A Go-based command-and-control (C2) framework known as Vshell is gaining significant traction among threat actors as a cost-effective and flexible alternative to commercial tools like Cobalt Strike. Originally marketed within Chinese-speaking offensive security communities, Vshell has evolved from a simple remote access tool (RAT) into a sophisticated platform capable of supporting complex post-compromise activities, raising concerns for enterprise defenders globally.
First appearing in 2021, Vshell was initially presented as a lightweight C2 platform integrated with the AntSword web shell framework. Its core functionality focused on administering compromised Windows and Linux hosts, with features designed to facilitate network pivoting and lateral movement. The tool’s third version openly targeted Cobalt Strike users with the tagline, “Is Cobalt Strike difficult to use? Try Vshell instead!” This marketing clearly indicated Vshell’s aim to attract actors who found expensive or complex adversary simulation tools prohibitive.
Censys analysts identified internet-facing Vshell deployments through systematic scanning. These scans revealed exposed web directories hosting Vshell panels actively managing hundreds of connected client agents. One observed panel displayed 286 simultaneous clients, each capable of acting as a relay for traffic tunneling and lateral movement across compromised networks. These findings position Vshell alongside other widely utilized intrusion frameworks in real-world threat operations.
The adoption of Vshell extends beyond opportunistic attackers, as evidenced by its appearance in multiple documented threat campaigns throughout 2025. Notable among these were Operation DRAGONCLONE, the SNOWLIGHT campaign attributed to threat group UNC5174, and a phishing operation in August 2025 where Vshell served as the primary post-compromise framework. This broad adoption across distinct threat groups underscores Vshell’s maturation into a trusted capability within the broader threat landscape.
By version 4, Vshell incorporated licensing controls, a redesigned interface, and nginx impersonation capabilities to better blend C2 traffic with legitimate web traffic. Development is suspected to have continued in a private capacity after 2024, suggesting ongoing investment in the tool’s longevity and evasion techniques. During this period, Censys observed over 850 active Vshell listeners, indicating widespread deployment across internet-facing infrastructure.
Vshell’s Multi-Protocol C2 Architecture and Implications for Defenders
Vshell distinguishes itself through a highly flexible listener system that provides operators with a wide array of communication channels to maintain control over compromised hosts. The “Listener Management” interface, labeled in Mandarin as 监听管理, allows operators to configure inbound connection handlers across multiple protocols from a central controller panel.
The framework supports a diverse range of protocols, including TCP, KCP/UDP, WebSocket, DNS, DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and even Object Storage System (OSS) connections via S3 buckets. While most listeners default to TCP port 8084, the ability to switch to DNS-based channels makes Vshell particularly challenging to block at the network perimeter. DNS-over-HTTPS and DNS-over-TLS channels are especially effective as they encapsulate C2 traffic within encrypted DNS queries, often bypassing standard network monitoring tools.
This architectural design directly mirrors Cobalt Strike’s approach, featuring a central teamserver that manages multiple implants and provides operators with comprehensive session control, data transfer, and tunneling features. Newer Vshell panels have implemented digest authentication, reducing the distinct fingerprintable artifacts that defenders historically relied upon for detection, thereby making identification progressively more difficult.
For defenders, monitoring all external-facing infrastructure, particularly web servers and firewalls, for signs of Vshell deployment is crucial. Network teams should pay close attention to DNS-over-HTTPS and DNS-over-TLS traffic for anomalies, as these are frequently abused for C2 communications. Given that Vshell is built on NPS, detection rules designed for NPS-based traffic may offer overlapping benefits and should be leveraged where applicable. Security teams are advised to conduct regular threat-hunting queries within their environments and establish alerts for any outbound communications that align with known Vshell listener patterns. The evolving nature of Vshell necessitates continuous vigilance and adaptive security strategies to counter its growing presence.
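As an added example (not Censys code and not part of Vshell), the following script turns the hunting advice above into concrete checks over connection-log records: outbound TCP to Vshell’s default listener port 8084, DNS-over-TLS (port 853) to resolvers outside an allowlist, and TLS sessions whose SNI names a DoH endpoint the organisation has not approved. The log lines, internal ranges, approved resolver and DoH hostname are all constructed placeholders that an analyst would replace with their own environment’s values.

```python
"""Hunt heuristics for the Vshell listener traits described above (added example)."""
import ipaddress

VSHELL_DEFAULT_PORT = 8084                 # default TCP listener port noted in the article
DOT_PORT = 853                             # DNS-over-TLS well-known port
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]          # constructed: org-internal space
APPROVED_RESOLVERS = {"10.0.0.53"}                             # constructed: sanctioned resolvers
KNOWN_DOH_SNI = {"dns.example-resolver.test"}                  # constructed: DoH endpoint placeholder

# Constructed connection records: ts src dst dport proto sni ("-" = no SNI seen)
SAMPLE_LOG = """\
1700000000 10.1.2.3 203.0.113.10 8084 tcp -
1700000001 10.1.2.3 10.0.0.53 853 tcp -
1700000002 10.1.2.4 198.51.100.7 853 tcp -
1700000003 10.1.2.5 198.51.100.9 443 tcp dns.example-resolver.test
1700000004 10.1.2.6 93.184.216.34 443 tcp www.example.com
"""


def parse_line(line):
    """Split one whitespace-separated record into a dict."""
    ts, src, dst, dport, proto, sni = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport),
            "proto": proto, "sni": None if sni == "-" else sni}


def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)


def classify(rec):
    """Return the hunt tags one connection record triggers (empty list if benign)."""
    tags = []
    # Default Vshell listener port, only interesting when the peer is outside the org
    if rec["proto"] == "tcp" and rec["dport"] == VSHELL_DEFAULT_PORT and not is_internal(rec["dst"]):
        tags.append("vshell_default_listener_port")
    # DoT to anything other than the sanctioned resolvers
    if rec["dport"] == DOT_PORT and rec["dst"] not in APPROVED_RESOLVERS:
        tags.append("dot_to_unapproved_resolver")
    # DoH hides in ordinary 443 traffic; SNI is the cheapest signal available here
    if rec["dport"] == 443 and rec["sni"] in KNOWN_DOH_SNI:
        tags.append("doh_to_unapproved_resolver")
    return tags


def hunt(log_text):
    """Map each source host to the set of hunt tags it triggered."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        for tag in classify(rec):
            hits.setdefault(rec["src"], set()).add(tag)
    return hits
```

Each tag is a lead for triage, not a verdict: a DoT hit may simply be an unmanaged device using a public resolver, so the resolver allowlist should reflect what the organisation actually sanctions before alerts are wired up.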