Piece of news of the day

ADVANCED SECURITY EUROPA EOOD

Uncovering TencShell: A Closer Look at the China-Linked Malware Implant - Exclusive Report by Cato Networks' Cyber Threats Research Lab

15 May 2026

Researchers at Cato Networks' Cyber Threats Research Lab (CTRL) have uncovered a previously undocumented malware implant suspected of being linked to a China-based threat actor.
The discovery followed the team's response to an intrusion attempt at the Indian branch of a global manufacturing customer in April 2026.
The attack chain consisted of a first-stage dropper, Donut-generated shellcode, a payload masqueraded as a .woff web-font resource, in-memory injection, and command-and-control (C2) traffic shaped to look like ordinary web requests.
Its goal was to install a customized Go-based implant, TencShell, a variant of the Rshell framework.
The implant supports remote command execution, file and process management, interactive terminal access, in-memory payload execution and multiple C2 transports, among other functions.
The researchers published technical details of the campaign, showing how the implant was repackaged with changes to its communication and delivery mechanisms to fit the attacker's needs.
TencShell pairs shell-style remote-control capabilities with C2 communication whose URL paths resemble those of Tencent web services.
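The chain's use of a payload disguised as a .woff web-font resource suggests a cheap structural check for defenders: a genuine WOFF or WOFF2 file starts with a fixed magic and a header whose declared total length must equal the file size, so a blob that carries no font header, or a real font header with extra data appended behind it, can be flagged before any signature matching. The following is an added example written for this page, not code from Cato Networks or from the report; the header layout comes from the W3C WOFF 1.0/2.0 specifications, all sample files are constructed inline (no real malware), and it is an assumption that the masqueraded resource in this campaign failed one of these checks, since the report summary does not say what the file looked like.

```python
import hashlib
import math
import struct

# Magic bytes and fixed header lengths from the W3C WOFF 1.0 and WOFF 2.0 specifications.
WOFF_HEADER_LEN = {b"wOFF": 44, b"wOF2": 48}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Informational only: real WOFF/WOFF2 table data is compressed and also scores high."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_woff(blob: bytes) -> dict:
    """Structural sanity checks on something served or dropped under a .woff/.woff2 name.

    Returns {"issues": [...], "entropy": float}. An empty issue list means the header is
    self-consistent with the file; it does not prove the file is a benign font.
    """
    issues = []
    magic = blob[:4]
    hdr_len = WOFF_HEADER_LEN.get(magic)
    if hdr_len is None:
        issues.append("bad magic %r (not wOFF/wOF2)" % magic)
        return {"issues": issues, "entropy": shannon_entropy(blob)}
    if len(blob) < hdr_len:
        issues.append("header truncated")
        return {"issues": issues, "entropy": shannon_entropy(blob)}
    # Both formats: bytes 8..12 = total file length, 12..14 = numTables, 14..16 = reserved (must be 0).
    declared_len, num_tables, reserved = struct.unpack(">IHH", blob[8:16])
    if declared_len != len(blob):
        issues.append("declared length %d != actual %d (appended payload?)" % (declared_len, len(blob)))
    if num_tables == 0:
        issues.append("numTables is 0")
    if reserved != 0:
        issues.append("reserved field is %d, must be 0" % reserved)
    return {"issues": issues, "entropy": shannon_entropy(blob)}


def build_sample_woff(trailing: bytes = b"") -> bytes:
    """Constructed minimal WOFF 1.0 file: 44-byte header, one 20-byte table directory entry, 8 bytes of table data.

    `trailing` is appended without being counted in the declared length, mimicking a payload
    hidden behind a valid font header (an assumed masquerade technique, not one the report confirms).
    """
    body = (
        b"FONT"                    # table tag
        + struct.pack(">I", 64)    # offset of table data (44 + 20)
        + struct.pack(">I", 8)     # compLength
        + struct.pack(">I", 8)     # origLength
        + struct.pack(">I", 0)     # origChecksum
        + b"\x00" * 8              # table data
    )
    total = 44 + len(body)
    header = (
        b"wOFF"
        + b"\x00\x01\x00\x00"                  # flavor: TrueType sfnt
        + struct.pack(">I", total)             # length of the whole file
        + struct.pack(">H", 1)                 # numTables
        + struct.pack(">H", 0)                 # reserved
        + struct.pack(">I", 0x100)             # totalSfntSize (arbitrary for this sample)
        + struct.pack(">HH", 1, 0)             # majorVersion, minorVersion
        + struct.pack(">IIIII", 0, 0, 0, 0, 0)  # metaOffset, metaLength, metaOrigLength, privOffset, privLength
    )
    return header + body + trailing


def constructed_opaque_blob(n: int = 512) -> bytes:
    """Deterministic high-entropy bytes standing in for an encoded payload (constructed, not real shellcode)."""
    out, seed = b"", b"constructed sample"
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out[:n]


if __name__ == "__main__":
    samples = [
        ("genuine.woff", build_sample_woff()),
        ("renamed_payload.woff", constructed_opaque_blob()),
        ("font_with_overlay.woff", build_sample_woff(constructed_opaque_blob())),
    ]
    for name, blob in samples:
        r = inspect_woff(blob)
        print("%-24s entropy=%.2f  %s" % (name, r["entropy"], r["issues"] or "OK"))
```

Run it as a script to see the three constructed cases; in practice the check belongs in a proxy or EDR hook that inspects files by content rather than by extension or Content-Type, and the entropy value is printed only for context, since a clean compressed font and a packed payload can look alike on that measure.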