Current Cyber Threats

Vshell: A Chinese-Language Alternative to Cobalt Strike

Summary:
Vshell is a mature, Go-based command-and-control (C2) framework that has been actively developed since 2021 within Chinese-speaking offensive security ecosystems. Originally released as an open-source RAT, it has evolved through five major versions into a full-featured post-exploitation platform explicitly marketed as an easier alternative to Cobalt Strike.

The tool supports Windows and Linux clients across multiple architectures (x86_64 and ARM) and mirrors Cobalt Strike's architecture with a centralized teamserver managing deployed implants through an operator interface natively presented in Mandarin.

Starting with v3 in 2022, Vshell rebased onto the intranet penetration proxy NPS, adding robust network tunneling capabilities. As of v4.6 in 2024, public releases ceased, suggesting the project has moved to private development.

Censys has observed over 850 active Vshell listeners in its scanning, and the tool was observed in multiple confirmed intrusion campaigns throughout 2025, including Operation DRAGONCLONE, the UNC5174-linked SNOWLIGHT campaign, and a phishing campaign documented by Trellix.

Security Officer Comments:
The impact of Vshell's proliferation is significant. It lowers the barrier of entry for Mandarin-speaking threat actors who may have found Cobalt Strike difficult to obtain, configure, or operate, providing a functionally comparable post-exploitation capability at little to no cost.

In exposed deployments, Censys observed Vshell panels with as many as 286 attached client agents, each capable of acting as a traffic relay for lateral movement and operational proxying, demonstrating real-world deployment at scale.

Its cross-platform support means it can be used to maintain persistence across heterogeneous enterprise environments, and its ties to known nation-state-adjacent activity (UNC5174 is assessed as a China-nexus threat actor) elevates the concern beyond opportunistic criminal use.

Organizations in sectors targeted by Chinese state-sponsored or state-aligned actors, including defense, telecommunications, government, and critical infrastructure, face the most immediate risk.

Suggested Corrections:
Defenders should prioritize detection of Vshell's default network indicators, particularly traffic on TCP/8084 and anomalous DNS activity consistent with DNS-tunneling C2 (DNS-over-HTTPS and DNS-over-TLS on port 53 from unexpected hosts).
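As an added illustration of the network-side checks above (not code from the Censys write-up), the script below runs two detections over constructed Zeek-style records: internal-to-external TCP flows to the default 8084 listener port, and clients issuing many long, never-repeating subdomain lookups under one parent domain, the shape of DNS-tunneling C2. RFC 1918 as "internal", the sample records, and the thresholds are all assumptions to tune to your own environment.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records in a Zeek-like layout (not real telemetry).
# conn: ts src dst dst_port proto
CONN_LOG = """\
1735000001 10.1.2.15 203.0.113.40 8084 tcp
1735000002 10.1.2.15 203.0.113.40 443 tcp
1735000003 10.1.2.22 10.1.2.1 8084 tcp
1735000004 10.1.3.9 203.0.113.41 8084 tcp
"""
# dns: ts src query (twelve long hex-labelled lookups from one host,
# plus two ordinary lookups from another)
DNS_LOG = "\n".join(
    [f"17350001{i:02d} 10.1.3.9 {i * 0x9E3779B97F4A7C15:032x}.c2-example.test"
     for i in range(12)]
    + ["1735000150 10.1.2.22 www.example.test",
       "1735000151 10.1.2.22 mail.example.test"]
)

# RFC 1918 space stands in for "internal"; adjust to your own address plan.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(addr):
    a = ip_address(addr)
    return any(a in n for n in INTERNAL)

def outbound_default_port_hits(conn_log, port=8084):
    """Internal -> external TCP flows to the Vshell default listener port.
    Internal-only 8084 traffic is skipped: it is not reaching C2 infrastructure."""
    hits = []
    for line in conn_log.splitlines():
        _ts, src, dst, dport, proto = line.split()
        if proto == "tcp" and int(dport) == port and is_internal(src) and not is_internal(dst):
            hits.append((src, dst))
    return hits

def dns_tunnel_candidates(dns_log, min_unique=10, min_label_len=24):
    """Flag (client, parent domain) pairs whose leftmost labels are long and
    never repeat: data-carrying tunnel queries look like this, ordinary
    name lookups do not. Thresholds are assumptions to tune per environment."""
    seen = defaultdict(set)
    for line in dns_log.splitlines():
        _ts, src, query = line.split()
        labels = query.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue
        first, parent = labels[0], ".".join(labels[-2:])
        if len(first) >= min_label_len:
            seen[(src, parent)].add(first)
    return sorted(k for k, v in seen.items() if len(v) >= min_unique)

if __name__ == "__main__":
    print("TCP/8084 egress:", outbound_default_port_hits(CONN_LOG))
    print("DNS tunnel candidates:", dns_tunnel_candidates(DNS_LOG))
```

Feed real conn.log and dns.log fields in the same column order to run it against your own telemetry; the DNS heuristic is meant to surface hosts for triage, not to name Vshell on its own.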

Because Vshell is built on NPS, detection rules already written for NPS infrastructure may provide overlapping coverage and should be reviewed and deployed where applicable.

Endpoint detection should focus on behavioral indicators, specifically Go-compiled binaries establishing persistent outbound connections, unexpected parent-child process relationships, and credential access tooling such as Mimikatz appearing alongside unfamiliar remote management binaries.

Network defenders should enforce strict egress filtering and ensure that internal systems cannot directly reach internet-facing C2 infrastructure, which limits Vshell's pivoting capability even after an initial compromise.

Organizations should also monitor for exposure of Vshell panels and listeners on their own infrastructure using internet-scanning platforms such as Censys, for example with the Censys Search query host.services.threats.name = "Vshell".

Given Vshell's observed use in phishing campaigns, user awareness training and email filtering controls remain a foundational layer of defense against initial delivery.

Finally, organizations should ensure that threat intelligence feeds include Vshell-related IOCs from the documented campaigns (Operation DRAGONCLONE, SNOWLIGHT/UNC5174, and the August 2025 Trellix-reported campaign) and apply them to SIEM and EDR detection rules.

Link(s):
https://censys.com/blog/vshell/