BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.troopers.de//tr26-cfp//speaker//GKRYPE
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-tr26-cfp-FZ7LBK@cfp.troopers.de
DTSTART;TZID=CET:20260625T100000
DTEND;TZID=CET:20260625T110000
DESCRIPTION:VShell is a backdoor written in Golang that is shared across mu
 ltiple threat actors. It is used widely by intrusion groups\, particularly
  China-nexus actors such as UNC5174. We carried out an in-depth investigat
 ion of VShell C2 servers and found that a broad range of information can b
 e obtained from them at scale. For example\, by sending a specific magic p
 acket to a VShell C2 server\, it is possible to retrieve the raw stageless
  binary in unobfuscated form. This stageless binary contains hard-coded co
 nfig data\, including the "vkey". We performed an internet-wide scan for p
 ublicly exposed VShell C2 servers\, collected stageless binaries\, analyse
 d their config data\, and explored clustering and attribution.\n\nIn this 
 presentation\, we first explain what kind of malware VShell is\, including
  its relationship with SNOWLIGHT\, and present the results of our detailed
  malware analysis together with representative cases of abuse. We then des
 cribe the structure of the VShell C2 server and show how it communicates w
 ith VShell. We also share the contents of the magic packet used to obtain 
 the stageless binary\, the results of our detailed analysis of the binary 
 itself\, the configuration data embedded in it\, and the findings from our
  analysis of the large volume of config data we collected. In addition\, w
 e present deeper analytical results based on information obtained from C2 
 servers that were operated with default settings. Finally\, we propose det
 ection logic for network and endpoint security products to help defend aga
 inst compromises involving VShell. This logic reflects the detailed intern
 al behaviour of VShell C2 infrastructure revealed by our research.\n\nThro
 ugh this talk\, attendees will gain a detailed understanding of VShell’s
  capabilities and the characteristics of its C2 servers. They will also le
 arn a research method for uncovering new information useful for attributio
 n. In addition\, these findings can be applied directly to defensive pract
 ice\, including the development of more effective detection logic.
DTSTAMP:20260510T025754Z
LOCATION:Track 3
SUMMARY:Unshelling VShell at Scale - Kazuya Nomura\, Rintaro Koike
URL:https://cfp.troopers.de/tr26-cfp/talk/FZ7LBK/
END:VEVENT
END:VCALENDAR