New Research!. We have found an interesting campaign targeting an entity of Chinese telecom with VELETRIX implant. The implant uses anti-sandbox, shellcode obfuscation technique via IPV4 and execution via EnumCalendarInfo leading to Vshell implant.

#opendir 106.14.176.]208. Is hosting several suspicious ELF files communicating w/ the above IP on port 7744 and frp, likely to proxy traffic. RingQ, an open-source Windows shellcode generator, is also present. A week ago, Vshell was also detected on this IP on port 8082.

▪ http://148.135.120[.]162:8443/ #opendir with Go2bypass and something else 🤔. 🔸 "svchost.exe": 28e318a9ed1580a14ef9b6a71d6a0ec5031aae9d2b748b2ed70c67cfa24a85b4 (Go2bypass).🔸 "ws_linux_amd64": 6ce0e2df1698a965627bd7afa2cf58a86cdb3cc691a150b0ad0e19eaa49c0481 (VShell?).🔸

我去 我刚还在看vshell更新的咋回事

#threatreport #LowCompleteness.Hunting China-Nexus Threat Actor | 13-07-2025.Source: Key details below ↓. 🧑‍💻Actors/Campaigns:.Earth_alux.Dragonclone. 💀Threats:.Cobalt_strike_tool, Vshell, Supershell, Havoc, Sliver_c2_tool, Brc4_tool, .🏭Industry: Telco,

A Chinese-speaking threat actor quietly breached U.S. local gov systems via a critical flaw in Cityworks. They didn’t just break in , they stayed- deploying Cobalt Strike & VShell via Rust-based TetraLoader.

⚠️ A Chinese-speaking threat actor quietly breached U.S. local gov systems via a critical flaw in Cityworks. They didn’t just break in—they stayed—deploying Cobalt Strike & VShell via Rust-based TetraLoader. Full report →

VShell⚙️.▶️These variants are initialized by requesting a payload in a similar way.⏫Sending the OS version as the first client packet, the C2 address as the second packet .⏬Receiving the XOR encrypted payload with 0x99 byte.🔃Further in the communication protocols with C2 there

👹 Vshell web panel . IP : 114.132.226[.]247 .AS 45090( Shenzhen Tencent Computer Systems Company Limited ). Low detection on @virustotal . more Vshell panels detected by #C2Watcher on

welp expect an influx of VShell samples

#threatreport #MediumCompleteness.UAT-6382 exploits Cityworks zero-day vulnerability to deliver malware | 22-05-2025.Source: Key details below ↓. 🧑‍💻Actors/Campaigns:.Uat-6382. 💀Threats:.Antsword, Chinachopper, Cobalt_strike_tool, Vshell, Tetraloader,

JPCERT/CC details a sophisticated, ongoing malware campaign exploiting Ivanti Connect Secure (CVE-2025-0282, -22457) using MDifyLoader, Cobalt Strike, vshell, and Fscan for stealthy persistent access. #IvantiHack #Cybersecurity #MalwareCampaign #APTAttack.

UNC5174, a Chinese-linked threat group, has upgraded its toolkit with open-source tools SNOWLIGHT and VShell, expanding C2 infrastructure. Recent analysis reveals 25 IoCs, including domains and IPs globally active in attacks. #UNC5174 #China.

#threatreport #HighCompleteness.Operation DRAGONCLONE: Chinese Telecommunication industry targeted via VELETRIX & VShell malware | 06-06-2025.Source: Key details below ↓. 🧑‍💻Actors/Campaigns:.Dragonclone.Unc5174.Earth_lamia. 💀Threats:.Veletrix, Vshell,

🚨 #C2 #Malware alert! #Vshell detected:. hxxp://38[.]207[.]178[.]156:8082/login/index . cc:@abuse_Ch . #CyberSecurity #Infosec #ThreatAlert #C2 #Malware

0 detection.Cloudflare Security Authenticator.dmg.c5686b85efb3ebf2ce07dba4192195c3dac7c335a371b7bcfbf52d5fb15cb507.#vshell

中国語圏ハッカー のUAT-6382が、現在パッチが適用されているTrimble Cityworksのゼロデイ脆弱性を悪用し米国各地の複数の地方自治体に侵入した❗️. UAT-6382 は Cobalt Strike ビーコンと VSHell マルウェアおよび中国語で書かれた Web シェルとカスタムツールを使用した. 彼らは米国解体を目指してる

FROM SNOWLIGHT TO VSHELL: CHINESE HACKERS EVOLVE THEIR DNS ARSENAL.—.UNC5174, a Chinese state-linked group, has shifted tactics, adopting VShell for stealthier DNS-based attacks, expanding its infrastructure and indicators of compromise across borders. Learn more:

今日決着が着きます.カナトの企画 ＶＳHell.みんなきてねヘ(°◇、°)ノ