NEC Violation and the Exotic-Matter Requirement
Traversable wormholes in General Relativity require violations of the classical energy conditions, most notably the Null Energy Condition (NEC) [20]. The NEC states that for any null vector $k^\mu$,
$$T_{\mu\nu} k^\mu k^\nu \ge 0. \tag{1}$$
In Morris–Thorne wormhole geometries [1], sustaining the throat requires
$$T_{\mu\nu} k^\mu k^\nu < 0, \tag{2}$$
indicating that some region of spacetime must contain negative energy density as measured by certain observers. This requirement is not optional; it follows directly from the curvature constraints needed to maintain a non-collapsing throat. A commonly used estimate for the total negative mass–energy needed to support a spherically symmetric, static wormhole throat of radius $R$ is [2]
$$M_{\text{neg}} \approx -\frac{c^2 R}{2G}. \tag{3}$$
For a throat radius of $R = 10$ m, this yields approximately
$$M_{\text{neg}} \approx -6.7 \times 10^{27}\ \text{kg}, \tag{4}$$
a value comparable to several Jupiter masses (but with negative sign). The associated energy magnitude is
$$|E_{\text{neg}}| = |M_{\text{neg}}| c^2 \approx 6.0 \times 10^{44}\ \text{J}. \tag{5}$$
If this energy is assumed to be distributed in a thin spherical shell of thickness $\Delta R \sim 1$ m, the shell volume is
$$V_{\text{shell}} \approx 4\pi R^2 \Delta R \approx 1.3 \times 10^{3}\ \text{m}^3. \tag{6}$$
The corresponding required average negative energy density is $\rho_{\text{required}} \approx 4.8 \times 10^{41}\ \text{J/m}^3$. This value is not sensitive to modest changes in geometry or assumptions; even optimized thin-shell constructions reduce the requirement by only a few orders of magnitude [3]. The scale of negative energy demanded by General Relativity for a human-scale static Einstein–Rosen Bridge therefore remains extraordinarily high. This target energy density forms the baseline against which all quantum vacuum engineering proposals must be evaluated.
Improved indicators: DeimosC2 (1), Evilginx (1), RansomHub (1), Meterpreter (2), XWorm (1), VShell (3) and AsyncRAT (7). vuldb.com/actor #apt #cti #ioc
Dadicke retweeted
Added indicators for: DCRat (1), Vidar (8), XWorm (9), Remcos (12), Quasar RAT (3), GCleaner (4) and VShell (4). vuldb.com/actor #apt #cti #ioc
FUD 'ws' ELF binary as #VShell, seen from Hong Kong @abuse_ch bazaar.abuse.ch/sample/0635f… FUD C2 IP: 8.141.4(.)220:8084
aaf4ccceca88bb874b8db6c30162c6ce13a3d5bf84fb5a2bcf61270445eef3e9 LNK > VBS > DLL side-loading > #SNOWLIGHT (#VShell Stager) Fisher-Yates shuffling of shellcode with constant seed for rand() C2: dns1.alidoh[.]com h/t @malwrhunterteam
ELF file with #vshell detection @abuse_ch bazaar.abuse.ch/sample/f94ed… FUD IP: 103.149.183(.)183
Talos reports that UAT-8302, a China-nexus APT, has deployed NetDraft, CloudSorcerer, VSHELL, SNOWRUST, SNOWLIGHT, SNAPPYBEE/DeedRAT, and ZingDoor across global government targets, enabling long-term access and extensive reconnaissance. blog.talosintelligence.com/u…
Cisco Talos exposes UAT-8302, a sophisticated Chinese 🇨🇳 APT group targeting government entities across South America and southeastern Europe with a diverse arsenal of custom malware families since late 2024.
Key findings:
- Deploys NetDraft (.NET variant of FinalDraft/SquidDoor), CloudSorcerer v3, VSHELL, and new Rust-based SNOWRUST stager
- Uses MS Graph API and OneDrive for C2 communications, GitHub/GameSpot for C2 configuration retrieval
- Extensive reconnaissance via custom PowerShell scripts (whatpc.ps1), AD queries, and Chinese-language tools like "gogo" scanner
- Post-compromise: credential extraction via MobaXtermDecryptor, network proliferation using Impacket/WMI, proxy setup with Stowaway
- Tool overlap connects UAT-8302 to multiple China-nexus 🇨🇳 clusters including Jewelbug, Earth Estries, UNC5174, and LongNosedGoblin
DFIR artifacts include scheduled tasks with names like "ReconLiteDebug", DLL sideloading via mspdb60[.]dll and wininet[.]dll, and process injection into explorer.exe/spoolsv.exe. Hunt for unsigned DLLs in %ProgramData%, PowerShell execution with "-ExecutionPolicy Bypass", and outbound HTTPS to Graph API with unusual patterns. Full IOC list and detection rules available. #DFIR_Radar
FUD 'backdoor zip' talking to win.shoplline(.)com FUD domain @abuse_ch bazaar.abuse.ch/sample/7c5fd… Resolving to 172.245.126(.)122, that has some history... including a 5 months old comment on VT saying Vshell. Inside is this archive that was seen with name "a/MicrosoftSoftware/MobilePhone/serve/virus. zip": 7bb76436834111c516a227f10360476af5632130cac643852267102c6344d9fb
Another #vshell sample @abuse_ch bazaar.abuse.ch/sample/7512f… C2: 168.100.8(.)179:8084
🔧 Top 25 Tools Observed - Team Cymru - S2
Ranked by unique source IPs over 14 days:
1. Nessus: 2,844
2. Asset Recon Lighthouse: 2,595
3. GoPhish: 2,044
4. Metasploit: 1,247
5. Interactsh: 863
6. CobaltStrike: 673
7. Burp Collaborator: 667
8. Sliver: 416
9. QuasarRAT: 204
10. RemcosRAT: 189
11. reNgine: 185
12. asyncrat: 170
13. SuperShell: 167
14. Mythic: 150
15. Vidar: 142
16. PlugX: 142
17. ValleyRAT: 136
18. Hashtopolis: 134
19. CyberStrikeAI: 117
20. Havoc: 117
21. Vshell: 102
22. AdaptixC2: 101
23. Stealc: 86
24. Ligolo-ng: 78
25. XWorm: 76
#threatintel #c2 #malware
UNC5174/Earth Lamia have moved their domains identified in a Nov 2025 article by IIJ to a new IP, 84.32.22[.]130. Three of the four resolving domains have been publicly reported, while one (l1.topayapp[.]org) is currently being used to deliver SNOWLIGHT, which then drops VShell. A Cloudflare certificate on port 443 includes a hostname for a related domain, paycloudhosting[.]net #UNC5174 #SNOWLIGHT
FUD 'edeb387f.exe' seen from China @abuse_ch bazaar.abuse.ch/sample/c6c28… Next stage is this FUD URL: hxxps://kaquanhao.oss-cn-hongkong.aliyuncs(.)com/ttccpp.png Then traffic goes to this FUD IP on high port: 45.78.53(.)77 Could be a VShell?
Replying to @Bagavathprathee
Damn you, thieving Sanghi dog, in Moulivakkam all three of HP, Vshell and IOC had closed, damn it. Vshell has only just now got a load in and opened, and there is a full crowd. HP IOC not opened, Gasbunk closed. Don't eat cow dung, talk like a jerk and go off with a beating. Run. 😡😡😡😡 @JustNow_Post that goes for you too
Feb 28
🚩 Vshell Gains Ground as an Alternative to Cobalt Strike gbhackers.com/vshell-gains-p… Vshell, a Go-based remote administration tool, is gaining traction as an alternative to Cobalt Strike. Originally positioned for security testing, it’s now showing up in real-world intrusions. With multi-protocol listeners (TCP, DNS, WebSocket, DoH) and strong tunneling features, it supports lateral movement and stealthy C2 traffic. Recent campaigns tied it to espionage and phishing activity. Closer inspection of outbound traffic and exposed infrastructure is no longer optional. #ThreatIntelligence #CyberSecurity #IncidentResponse
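Vshell, a remote administration tool written in Go, is popular among cybercriminals as a Cobalt Strike substitute, according to a Censys report. Officially it claims to be for defensive purposes, but with Mimikatz showing up in the screenshots, you can draw your own conclusions. Some versions are published on GitHub, while others circulate in private Chinese-language security communities. gbhackers.com/vshell-gains-p…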
Censys reported that Vshell is a Chinese-language alternative to Cobalt Strike, highlighted on its blog with a focus on Vshell as an option for red-teaming and post-exploitation tooling. censys.com/blog/vshell/