VShell
VShell is a Go-based remote access trojan/backdoor and offensive security implant used for in-memory post-exploitation and persistent remote control of compromised systems. The content consistently describes it as providing RAT functionality including arbitrary command execution, reverse shell access, file management and file operations, process management, screenshots, proxying/NPS-based proxying, and TCP/UDP port forwarding or tunneling. It communicates with command-and-control infrastructure over HTTP or custom encrypted/obfuscated channels, including XOR-based mechanisms, and is frequently delivered through lightweight stagers or loaders that decrypt the final implant in memory.
Observed delivery and execution chains in the content include: Rust-based loaders such as TetraLoader used after exploitation of Trimble Cityworks CVE-2025-0994 to inject a VShell stager into benign processes like notepad.exe; SNOWLIGHT/SNOWRUST stagers that download and execute VShell; Linux ELF loaders fetched by Bash scripts that receive XOR-encrypted payloads from C2, decrypt them with key 0x99, and execute them from memory via memfd_create or fexecve while masquerading as kernel worker processes such as [kworker/0:2]; and VELETRIX shellcode/loaders that retrieve a second-stage payload over TCP and are publicly linked in the content to VShell. One Linux infection chain used a weaponized RAR filename and unsafe shell expansion/eval behavior to trigger Bash execution, Base64 decoding, architecture-aware payload delivery, and fileless in-memory execution.
The malware is associated primarily with Chinese APT and China-nexus activity in the provided reporting. Groups and clusters mentioned using or deploying VShell include UAT-6382, UAT-8302, UNC5174, UNC6586, Earth Lamia, Jackpot Panda, SHADOW-EARTH-053-related reporting, and other Chinese-speaking or China-aligned operators. The content also notes separate sightings in exploitation of BeyondTrust Remote Support CVE-2026-1731, React2Shell/CVE-2025-55182 campaigns, and reporting tied to Greek warnings referencing suspicious infrastructure and VShell. One report also describes VShell infrastructure observed in a cryptocurrency-focused intrusion set assessed with moderate confidence as DPRK-linked, but the malware itself is not uniquely tied to DPRK in the content.
Targeting in the content spans Windows and Linux environments, with repeated emphasis on Linux servers and government, defense, technology, transportation, telecommunications, healthcare, energy, financial services, legal services, higher education, and critical infrastructure organizations. Reported regions include South Asia, Southeast Asia, East Asia, South America, southeastern Europe, the United States, and at least one victim in Poland.
High-confidence indicators and technical details directly mentioned in the content include VShell stagers communicating with 192.210.239.172:2219 in Cityworks exploitation; Linux VShell delivery from 107.173.89.153:60051 with configuration values including vkey/salt qwe123qwe111; XOR key 0x99 used in multiple Linux loader/stager chains; process masquerading as [kworker/0:2]; and a reported final VShell backdoor SHA-256 of 73000ab2f68ecf2764af133d1b7b9f0312d5885a75bf4b7e51cd7b906b36e2d4 in one Trellix-documented Linux campaign.
Vulnerabilities exploited
7 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2025-0994 is a high-severity deserialization vulnerability in Trimble Cityworks... Successfully exploiting CVE-2025-0994 can allow authenticated attackers to conduct remote code execution (RCE) against a target’s Microsoft Internet Information Services (IIS) web server. ... the vulnerability is being exploited to deliver custom Rust-based loaders capable of loading VShell and Cobalt Strike into memory. | IoCs shared by Trimble suggest that the vulnerability is being exploited to deliver custom Rust-based loaders capable of loading VShell and Cobalt Strike into memory.
Talos has found intrusions in enterprise networks of local governing bodies in the United States (U.S.), beginning January 2025 when initial exploitation first took place. UAT-6382 successfully exploited CVE-2025-0944, conducted reconnaissance and rapidly deployed a variety of web shells and custom-made malware to maintain long-term access.
The vulnerability, tracked as CVE-2026-1731, is an operating system command injection flaw that also impacts some older versions of BeyondTrust Privileged Remote Access. The flaw allows an attacker to execute arbitrary commands on a server without the need for credentials or any user interaction. | A critical vulnerability in BeyondTrust Remote Support is facing an increase in threat activity, with hackers deploying SparkRAT and vShell backdoors and using remote management tools to conduct reconnaissance...
The attackers downloaded the Bash script from hxxp://107.173.89[.]153:60051/slt ... These functionally identical executables serve as loaders for the VShell backdoor. | The threat actors leveraged the CVE‑2025‑55182 (React2Shell) vulnerability... React2Shell is a vulnerability in the Flight protocol, which facilitates client-server communication for React Server Components. The vulnerability stems from insecure deserialization... Under certain conditions, this can enable an attacker to execute arbitrary code on the server.
UNC5174 exploited vulnerable NetWeaver systems to deploy the Snowlight downloader, the VShell remote access trojan, and the SSH backdoor Goreverse.
Forensic analysis identified a vulnerable Jenkins server (CVE-2024–23897) exposed on the internet as the source of the compromise. The latter served as the initial access for the threat actor...
Groups observed using it
12 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Talos has so far found two types of payloads deployed by TetraLoader on the infected endpoints: ... VShell stager ... The payload received by the VShell stager is in fact the actual VShell implant. VShell is a GoLang-based implant that talks to its C2 and provides a wide variety of remote access trojan-based functionalities.
The group deploys NetDraft, a .NET-based backdoor linked to the FinDraft and SquidDoor family, alongside an updated version of the CloudSorcerer backdoor and the VSHELL implant.
SNOWLIGHT, a VShell stager... The attack chains culminate in the deployment of NetDraft, CloudSorcerer (version 3.0), and VShell.
VELETRIX carries a VShell shellcode which is an Offensive Security Tool, like Meterpreter, Cobalt Strike among others, which means that, when executed, it will communicate with the Command and Control server.
China-nexus groups (i.e., Earth Lamia, Jackpot Panda, UNC5174) deploying Cobalt Strike beacons, Sliver, and Vshell backdoors
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
A critical vulnerability in BeyondTrust Remote Support is facing an increase in threat activity ... Multiple BeyondTrust Remote Support users have been confirmed targets ... The flaw allows an attacker to execute arbitrary commands on a server without the need for credentials or any user interaction.
Execution (5 techniques)
UAT-8302 has also been observed using a Rust-based variant of SNOWLIGHT called SNOWRUST to download the VShell payload from a remote server and execute it.
Stage 1: Script triggers execution through Bash script interaction (e.g., for f in * ) leads to auto-execution of the embedded Base64 downloader. The filename evaluates to a Base64-decoded command piped to bash.
VELETRIX’s main function is to start the dynamic API loading routine with LoadLibraryA and GetProcAddress... The first action to be performed is to collect the kernel32.dll DLL by accessing the memory structures through the PEB.
Persistence (1 technique)
Privilege Escalation (2 techniques)
Stealth (6 techniques)
The payload isn't hidden inside the file content or a macro; it's encoded directly in the filename itself... The XOR key used is 0x99, a simple but effective method for evading static inspection.
The decrypted payload (VShell) is executed directly from memory using fexecve()... It is renamed in memory to look like a legitimate Linux kernel thread: [kworker/0:2].
The payload is decoded/decrypted and injected into a benign process by the loader component... TetraLoader is a simple Rust-based loader. It will decode an embedded payload and inject it into a benign process such as notepad.exe.
The loader decrypts this payload using an XOR operation with the key 0x99 ... kxnzl4mtez.js decrypted the 1d5j6rm2mg2d file using AES-256-CBC ... configuration data is decrypted using the AES-128-CBC algorithm
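Added example (not code from the page or from any cited vendor report): two defender-side triage checks in Python for the Linux chain quoted above. decode_stage XOR-decodes a captured stage with the reported 0x99 key and confirms it is an ELF, and masquerade_reasons separates a genuine kworker (PF_KTHREAD set, parent kthreadd, empty cmdline, unreadable exe) from a userland process renamed to [kworker/0:2] and running from a memfd-backed image. The process records and the payload header are constructed, not real telemetry.

```python
import struct
from dataclasses import dataclass
from typing import Optional

XOR_KEY = 0x99           # key reported for the Linux loader/stager chains
PF_KTHREAD = 0x00200000  # flag set on every genuine kernel thread (stat field 9)
ELF_MACHINES = {0x03: "x86", 0x3E: "x86-64", 0x28: "ARM", 0xB7: "AArch64"}


def decode_stage(blob: bytes, key: int = XOR_KEY) -> Optional[str]:
    """XOR-decode a captured payload; return its ELF arch, or None if not ELF."""
    data = bytes(b ^ key for b in blob)
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    endian = "<" if data[5] == 1 else ">"            # EI_DATA byte
    (e_machine,) = struct.unpack_from(endian + "H", data, 18)
    return ELF_MACHINES.get(e_machine, f"unknown(0x{e_machine:x})")


@dataclass
class Proc:
    """Fields a collector reads from /proc/<pid>/{comm,stat,cmdline,exe}."""
    pid: int
    ppid: int
    comm: str
    flags: int           # field 9 of /proc/<pid>/stat
    cmdline: bytes       # raw /proc/<pid>/cmdline; empty for kernel threads
    exe: Optional[str]   # readlink(/proc/<pid>/exe); None when unreadable


def masquerade_reasons(p: Proc) -> list[str]:
    """Why a kworker-looking process is not a kernel thread (empty = genuine)."""
    looks_kworker = p.comm.startswith("kworker") or b"kworker" in p.cmdline
    if not looks_kworker:
        return []
    reasons = []
    if not p.flags & PF_KTHREAD:
        reasons.append("PF_KTHREAD not set")
    if p.ppid != 2:                     # kernel threads are children of kthreadd
        reasons.append(f"ppid {p.ppid} is not kthreadd")
    if p.cmdline:                       # kernel threads have an empty cmdline
        reasons.append("non-empty cmdline (name set by the binary itself)")
    if p.exe is not None:               # fexecve from memfd_create leaves this
        reasons.append(f"exe resolves to {p.exe}")
    return reasons


# Constructed sample records (not real telemetry): one genuine kworker, one fake.
GENUINE = Proc(15, 2, "kworker/0:2", 0x00208040, b"", None)
SUSPECT = Proc(4242, 1, "kworker/0:2", 0x00400100, b"[kworker/0:2]\x00", "/memfd:a (deleted)")
```

On a live host the same checks run against /proc by reading comm, stat, cmdline and readlink on exe for each PID; the flags test is the hardest for a userland binary to fake since PF_KTHREAD is set only by the kernel.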
Credential Access (1 technique)
CVE-2025-0994 is a high-severity deserialization vulnerability in Trimble Cityworks... Successfully exploiting CVE-2025-0994 can allow authenticated attackers to conduct remote code execution (RCE) against a target’s Microsoft Internet Information Services (IIS) web server.
Command and Control (5 techniques)
One of the beacons Talos discovered reaches out to the command-and-control (C2) domain 'cdn[.]lgaircon[.]xyz'... Another beacon reaches out to C2 'www[.]roomako[.]com'... The VShell stager... talks to a hardcoded C2 server
The binary sets up an HTTP GET request to the Command & Control (C2) server.
The loader connects to the server 107.173.89[.]153:60051 via a TCP socket.
IOCs tracked for this family
67 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
79 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Go-based Linux backdoor that provides reverse shell access, remote file operations, process management, port forwarding/tunneling, stealthy in-memory execution via fexecve(), process masquerading as kernel threads, encrypted/custom HTTP-based C2 communication, and multi-architecture support.
Verticals Targeted: Government, Defense, Technology, Transportation, Critical Infrastructure
Regions Targeted: South Asia, Southeast Asia, East Asia
Related Families: ShadowPad, GODZILLA, NOODLERAT, IOX, GOST, Wstunnel, RingQ, VShell
Linux malware delivered via weaponized archive filenames and unsafe shell behavior that triggers Bash execution, Base64 decoding, architecture-aware payload delivery, and in-memory execution while masquerading as legitimate kernel worker processes for stealth.
Implant/backdoor used by UAT-8302 as part of its post-compromise toolkit for maintaining access in victim environments.