Vshell is a remote administration tool written in Go that offers comprehensive post-compromise features such as network pivoting and proxying. Although it is presented by its authors as a benign project, publicly available materials have referenced offensive techniques (e.g., screenshots showing use of tools like Mimikatz), and the tool has been found in unauthorized environments where it’s used for remote server control.
Vshell’s availability has varied over time: some versions were released as open source, while others were distributed in closed or partially closed form. Internet scanning by Censys has found Vshell servers exposed alongside other common intrusion and adversary simulation tools, including Cobalt Strike. Some exposed installations revealed web directories listing hundreds of connected client agents, each of which can act as a traffic relay for lateral movement and proxying.
In 2022, Vshell’s architecture was rebased on NPS, an intranet penetration (reverse) proxy project, and many features overlap between the two ecosystems.
What Vshell Is
At its core, Vshell functions as a full-featured command-and-control (C2) platform for managing compromised Windows and Linux hosts, with a focus on:
- Post-compromise systems administration
- Network pivoting
- Proxying traffic through connected clients
Vshell is especially prevalent within Chinese-language offensive-security communities, used by researchers, red teams, and threat actors alike. Early releases identified it as a remote access tool (RAT), while later versions were marketed as an approachable alternative to commercial adversary simulation tools like Cobalt Strike. One version’s tagline literally translates to: “Is Cobalt Strike hard to use? Try Vshell instead!”
Like Cobalt Strike, Vshell uses a centralized server/controller model to manage implants (clients). Early versions only exposed a web API and relied on third-party interfaces such as 蚁剑 (AntSword) for control.
Development History
Based on reporting from threat researchers, Vshell has evolved through several major milestones:
| Version | Year | Key Changes |
|---|---|---|
| v1 | 2021 | Core component teamserver with no UI; controlled via AntSword |
| v2 | 2022 | Local web interface added |
| v3 | 2022 | Built on NPS protocol, separate frontend fork |
| v4 | 2023 | Licensing, UI redesign, nginx impersonation, added protocols |
| v4.6 | 2024 | Public releases end; suspected private development continues |
During 2025, Vshell was reported in multiple threat activity clusters, such as Operation DRAGONCLONE, the SNOWLIGHT campaign linked to UNC5174, and phishing campaigns documented by Trellix that used Vshell payloads.
Technical Characteristics
Censys has observed Vshell deployments exposed on the Internet, often in unprotected web directories. Many active Vshell servers run version 4, which has cross-platform support for both Windows and Linux clients (including x86_64 and ARM architectures). Interfaces are typically shown in Mandarin by default, with components such as listeners configured for different communication protocols.
Vshell supports multiple listener types, including:
- TCP
- KCP/UDP
- WebSocket
- DNS, DNS-over-HTTPS, DNS-over-TLS
- S3-style object storage for C2 channels
These varied listeners give operators flexible communication channels and let C2 traffic ride on several different protocols, which makes detection more difficult for defenders.
Visibility & Detection
Using the Censys Threat Hunting platform, defenders can track Vshell exposure using queries such as:
host.services.threats.name = "Vshell" OR web.threats.name = "Vshell"
Scanning typically finds a small number of older panels online, but at the time of reporting more than 850 listeners associated with Vshell were visible. Many older panels still show fingerprintable characteristics useful for historical analysis, while newer ones use stronger authentication and expose fewer detectable artifacts.
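The query above selects hosts tagged with Vshell on either a service or a web record. When the results are exported and worked offline, the same logic can be applied to the records locally and the matched listeners tallied by transport, which is the first thing an analyst wants to know given the listener types listed above. The script below is an added example, not Censys’s or Vshell’s code; the record layout (`services[].threats[].name`, `web.threats[].name`, `transport_protocol`, `service_name`) is an assumption modelled on the field paths in the query, not a documented export format, and the sample records are constructed for this example.

```python
"""Offline triage of exported host records for Vshell exposure.

Added example (not code from Censys or the Vshell project). It mirrors the
hunting query  host.services.threats.name = "Vshell" OR web.threats.name = "Vshell"
as a filter over a JSON export. The record shape is an assumption based on
those field paths; the sample records below are constructed, not real scan data.
"""
import json
from collections import Counter

THREAT_NAME = "Vshell"

# Constructed sample export: two hosts with a Vshell-tagged service, one host
# matched only through its web record, one benign host, and one host whose
# threat name merely contains "Vshell" (must NOT match an exact-name query).
SAMPLE_EXPORT = json.dumps([
    {"ip": "192.0.2.10", "services": [
        {"port": 443, "transport_protocol": "TCP", "service_name": "HTTP",
         "threats": [{"name": "Vshell"}]},
        {"port": 53, "transport_protocol": "UDP", "service_name": "DNS",
         "threats": []}]},
    {"ip": "192.0.2.11", "services": [
        {"port": 8443, "transport_protocol": "UDP", "service_name": "KCP",
         "threats": [{"name": "Cobalt Strike"}, {"name": "Vshell"}]}]},
    {"ip": "192.0.2.12", "services": [
        {"port": 80, "transport_protocol": "TCP", "service_name": "HTTP",
         "threats": [{"name": "NotVshell"}]}]},
    {"ip": "192.0.2.13", "services": [
        {"port": 22, "transport_protocol": "TCP", "service_name": "SSH",
         "threats": []}]},
    {"ip": "192.0.2.14", "web": {"threats": [{"name": "Vshell"}]},
     "services": []},
])


def matches_threat(threats, name=THREAT_NAME):
    """Exact-name match, as the '=' operator in the query (no substring match)."""
    return any(t.get("name") == name for t in (threats or []))


def find_vshell_hosts(records, name=THREAT_NAME):
    """Return {ip: [(port, transport, service_name), ...]} for every host that
    satisfies host.services.threats.name = name OR web.threats.name = name.
    A host matched only via its web record gets an empty service list."""
    hits = {}
    for rec in records:
        matched = [
            (svc.get("port"), svc.get("transport_protocol"), svc.get("service_name"))
            for svc in rec.get("services", [])
            if matches_threat(svc.get("threats"), name)
        ]
        if matched or matches_threat(rec.get("web", {}).get("threats"), name):
            hits[rec["ip"]] = matched
    return hits


def listener_breakdown(hits):
    """Count matched listeners by transport/service pair (e.g. TCP/HTTP, UDP/KCP)
    so the spread of listener types across the exposed infrastructure is visible."""
    return Counter(f"{transport}/{service}"
                   for svcs in hits.values() for _port, transport, service in svcs)


def triage(export_json=SAMPLE_EXPORT, name=THREAT_NAME):
    """Parse an export and return (matched hosts, listener breakdown)."""
    records = json.loads(export_json)
    hits = find_vshell_hosts(records, name)
    return hits, listener_breakdown(hits)


if __name__ == "__main__":
    hosts, breakdown = triage()
    for ip, svcs in sorted(hosts.items()):
        print(ip, svcs or "(matched on web record only)")
    print(dict(breakdown))
```

Run it against a real export by passing the file contents to `triage()`; the exact-name comparison in `matches_threat` matters, since a substring match would pull in unrelated tags, and the web-only branch keeps hosts that the query matches without any service-level tag.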
Key Takeaways
- Vshell is a mature post-exploitation framework. Its blend of multi-platform support, flexible communications, and operational features makes it attractive to Mandarin-speaking adversaries.
- Defenders should treat Vshell as a potential threat tool. External-facing infrastructure like web servers and firewalls are common places where exposed Vshell instances appear.
- Detection may overlap with generic network scanning activity. Because Vshell rides on existing network protocols (TCP, KCP/UDP, WebSocket, DNS variants, S3-style storage) and shares its NPS base with a legitimate proxy project, some detection rules will also fire on benign traffic and should be tuned accordingly.
- Regular scanning and threat hunting help identify Vshell infrastructure. Using visibility tools like Censys Threat Hunting and tailored queries can uncover exposed Vshell servers and associated behaviors.
