// 01Executive summary

VShell is an active backdoor tool used by Chinese-speaking threat actors for long-term espionage, with over 1,500 active servers identified globally. This tool grants attackers remote control over compromised networks, targeting critical sectors including government, healthcare, military, and research. Organizations must immediately deploy network and endpoint detection strategies to identify VShell activity, leveraging insights into its stager and beaconing patterns. Strengthening vulnerability management and enhancing threat intelligence-informed detection capabilities are urgent priorities to mitigate this persistent threat.

// 02Key metrics

// ttps
2 ATT&CK techniques
// iocs
35 indicators
// actors
0 threat groups
// kwords
10 keywords

// 03MITRE ATT&CK

// 04Threat actors

// no actors matched

// 05Indicators of compromise

// ips (0)

none

// domains (9)


// urls (19)


// sha256 (1)

  • af44db26be11baa7878941cc1d95ccf043170236d6610ad24828affb44c873a6

// md5 (1)

  • ca355028c4317eeae9d3fe6f98b0ef7b

// emails (2)

  • support@cymru.com
  • csirt@nviso.eu

// cves (4)

  • CVE-2025-41244
  • CVE-2025-31324
  • CVE-2024-36401

// 06Geographic coverage

// 07YARA rule

// Failed to generate YARA rule

// 08Keywords

  • vshell (86.765)
  • figure (38.5944)
  • nviso (31.5765)
  • network (26.0922)
  • infrastructure (22.8562)
  • com (20.4181)
  • eu (19.2417)
  • version (18.3823)
  • security (17.7459)
  • organizations (17.738)

// 09Attack chain

// 10Technical mitigations
