TencShell Rshell-derived intrusion implant
Malware Activity
Summary
TencShell surfaced as a customized Rshell-derived implant used in an intrusion attempt against a manufacturing customer environment, where a successful deployment would have given the operator remote control and a foothold for pivoting. The delivery chain relied on a first-stage dropper, Donut shellcode, a resource masqueraded as a .woff web font, and memory injection to stage the payload. Its web-like C2 and Tencent-themed paths were designed to blend the malware's traffic into normal enterprise activity. Had it succeeded, the implant could have enabled in-memory execution, proxying, system profiling, and delivery of additional tools.
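One check a defender can run against the masqueraded .woff stage described above is to verify that anything served or written under a .woff name actually carries a WOFF/WOFF2 header with a length field that matches the data, and to flag opaque high-entropy blobs or renamed PE images that do not. The script below is an added example for this page, not code from the report or its authors; the file names, the entropy threshold, and all sample bytes are constructed placeholders, not artifacts from the campaign.

```python
"""Flag resources delivered under a .woff name that are not real web fonts.

Added example; not code from the TencShell report or its authors.
All sample bytes below are constructed locally so the script runs offline.
"""
import hashlib
import math
import struct

# WOFF 1.0 and WOFF 2.0 both open with a 4-byte signature, the wrapped font's
# sfnt flavor (4 bytes), and the total file length as a big-endian uint32.
WOFF_SIGNATURES = (b"wOFF", b"wOF2")
MIN_WOFF_HEADER = 12


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 to 8.0); packed or encrypted payloads sit close to 8."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def looks_like_woff(data: bytes) -> bool:
    """True only if the signature is WOFF/WOFF2 and the declared length matches the data."""
    if len(data) < MIN_WOFF_HEADER or data[:4] not in WOFF_SIGNATURES:
        return False
    (declared_length,) = struct.unpack(">I", data[8:12])
    return declared_length == len(data)


def classify_woff_resource(name: str, data: bytes, entropy_threshold: float = 7.2) -> str:
    """Return a verdict for a resource served or written under a .woff name.

    entropy_threshold is an assumed tuning value. Genuine WOFF content is compressed
    and can also score high, which is why the header check runs before the entropy check.
    """
    if not name.lower().endswith(".woff"):
        return "not-woff-name"
    if looks_like_woff(data):
        return "valid-woff"
    if data[:2] == b"MZ":
        return "masqueraded-pe"            # a PE image renamed to .woff
    if shannon_entropy(data) >= entropy_threshold:
        return "masqueraded-high-entropy"  # opaque blob, e.g. packed or encrypted shellcode
    return "masqueraded"                   # wrong header, low entropy (text, script, etc.)


def scan_resources(resources: dict) -> dict:
    """Classify every resource in a {name: bytes} mapping."""
    return {name: classify_woff_resource(name, data) for name, data in resources.items()}


# --- constructed samples (placeholders, not captured from the campaign) ---
# Minimal structurally valid WOFF 1.0 header: signature, flavor 0x00010000, length 44, zero padding.
SAMPLE_VALID_WOFF = b"wOFF" + b"\x00\x01\x00\x00" + struct.pack(">I", 44) + b"\x00" * 32
# Deterministic pseudo-random blob (4096 bytes) standing in for an encrypted/packed payload.
SAMPLE_OPAQUE_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
# A renamed PE stub: DOS header magic followed by filler.
SAMPLE_PE_STUB = b"MZ" + b"\x90" * 62 + b"\x00" * 64

if __name__ == "__main__":
    verdicts = scan_resources({
        "font.woff": SAMPLE_VALID_WOFF,
        "icons.woff": SAMPLE_OPAQUE_BLOB,
        "glyphs.woff": SAMPLE_PE_STUB,
        "app.js": SAMPLE_OPAQUE_BLOB,
    })
    for name, verdict in verdicts.items():
        print(f"{name}: {verdict}")
```

The header check is ordered before the entropy check on purpose: real WOFF data is compressed and would otherwise trip an entropy-only rule, so the header and length fields are what separate a genuine font from a blob that merely borrowed its extension. Feed it the bytes of responses logged by a web proxy or files written to a browser cache or temp directory; it does not see the in-memory Donut stage, only the disguised resource that carried it.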
Related Happenings
Suspected China-linked actor campaign expands across multiple victims
Campaign
First: 15.05.2026 11:00
Last: 15.05.2026 11:00
Sources 1
How related:
The version observed is an undocumented variant of Rshell, customized and repackaged for this operation, with “communication and delivery changes that made it more suitable for the attacker’s campaign,” explained the researchers in a May 13 report in which they shared technical details about the campaign.
About this happening:
A **TencShell** campaign now matters because it used adapted open-source tooling and web-like **C2** to target an **Indian branch** of a **global manufacturing customer**. The int...
Timeline
15.05.2026 11:00 · 2 articles
TencShell Rshell-derived intrusion implant
Initial Disclosure: In **April 2026**, a staged delivery chain used a **first-stage dropper**, **Donut shellcode**, and a disguised **.woff** resource to attempt memory-based deployment of **TencShell**. The early phase focused on getting the implant into memory and establishing **web-like C2** traffic.
Sources
- China-Linked Hackers Deploy New TencShell Malware Against Global Manufacturer — www.infosecurity-magazine.com — 15.05.2026 11:00