explicitly scoped and cross-referenced by OSINT ID in the OSINT Library.

IOC Appendix
Last updated: 2026-02-23T19:43:03+00:00
OSINT Library
Last saved: 2026-02-23T20:17:09+00:00

2026-02-19 — Palo Alto Networks Unit 42 — “VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)”