Vshell - A Chinese-Language Alternative to Cobalt Strike

Vshell is a Go-based remote administration tool that provides post-compromise capabilities for network pivoting and proxying. Publicly available project materials have referenced offensive tradecraft (e.g., screenshots involving Mimikatz), and the tool has been observed in unauthorized contexts as a means of remote server management. Internet-facing instances identified via Censys have appeared alongside other common intrusion and red-team tooling such as the commercial adversary simulation tool Cobalt Strike. Additionally, exposed web directories have revealed Vshell deployments configured with hundreds of client agents, each of which could be leveraged as a traffic relay for lateral movement and operational proxying. Starting in 2022, Vshell rebased itself onto the intranet penetration proxy NPS, and overlaps between the two toolkits should be expected.

Fundamentally, Vshell is a full-featured command-and-control (C2) platform for administering Windows and Linux hosts, with an emphasis on post-compromise host management and network pivoting. Vshell is commonly seen within Chinese-speaking offensive-security ecosystems, with users ranging from researchers to red teams as well as threat actors. The tagline for version 3 reads: “CobaltStrike难用?来试试vshell吧” (translation: “Is Cobalt Strike difficult to use? Try Vshell instead!”). Throughout Vshell, there is clear inspiration from CobaltStrike, following the same logical C2 architecture: a centralized server (“teamserver”/controller) that manages implants (clients) and provides an operator interface. During 2025, Vshell was reportedly used within several incidents, such as Operation DRAGONCLONE, SNOWLIGHT campaign from UNC5174, and in August, Trellix reported on a phishing campaign leveraging Vshell.

Internet-facing Vshell deployments observed by Censys periodically appear in open web directories. In exposed instances, operators are commonly seen using copies of Vshell v4, which supports both Windows and Linux clients (including x86_64 and ARM variants). The interface is natively shown in Mandarin. Vshell uses “listeners,” the service components within the controller that accept inbound connections and manage communications with deployed clients; these are configured through 监听管理 (“Listener Management”). Several of the listener services within Vshell default to port TCP/8084. Once enabled, a listener remains available to receive new client sessions and to broker tasking, data transfer, and tunneling through the established channel. The range of listeners illustrates Vshell’s emphasis on flexible and varied communications. For defenders, this means Vshell offers multiple points for detection rather than a single port or protocol fingerprint. Newer panels have moved to digest authentication, which reduces the number of fingerprintable detection opportunities. Despite this, at the time of this report, we see over 850 Vshell listeners in our scanning.
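The paragraph above gives defenders one concrete, if weak, lead: several Vshell listener services default to TCP/8084, and a listener is contacted repeatedly over long-lived sessions by the hosts it controls. The script below is an added example written for this post, not code from Censys or from the Vshell project. It parses constructed flow-log lines (a tab-separated layout invented here, not Zeek's or anyone else's real format), keeps only TCP flows to the default listener port, and reports destinations that accumulate several sessions with substantial total duration. The port, the thresholds and the log format are all assumptions; because operators can change the listener port, a hit is a lead for analyst review, not a verdict.

```python
"""Flag possible Vshell listener traffic in flow logs (added example, assumed heuristics).

Heuristic, not a published Vshell signature:
  * the post notes several Vshell listener services default to TCP/8084
  * a C2 listener tends to be contacted repeatedly by the same internal
    host(s) with long-lived sessions
Listener ports are operator-configurable, so treat results as leads.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

VSHELL_DEFAULT_PORT = 8084  # default cited in the post; operators may change it


@dataclass
class Flow:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str
    duration: float  # seconds


def parse_flow_line(line: str) -> Optional[Flow]:
    """Parse one constructed log line: ts<TAB>src<TAB>dst<TAB>dport<TAB>proto<TAB>duration.

    Returns None for comment lines and malformed records instead of raising,
    so one bad line cannot abort a hunt over a large file.
    """
    if line.startswith("#"):
        return None
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 6:
        return None
    ts, src, dst, dport, proto, dur = parts
    try:
        return Flow(float(ts), src, dst, int(dport), proto.lower(), float(dur))
    except ValueError:
        return None


def find_candidate_listeners(lines: Iterable[str], port: int = VSHELL_DEFAULT_PORT,
                             min_sessions: int = 3,
                             min_total_duration: float = 300.0) -> Dict[str, dict]:
    """Group TCP flows to `port` by destination and keep the persistent ones.

    A destination is reported when it has at least `min_sessions` sessions
    whose combined duration reaches `min_total_duration` seconds (both
    thresholds are assumed tuning knobs, not values from the post).
    """
    per_dst: Dict[str, List[Flow]] = defaultdict(list)
    for line in lines:
        flow = parse_flow_line(line)
        if flow is None or flow.proto != "tcp" or flow.dport != port:
            continue
        per_dst[flow.dst].append(flow)

    hits: Dict[str, dict] = {}
    for dst, flows in per_dst.items():
        total = sum(f.duration for f in flows)
        if len(flows) >= min_sessions and total >= min_total_duration:
            hits[dst] = {
                "sessions": len(flows),
                "sources": sorted({f.src for f in flows}),
                "total_duration": total,
            }
    return hits


# Constructed sample log using documentation-only address ranges (RFC 5737).
SAMPLE_LOG = """#fields\tts\tsrc\tdst\tdport\tproto\tduration
1700000000\t10.0.0.5\t203.0.113.10\t8084\ttcp\t120
1700000300\t10.0.0.5\t203.0.113.10\t8084\ttcp\t600
1700001000\t10.0.0.5\t203.0.113.10\t8084\ttcp\t45
1700001200\t10.0.0.7\t203.0.113.10\t8084\ttcp\t30
1700001300\t10.0.0.9\t198.51.100.4\t8084\ttcp\t5
1700001400\t10.0.0.5\t192.0.2.20\t443\ttcp\t900
1700001500\t10.0.0.5\t203.0.113.10\t8084\tudp\t60
this line is malformed"""


if __name__ == "__main__":
    for dst, info in find_candidate_listeners(SAMPLE_LOG.splitlines()).items():
        print(f"candidate listener {dst}: {info['sessions']} sessions, "
              f"{info['total_duration']:.0f}s total, from {', '.join(info['sources'])}")
```

On the constructed sample, only 203.0.113.10 is reported (four TCP sessions from two internal hosts, 795 seconds combined); the single short session to 198.51.100.4, the HTTPS flow and the UDP record are filtered out. In practice the same grouping would be run over real flow data with the port list widened to whatever listener ports have been observed in your environment, and candidates cross-checked against the other indicators the post mentions, such as exposed web directories and a Mandarin-language panel.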

Vshell is a mature post-exploitation capability. The combination of capabilities, availability, and cross-platform functionality makes it a popular option for Mandarin-speaking adversaries. Defenders should monitor for Vshell as a tool threat actors may leverage to establish a foothold on their network — especially around external-facing infrastructure such as web servers and firewalls. As Vshell is built on NPS, detection rules may overlap in some instances.

This post is licensed under CC BY 4.0 by the author.