VShell gains momentum among cybercriminals as an alternative to Cobalt Strike
An open-source C2 framework first promoted in Chinese cyber defense circles is steadily gaining traction among attackers who prefer versatile, low-cost tooling over expensive proprietary solutions.
Known as VShell, the software has outgrown its origins as a basic Remote Access Tool (RAT) and now represents a significant threat that corporate defense teams worldwide must contend with.
VShell debuted in 2021 as a lightweight C2 solution built on the AntSword web shell architecture.
Its core purpose is to manage compromised Windows and Linux systems, providing strong support for follow-on actions such as network reconnaissance and lateral movement.
The slogan for version three was aimed squarely at Cobalt Strike users: "Does Cobalt Strike have an easy-to-use interface? Give VShell a chance!" This was an explicit pitch to attackers for whom commercial adversary-simulation frameworks were considered too costly or too complex for practical use.
Analysts at Censys discovered internet-exposed VShell installations through ongoing scans; several exposed publicly accessible web directories that revealed configuration data for numerous connected clients.
A single instance showed 286 client panels connected concurrently; such clients can serve as relays that facilitate network tunneling and lateral movement through breached environments.
The VShell panel is equipped with 286 connected clients as per data obtained through Censys.
This research places VShell among the many tools used for intranet exploitation, highlighting its growing prominence in real-world attacks.
The tool is not limited to opportunistic intruders. In 2025, VShell was observed in several documented campaigns, including Operation Dragonclone attributed to UNC5174, the Snowlight activity linked to the same group, and a 2025 phishing campaign in which VShell served as the primary vector for compromising systems.
Its adoption across multiple adversary groups shows that VShell's utility has moved well beyond its original niche; it is now an established fixture of the broader cyber threat landscape.
In its fourth version, VShell added license management, a redesigned user interface, and the use of Nginx as a reverse proxy so that its traffic blends in with normal web activity.
Development continued quietly beyond 2024, indicating that its maintainers are deliberately improving both the framework's resilience and its stealth.
To date, Censys has identified more than eight hundred live VShell instances in its scans, a figure that underscores how widely the framework has spread across online infrastructure.
Vshell’s Multi-Protocol C2 Architecture
VShell sets itself apart from basic Remote Access Tools with a highly flexible listener system that gives operators a wide choice of channels for managing infected systems.
Through the "监听管理" ("Listener Management") panel, operators handle incoming connections from a single control center across several protocol interfaces at once.
Vshell Listener Management Interface (Source - Censys)
The VShell platform accepts connections over TCP, KCP/UDP, WebSockets, and DNS, including DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT).