Digital Forensics & Incident Response
NVISO analyzes VShell post-exploitation tool
By Maxime
November 5, 2025
Backdoor
Report
UNC5174

VShell, a Chinese-language intrusion tool, has increasingly been sighted over the last year, primarily used for long-term espionage activities. As part of NVISO's Threat Intelligence efforts, we have actively been tracking VShell infrastructure for months and notified affected victims worldwide with outstanding support from Team Cymru.

This report exposes how VShell works, which actors use it, and why it poses a cyber threat. With this, NVISO highlights the importance of proactive defensive measures against VShell, urging organizations to deploy network and endpoint detection strategies, strengthen vulnerability management, and enhance threat intelligence-informed detection capabilities.

We share global infrastructure tracking techniques, tools to decrypt VShell communications, and insights into attacker behaviors to strengthen threat detection and incident response capabilities.

VShell malware first appeared on NVISO’s radar during our Digital Forensics and Incident Response work across Europe. During these engagements, we traced the intrusion infrastructure and identified the command-and-control systems driving the campaigns. With support from Team Cymru, we uncovered the global scale and widespread usage of this infrastructure, with increased activity in South America, Africa and APAC regions.

Several intrusions involving VShell malware have been publicly attributed to UNC5174, a suspected initial access broker linked to China’s Ministry of State Security. This actor has been repeatedly observed exploiting public-facing systems. However, the widespread and public availability of VShell, alongside our observation of its use by multiple state-aligned and independent actors, demonstrates that VShell's deployment cannot be exclusively attributed to UNC5174.

Through this research, NVISO assesses that VShell should be considered another tool within the broader attacker ecosystem. While tooling like VShell develops and changes over the years, espionage-driven activity remains firmly seated as an important threat to both public and private organizations.

NVISO's Managed Detection & Response customers have benefited from proactive hunting within their environments, with any suspicious activity reported through the established escalation channels.


As part of its mission to protect, NVISO provides the following network signatures in an actionable format. More information about these rules can be found in our VShell report.

Network detection rules for VShell's Windows stager activity

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"[NVISO] Potential VShell beacon payload request (Windows amd64)"; flow:to_server,established; content:"w64   "; fast_pattern; offset:0; depth:6; stream_size:client,<=,45; flowbits:set,NVISO.VShell.Windows; noalert; reference:url,www.nviso.eu/blog/nviso-analyzes-vshell-post-exploitation-tool; classtype:shellcode-detect; sid:1000000; rev:1; metadata:affected_product Windows_64_Bit, attack_target Client_and_Server, created_at 2025_08_26, deployment Perimeter, malware_family VShell, signature_severity Low, confidence Low, tag VShell, tag RAT, updated_at 2025_08_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"[NVISO] Potential VShell beacon payload request (Windows i386)"; flow:to_server,established; content:"w32   "; fast_pattern; offset:0; depth:6; stream_size:client,<=,45; flowbits:set,NVISO.VShell.Windows; noalert; reference:url,www.nviso.eu/blog/nviso-analyzes-vshell-post-exploitation-tool; classtype:shellcode-detect; sid:1000001; rev:1; metadata:affected_product Windows_32_Bit, attack_target Client_and_Server, created_at 2025_08_26, deployment Perimeter, malware_family VShell, signature_severity Low, confidence Low, tag VShell, tag RAT, updated_at 2025_08_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[NVISO] VShell beacon payload response (Windows)"; flow:to_client,established; flowbits:isset,NVISO.VShell.Windows; content:"|d4 c3|";  offset:0; depth:2; content:"|b8 cd f1 f0 ea b9 e9 eb f6 fe eb f8 f4 b9 fa f8 f7 f7 f6 ed b9 fb fc b9 eb ec f7 b9 f0 f7 b9 dd d6 ca b9 f4 f6 fd fc b7|"; fast_pattern; offset:77; depth:40; flowbits:unset,NVISO.VShell.Windows; reference:url,www.nviso.eu/blog/nviso-analyzes-vshell-post-exploitation-tool; classtype:shellcode-detect; sid:1000002; rev:1; metadata:affected_product Windows_32_64_Bit, attack_target Client_and_Server, created_at 2025_08_26, deployment Perimeter, malware_family VShell, signature_severity High, confidence High, tag VShell, tag RAT, updated_at 2025_08_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer;)

Network detection rules for VShell's Linux stager activity

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"[NVISO] Potential VShell beacon payload request (Linux amd64)"; flow:to_server,established; content:"l64   "; fast_pattern; offset:0; depth:6; stream_size:client,<=,45; flowbits:set,NVISO.VShell.Linux; noalert; reference:url,www.nviso.eu/blog/nviso-analyzes-vshell-post-exploitation-tool; classtype:shellcode-detect; sid:1000003; rev:1; metadata:affected_product Linux_64_Bit, attack_target Client_and_Server, created_at 2025_08_26, deployment Perimeter, malware_family VShell, signature_severity Low, confidence Low, tag VShell, tag RAT, updated_at 2025_08_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"[NVISO] Potential VShell beacon payload request (Linux i386)"; flow:to_server,established; content:"l32   "; fast_pattern; offset:0; depth:6; stream_size:client,<=,45; flowbits:set,NVISO.VShell.Linux; noalert; reference:url,www.nviso.eu/blog/nviso-analyzes-vshell-post-exploitation-tool; classtype:shellcode-detect; sid:1000004; rev:1; metadata:affected_product Linux_32_Bit, attack_target Client_and_Server, created_at 2025_08_26, deployment Perimeter, malware_family VShell, signature_severity Low, confidence Low, tag VShell, tag RAT, updated_at 2025_08_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"[NVISO] Potential VShell beacon payload request (Linux arm64)"; flow:to_server,established; content:"a64   "; fast_pattern; offset:0; depth:6; stream_size:client,<=,45; flowbits:set,NVISO.VShell.Linux; noalert; reference:url,www.nviso.eu/blog/nviso-analyzes-vshell-post-exploitation-tool; classtype:shellcode-detect; sid:1000005; rev:1; metadata:affected_product Linux_64_Bit, attack_target Client_and_Server, created_at 2025_08_26, deployment Perimeter, malware_family VShell, signature_severity Low, confidence Low, tag VShell, tag RAT, updated_at 2025_08_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"[NVISO] Potential VShell beacon payload request (Linux arm)"; flow:to_server,established; content:"a32   "; fast_pattern; offset:0; depth:6; stream_size:client,<=,45; flowbits:set,NVISO.VShell.Linux; noalert; reference:url,www.nviso.eu/blog/nviso-analyzes-vshell-post-exploitation-tool; classtype:shellcode-detect; sid:1000006; rev:1; metadata:affected_product Linux_32_Bit, attack_target Client_and_Server, created_at 2025_08_26, deployment Perimeter, malware_family VShell, signature_severity Low, confidence Low, tag VShell, tag RAT, updated_at 2025_08_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[NVISO] VShell beacon payload response (Linux)"; flow:to_client,established; flowbits:isset,NVISO.VShell.Linux; content:"|e6 dc d5 df|"; fast_pattern; offset:0; depth:4; flowbits:unset,NVISO.VShell.Linux; reference:url,www.nviso.eu/blog/nviso-analyzes-vshell-post-exploitation-tool; classtype:shellcode-detect; sid:1000007; rev:1; metadata:affected_product Linux_32_64_Bit, attack_target Client_and_Server, created_at 2025_08_26, deployment Perimeter, malware_family VShell, signature_severity High, confidence High, tag VShell, tag RAT, updated_at 2025_08_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer;)

Network detection rules for VShell's Darwin (i.e., macOS) stager activity

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"[NVISO] Potential VShell beacon payload request (Darwin amd64)"; flow:to_server,established; content:"d64   "; fast_pattern; offset:0; depth:6; stream_size:client,<=,45; flowbits:set,NVISO.VShell.Darwin; noalert; reference:url,www.nviso.eu/blog/nviso-analyzes-vshell-post-exploitation-tool; classtype:shellcode-detect; sid:1000008; rev:1; metadata:affected_product Darwin_64_Bit, attack_target Client_and_Server, created_at 2025_08_26, deployment Perimeter, malware_family VShell, signature_severity Low, confidence Low, tag VShell, tag RAT, updated_at 2025_08_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"[NVISO] Potential VShell beacon payload request (Darwin arm64)"; flow:to_server,established; content:"m64   "; fast_pattern; offset:0; depth:6; stream_size:client,<=,45; flowbits:set,NVISO.VShell.Darwin; noalert; reference:url,www.nviso.eu/blog/nviso-analyzes-vshell-post-exploitation-tool; classtype:shellcode-detect; sid:1000009; rev:1; metadata:affected_product Darwin_64_Bit, attack_target Client_and_Server, created_at 2025_08_26, deployment Perimeter, malware_family VShell, signature_severity Low, confidence Low, tag VShell, tag RAT, updated_at 2025_08_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[NVISO] VShell beacon payload response (Darwin)"; flow:to_client,established; flowbits:isset,NVISO.VShell.Darwin; content:"|56 63 74 67|"; fast_pattern; offset:0; depth:4; flowbits:unset,NVISO.VShell.Darwin; reference:url,www.nviso.eu/blog/nviso-analyzes-vshell-post-exploitation-tool; classtype:shellcode-detect; sid:1000010; rev:1; metadata:affected_product Darwin_64_Bit, attack_target Client_and_Server, created_at 2025_08_26, deployment Perimeter, malware_family VShell, signature_severity High, confidence High, tag VShell, tag RAT, updated_at 2025_08_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer;)

Network detection rules for VShell's beaconing activity

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"[NVISO] VShell beacon client handshake"; flow:to_server,established; content:"|25 00 00 00|"; fast_pattern; offset:0; depth:4; byte_test:1,^,0x80,0x4; content:"|25 00 00 00|"; offset:0x29; depth:4; byte_test:1,^,0x80,0x2d; content:"|3c 00 00 00|"; offset:0x52; depth:4; byte_test:1,^,0x80,0x56; content:"|20 00 00 00|"; offset:0x92; depth:4; byte_test:1,^,0x80,0x96; reference:url,www.nviso.eu/blog/nviso-analyzes-vshell-post-exploitation-tool; classtype:command-and-control; sid:1000011; rev:1; metadata:attack_target Client_and_Server, created_at 2025_08_26, deployment Perimeter, malware_family VShell, signature_severity Critical, confidence Medium, tag VShell, tag RAT, updated_at 2025_08_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"[NVISO] VShell beacon server handshake"; flow:to_client,established; content:"|3c 00 00 00|"; fast_pattern; offset:0; depth:4; byte_test:1,&,0x80,0x4; content:"|20 00 00 00|"; offset:0x40; depth:4; byte_test:1,&,0x80,0x44; reference:url,www.nviso.eu/blog/nviso-analyzes-vshell-post-exploitation-tool; classtype:command-and-control; sid:1000012; rev:1; metadata:attack_target Client_and_Server, created_at 2025_08_26, deployment Perimeter, malware_family VShell, signature_severity Critical, confidence Medium, tag VShell, tag RAT, updated_at 2025_08_26, mitre_tactic_id TA0011, mitre_tactic_name Command_And_Control, mitre_technique_id T1573, mitre_technique_name Encrypted_Channel;)
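The following Python is an added example, not NVISO's code and not part of the original report. It restates the checks encoded in the stager and handshake rules above as plain byte-level logic, so that the fixed offsets in the handshake rules (0x29, 0x52, 0x92 on the client side, 0x40 on the server side) can be derived from the 4-byte little-endian length prefixes the rules match rather than read as magic numbers, and so the same checks can be run over a reassembled TCP payload outside an IDS. The sample streams are constructed. The interpretation of `byte_test` follows Suricata's documented semantics (`&` matches when the masked bit is set, `^` when the XOR result is non-zero); what that first payload byte means inside the VShell protocol is not stated on this page and is not assumed here. The function and constant names are the example's own.

```python
"""Byte-level restatement of the VShell stager and handshake rules above.
Added example; sample data is constructed, not captured VShell traffic."""

import struct

# Six-byte stager request tags from the "beacon payload request" rules:
# a three-character platform/architecture code padded with three spaces.
STAGER_TAGS = {
    b"w64   ": ("windows", "amd64"),
    b"w32   ": ("windows", "i386"),
    b"l64   ": ("linux", "amd64"),
    b"l32   ": ("linux", "i386"),
    b"a64   ": ("linux", "arm64"),
    b"a32   ": ("linux", "arm"),
    b"d64   ": ("darwin", "amd64"),
    b"m64   ": ("darwin", "arm64"),
}
MAX_STAGER_REQUEST_LEN = 45  # stream_size:client,<=,45 in the request rules

# Leading bytes of the stager response per platform, from the response rules.
RESPONSE_PREFIXES = {
    "windows": bytes.fromhex("d4c3"),
    "linux": bytes.fromhex("e6dcd5df"),
    "darwin": bytes.fromhex("56637467"),
}

# Payload sizes of the length-prefixed handshake frames, taken from the
# prefixes the rules match: 0x25 = 37, 0x3c = 60, 0x20 = 32 bytes.
CLIENT_HANDSHAKE_FRAMES = [37, 37, 60, 32]
SERVER_HANDSHAKE_FRAMES = [60, 32]


def classify_stager_request(client_stream: bytes):
    """(platform, arch) if the client stream looks like a stager request."""
    if len(client_stream) < 6 or len(client_stream) > MAX_STAGER_REQUEST_LEN:
        return None
    return STAGER_TAGS.get(client_stream[:6])


def stager_response_platform(server_stream: bytes):
    """Platform whose response prefix the server stream starts with, or None."""
    for platform, prefix in RESPONSE_PREFIXES.items():
        if server_stream.startswith(prefix):
            return platform
    return None


def frame_offsets(expected_sizes):
    """Stream offset of each length prefix; reproduces the rules' constants."""
    offsets, off = [], 0
    for size in expected_sizes:
        offsets.append(off)
        off += 4 + size
    return offsets


def split_frames(stream: bytes, expected_sizes):
    """Walk 4-byte little-endian length prefixes followed by payloads.
    Returns the payloads, or None if any length or the stream size disagrees."""
    payloads, off = [], 0
    for size in expected_sizes:
        if len(stream) < off + 4 + size:
            return None
        (length,) = struct.unpack_from("<I", stream, off)
        if length != size:
            return None
        payloads.append(stream[off + 4:off + 4 + size])
        off += 4 + size
    return payloads


def is_client_handshake(stream: bytes) -> bool:
    payloads = split_frames(stream, CLIENT_HANDSHAKE_FRAMES)
    if payloads is None:
        return False
    # byte_test:1,^,0x80,<offset>: Suricata's XOR test matches when
    # (byte ^ 0x80) != 0, i.e. the first payload byte is not exactly 0x80.
    return all((p[0] ^ 0x80) != 0 for p in payloads)


def is_server_handshake(stream: bytes) -> bool:
    payloads = split_frames(stream, SERVER_HANDSHAKE_FRAMES)
    if payloads is None:
        return False
    # byte_test:1,&,0x80,<offset>: matches when the high bit is set.
    return all(p[0] & 0x80 for p in payloads)


def build_sample(sizes, first_byte):
    """Constructed handshake-shaped stream: length prefix + filler payload."""
    out = b""
    for i, size in enumerate(sizes):
        out += struct.pack("<I", size) + bytes([first_byte]) + bytes([i]) * (size - 1)
    return out


if __name__ == "__main__":
    print("client prefix offsets:", [hex(o) for o in frame_offsets(CLIENT_HANDSHAKE_FRAMES)])
    print("server prefix offsets:", [hex(o) for o in frame_offsets(SERVER_HANDSHAKE_FRAMES)])
    print("client sample matches:", is_client_handshake(build_sample(CLIENT_HANDSHAKE_FRAMES, 0x12)))
    print("server sample matches:", is_server_handshake(build_sample(SERVER_HANDSHAKE_FRAMES, 0x9A)))
    print("stager request:", classify_stager_request(b"l64   " + b"\x00" * 10))
```

The two stager checks are evaluated independently here; the Suricata rules pair them per flow through the `NVISO.VShell.*` flowbits, so a response only alerts after a matching request was seen on the same connection. A hunt over packet captures should keep that pairing (match the request on the client side of a flow, then the response on its server side) to retain the rules' confidence levels.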

Indicators of compromise collected at the time of publication are available to the wider community through ThreatFox.
