
Although it was originally marketed as a legitimate remote management platform, Vshell offers powerful post-compromise capabilities, including network pivoting and proxying.
Public project materials and real-world investigations show that it is now being used in unauthorized intrusions.
At its core, Vshell functions as a full command-and-control (C2) framework for managing Windows and Linux systems.
It follows a similar architecture to Cobalt Strike, with a centralized controller (often called a teamserver) that manages multiple remote clients.
The tool allows operators to execute commands, transfer files, tunnel traffic, and move laterally inside compromised networks.
Early versions of Vshell, first released in 2021, described the project as a remote access tool (RAT). Later versions rebranded it as an easier alternative to commercial red-team frameworks.
In fact, one release tagline openly suggested users try Vshell if they found Cobalt Strike difficult to use.
The tool is especially common in Chinese-speaking offensive security communities, where it is used by researchers, red teams, and increasingly, cybercriminal groups.
Since 2022, Vshell has rebased parts of its code on the open-source proxy tool NPS, expanding its tunneling and network pivoting features.
Development has evolved through several versions, with v4 introducing licensing changes, interface redesigns, and additional communication protocols. Public releases reportedly ended in 2024, suggesting possible private development.
Vshell has been linked to several real-world campaigns in 2025, including Operation DRAGONCLONE and the SNOWLIGHT campaign attributed to UNC5174. Security firm Trellix also reported a phishing campaign that delivers fileless Vshell infections.
Technical Capabilities and Exposure Trends
Vshell supports multiple “listeners,” which are services that accept inbound connections from infected hosts. These listeners default to port 8084 (TCP for the plain TCP and WebSocket listeners, UDP for KCP), but the platform supports a wide range of protocols.
Options include TCP, KCP/UDP, WebSocket, DNS, DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and even object storage services such as Amazon S3. This flexibility allows attackers to blend malicious traffic with legitimate network activity.
Internet scanning data from Censys shows that exposed Vshell panels periodically appear online, sometimes revealing hundreds of connected clients.
In one recovered example, a panel displayed 286 attached agents, each capable of acting as a relay for lateral movement or proxy traffic.
| Listener Type | Default Address | Purpose |
|---|---|---|
| TCP | 0.0.0.0:8084 | Basic TCP comms |
| KCP/UDP | 0.0.0.0:8084 | Fast UDP over KCP |
| WebSocket | ws://0.0.0.0:8084/ws | HTTP-based C2 |
| DNS | 0.0.0.0:53 | DNS tunneling |
| DoH | 0.0.0.0:53 | DNS-over-HTTPS |
| DoT | 0.0.0.0:53 | DNS-over-TLS |
| OSS | S3 bucket URL | C2 via object storage |
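Turning the default listener table into a hunt, as an added example that is not part of the article or of Vshell itself: the script below flags flows to port 8084 over TCP or UDP and WebSocket upgrades on the `/ws` path, then ranks destinations by the number of distinct internal clients talking to them, which is the shape an exposed panel with hundreds of attached agents would have in your own telemetry. The log layout is a constructed, Zeek-like whitespace-separated format and the sample records are made up; only the port and path defaults come from the table. Ports 53-based DNS, DoH and DoT listeners are deliberately not matched, because port 53 alone cannot separate tunneling from ordinary resolution.

```python
"""
Heuristic hunt for traffic matching Vshell's *default* listener settings.

Added example for this article, not Vshell's own code. The only facts it
relies on are the defaults in the listener table (TCP, KCP/UDP and WebSocket
on port 8084, WebSocket path /ws). The log format is a constructed,
Zeek-like whitespace-separated layout; adapt the parsers to your own
telemetry. Operators can change every default, so a miss proves nothing.
"""
from collections import defaultdict
from dataclasses import dataclass

DEFAULT_PORT = 8084        # default for the TCP, KCP/UDP and WebSocket listeners
DEFAULT_WS_PATH = "/ws"    # default WebSocket listener path

# Transport -> listener family, for port-8084 matches. DNS, DoH and DoT
# listeners default to port 53, which is indistinguishable from ordinary
# resolution by port alone, so they are deliberately not matched here.
LISTENER_BY_PROTO = {
    "tcp": "TCP or WebSocket listener",
    "udp": "KCP/UDP listener",
}


@dataclass(frozen=True)
class Hit:
    src: str
    dst: str
    reason: str
    confidence: str  # "high" or "medium"


# Constructed conn records (not real telemetry): ts src dst proto dst_port
SAMPLE_CONN = """\
# ts src dst proto dport
1700000000.10 10.0.0.5 203.0.113.7 tcp 8084
1700000000.20 10.0.0.8 203.0.113.7 udp 8084
1700000000.30 10.0.0.9 198.51.100.2 tcp 443
1700000000.40 10.0.0.9 10.0.0.53 udp 53
"""

# Constructed http records (not real telemetry): ts src dst dst_port uri upgrade_header
SAMPLE_HTTP = """\
# ts src dst dport uri upgrade
1700000000.50 10.0.0.11 203.0.113.7 8084 /ws websocket
1700000000.60 10.0.0.12 198.51.100.9 443 /ws websocket
1700000000.70 10.0.0.12 198.51.100.9 80 /index.html -
"""


def _records(text):
    """Yield whitespace-split fields, skipping comment and blank lines."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.split()


def hunt_conn(text):
    """Flag flows to port 8084 over a transport Vshell listens on by default."""
    hits = []
    for _ts, src, dst, proto, dport in _records(text):
        family = LISTENER_BY_PROTO.get(proto.lower())
        if family and int(dport) == DEFAULT_PORT:
            hits.append(Hit(src, dst, f"{family} default port {DEFAULT_PORT}/{proto}", "medium"))
    return hits


def hunt_http(text):
    """Flag WebSocket upgrades on the default /ws path; port 8084 raises confidence."""
    hits = []
    for _ts, src, dst, dport, uri, upgrade in _records(text):
        if upgrade.lower() != "websocket" or uri != DEFAULT_WS_PATH:
            continue
        on_default_port = int(dport) == DEFAULT_PORT
        reason = f"WebSocket upgrade on default path {DEFAULT_WS_PATH}"
        if on_default_port:
            reason += f" and default port {DEFAULT_PORT}"
        hits.append(Hit(src, dst, reason, "high" if on_default_port else "medium"))
    return hits


def rank_destinations(hits):
    """Count distinct internal sources per destination, most clients first.

    One external host reached by many internal sources on a listener port is
    the pattern of a controller with many attached agents.
    """
    clients = defaultdict(set)
    for h in hits:
        clients[h.dst].add(h.src)
    return sorted(((dst, len(srcs)) for dst, srcs in clients.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    all_hits = hunt_conn(SAMPLE_CONN) + hunt_http(SAMPLE_HTTP)
    for h in all_hits:
        print(f"[{h.confidence}] {h.src} -> {h.dst}: {h.reason}")
    for dst, n in rank_destinations(all_hits):
        print(f"{dst}: {n} distinct client(s)")
```

Treat every hit as a lead, not a verdict: port 8084 and `/ws` are only defaults, and a `/ws` upgrade on port 443 is common legitimate traffic, so the ranking step (many distinct clients converging on one external host) is what separates a candidate controller from noise.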
Security experts warn that Vshell reflects a broader trend: dual-use red-team frameworks are increasingly repurposed for real-world attacks.
As attackers move away from heavily monitored tools like Cobalt Strike, alternatives like Vshell are quickly filling the gap, creating new challenges for defenders worldwide.
The post Vshell Emerges As New Favorite Tool Among Cyber Threat Actors appeared first on Cyber Security News.
