Suspected China-linked actor campaign expands across multiple victims
Campaign
Summary
The TencShell campaign matters because it combined adapted open-source tooling with web-like C2 to target the Indian branch of a global manufacturing customer. The intrusion attempt occurred in April 2026 and was blocked before full compromise. The payload was an undocumented Rshell-derived implant, customized with communication and delivery changes to better fit the operation. Had it succeeded, it could have enabled remote command execution, pivoting, and deployment of additional tooling.
Related Happenings
TencShell Rshell-derived intrusion implant
Malware Activity
First: 15.05.2026 11:00
Last: 15.05.2026 11:00
Sources 1
How related:
The version observed is an undocumented variant of Rshell, customized and repackaged for this operation, with “communication and delivery changes that made it more suitable for the attacker’s campaign,” explained the researchers in a May 13 report in which they shared technical details about the campaign.
About this happening:
**TencShell** surfaced as a customized **Rshell-derived** implant used in an intrusion attempt, raising the risk of **remote control** and **pivoting** inside a manufacturing cust...
Timeline
- 13.05.2026 03:00 (2 articles)
Cato CTRL publishes technical analysis of the TencShell implant
Technical Analysis Update
Researchers at Cato Networks’ Cyber Threats Research Lab (CTRL) shared technical details on TencShell, an undocumented Go-based implant derived from the open-source Rshell C2 framework and customized for an intrusion attempt against the Indian branch of an unnamed global manufacturing customer. The observed intrusion chain used a first-stage dropper, Donut shellcode, a masqueraded .woff web-font resource, memory injection, and web-like command-and-control communication; the researchers also said the evidence suggests a China-linked actor but is not sufficient on its own for attribution.
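The chain above hides a payload behind a .woff file name. One defensive check a practitioner can run over proxy captures or web-root files is to verify that anything named .woff/.woff2 actually carries a valid WOFF header. The example below is added here and is not code from the Cato CTRL report; the sample inputs are constructed, and `find_masqueraded` is a hypothetical helper name.

```python
import struct

def build_woff_header(total_len: int, num_tables: int = 1) -> bytes:
    """Constructed minimal WOFF 1.0 header (44 bytes) for the sample input.
    Fields: signature, flavor, length, numTables, reserved, totalSfntSize,
    majorVersion, minorVersion, metaOffset, metaLength, metaOrigLength,
    privOffset, privLength. Values are illustrative only."""
    return struct.pack(">4sIIHHIHHIIIII", b"wOFF", 0x00010000, total_len,
                       num_tables, 0, 12 + 16 * num_tables, 1, 0, 0, 0, 0, 0, 0)

# Constructed samples: a header-valid "font" and an arbitrary non-font blob
# standing in for a payload that was merely renamed to .woff.
SAMPLE_FONT = build_woff_header(44 + 64) + bytes(64)
SAMPLE_MASQUERADE = bytes(range(256)) * 2

def classify_woff(data: bytes) -> str:
    """Return 'woff', 'woff2' or 'not-a-font' from header sanity checks."""
    sig = data[:4]
    header_len = {b"wOFF": 44, b"wOF2": 48}.get(sig)
    if header_len is None or len(data) < header_len:
        return "not-a-font"
    # Both formats share the first 16 bytes: signature, flavor,
    # total file length, numTables, reserved (must be zero).
    length, num_tables, reserved = struct.unpack(">IHH", data[8:16])
    if length != len(data) or num_tables == 0 or reserved != 0:
        return "not-a-font"
    return "woff" if sig == b"wOFF" else "woff2"

def find_masqueraded(files: dict) -> list:
    """Given {name: content}, list .woff/.woff2 names whose bytes are not a font."""
    return sorted(name for name, content in files.items()
                  if name.lower().endswith((".woff", ".woff2"))
                  and classify_woff(content) == "not-a-font")

if __name__ == "__main__":
    print(find_masqueraded({"site.woff": SAMPLE_FONT,
                            "icons.woff": SAMPLE_MASQUERADE,
                            "app.js": b"// not a font"}))
```

A hit does not prove malice on its own (some CDNs serve mislabeled fonts), but it is a cheap triage filter for the masquerade technique the report describes.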
- China-Linked Hackers Deploy New TencShell Malware Against Global Manufacturer — www.infosecurity-magazine.com — 15.05.2026 11:00