

Emergence of TencShell malware leveraging open-source Rshell framework in targeted campaign against global manufacturer

1 unique source, 1 article

Summary


China-linked threat actors deployed a previously undocumented implant, TencShell, against the Indian branch of a global manufacturer in April 2026. The attack chain consisted of a first-stage dropper, Donut-generated shellcode, a payload masquerading as a .woff web-font resource, injection of that payload into memory, and web-like C2 communication; the final stage is a customised Go implant derived from the open-source Rshell C2 framework. TencShell's C2 URLs imitate Tencent-style web service paths so that its beacons blend into ordinary enterprise traffic. Had the chain run to completion, the implant would have given the operators remote command execution, in-memory execution of further payloads, proxying and pivoting, host profiling, and a channel for deploying additional tooling.
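The masqueraded .woff resource in the chain above is a detection opportunity: a real WOFF file has a fixed header whose declared length and table directory must agree with the bytes on disk, and a shellcode blob served under a .woff name will not. The checker below is an added example written for this page, not code from the source article or from any vendor report; the sample resources and the TencShell-unrelated byte blobs are constructed here for illustration. It validates the WOFF 1.0 header (signature, declared length, reserved field) and each table-directory entry against the actual file size, and flags anything that does not fit.

```python
import struct

WOFF1_MAGIC = b"wOFF"
WOFF2_MAGIC = b"wOF2"
WOFF1_HEADER_LEN = 44      # fixed-size WOFF 1.0 header
WOFF1_DIR_ENTRY_LEN = 20   # one table-directory entry: tag, offset, compLength, origLength, origChecksum
WOFF1_HEADER_FMT = ">4sIIHHIHHIIIII"
WOFF1_DIR_ENTRY_FMT = ">4sIIII"


def build_minimal_woff(table_payload: bytes = b"\x00" * 16) -> bytes:
    """Constructed known-good input: a structurally valid WOFF 1.0 blob with one table.
    It is not a usable font; it only gives the checker a baseline that must pass."""
    num_tables = 1
    table_offset = WOFF1_HEADER_LEN + WOFF1_DIR_ENTRY_LEN * num_tables
    total_len = table_offset + len(table_payload)
    header = struct.pack(
        WOFF1_HEADER_FMT,
        WOFF1_MAGIC,                   # signature
        0x00010000,                    # flavor: TrueType sfnt version
        total_len,                     # length: total size of the WOFF file
        num_tables,                    # numTables
        0,                             # reserved, must be zero
        12 + 16 + len(table_payload),  # totalSfntSize (not validated here)
        1, 0,                          # majorVersion, minorVersion
        0, 0, 0,                       # metaOffset, metaLength, metaOrigLength
        0, 0,                          # privOffset, privLength
    )
    entry = struct.pack(WOFF1_DIR_ENTRY_FMT, b"cmap", table_offset,
                        len(table_payload), len(table_payload), 0)
    return header + entry + table_payload


def inspect_woff(data: bytes) -> list[str]:
    """Return structural findings for a blob that claims to be a WOFF file.
    An empty list means the header and table directory are self-consistent."""
    findings: list[str] = []
    magic = data[:4]
    if magic == WOFF2_MAGIC:
        # WOFF2 uses a different header layout; this example checks WOFF 1.0 only.
        return findings
    if magic != WOFF1_MAGIC:
        findings.append(f"magic mismatch: expected wOFF/wOF2, got {magic!r}")
        return findings
    if len(data) < WOFF1_HEADER_LEN:
        findings.append("truncated header")
        return findings
    _, _flavor, length, num_tables, reserved, *_rest = struct.unpack(
        WOFF1_HEADER_FMT, data[:WOFF1_HEADER_LEN])
    if length != len(data):
        findings.append(f"declared length {length} != actual size {len(data)}")
    if reserved != 0:
        findings.append(f"reserved field is {reserved}, must be 0")
    dir_end = WOFF1_HEADER_LEN + WOFF1_DIR_ENTRY_LEN * num_tables
    if dir_end > len(data):
        findings.append(f"table directory ({num_tables} entries) runs past end of file")
        return findings
    for i in range(num_tables):
        start = WOFF1_HEADER_LEN + WOFF1_DIR_ENTRY_LEN * i
        tag, offset, comp_len, orig_len, _csum = struct.unpack(
            WOFF1_DIR_ENTRY_FMT, data[start:start + WOFF1_DIR_ENTRY_LEN])
        if offset + comp_len > len(data):
            findings.append(f"table {tag!r} extends past end of file")
        if comp_len > orig_len:
            findings.append(f"table {tag!r} compressed length exceeds original length")
    return findings


def scan_resources(resources: dict[str, bytes]) -> dict[str, list[str]]:
    """Inspect every resource whose name claims to be a web font."""
    report = {}
    for name, blob in resources.items():
        if name.lower().endswith((".woff", ".woff2")):
            report[name] = inspect_woff(blob)
    return report


# Constructed samples (hypothetical names and bytes, not TencShell artefacts).
SAMPLES = {
    "fonts/roboto.woff": build_minimal_woff(),
    # Opaque non-font bytes served under a .woff name: the masquerade case.
    "fonts/icons.woff": bytes(range(0x40, 0x80)),
    # Valid header with a blob appended after the declared end of the file.
    "fonts/padded.woff": build_minimal_woff() + b"\xcc" * 32,
}

if __name__ == "__main__":
    for name, findings in scan_resources(SAMPLES).items():
        status = "OK" if not findings else "SUSPICIOUS"
        print(f"{status:10} {name}: {'; '.join(findings) or 'structure consistent'}")
```

Run it over a directory of fonts pulled from a proxy cache or a web root and triage whatever is reported; a legitimate WOFF should produce no findings, while an implant stage hidden under the extension fails at the signature or the length check. The check is structural only, so a payload appended after a genuine font's declared length is caught by the length comparison rather than by any content inspection.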

Timeline

  1. 15.05.2026 11:00 · 1 article

    New TencShell malware implant deployed via open-source Rshell framework in targeted campaign

    A previously undocumented implant named TencShell was deployed against the Indian branch of a global manufacturer in April 2026. The attack chain used a first-stage dropper, Donut-generated shellcode, and a payload masquerading as a .woff web-font resource to deliver a customised Go implant derived from the open-source Rshell C2 framework. The implant's C2 traffic imitates Tencent-style web service paths; once running, it provides remote command execution, in-memory payload execution, and host profiling.


Information Snippets