Suspected China-linked TencShell malware targets global manufacturer

A previously undocumented malware implant dubbed 'TencShell' was spotted in an attack on an unnamed global manufacturing company, according to Cato CTRL’s new threat analysis. The activity was traced to a third-party user connection into the customer’s India-based environment.

Researchers described TencShell as a customized, Go-based command-and-control (C&C) implant based on the open-source Rshell framework. The malware appeared designed for in-memory execution and long-term remote operations, including command execution, proxying, system reconnaissance, payload staging, and lateral movement.

The attack chain began with a lightweight first-stage dropper that initiated follow-on payload delivery rather than deploying the full implant. The chain also involved Donut, an open-source tool that converts Windows executables and .NET assemblies into position-independent shellcode for in-memory execution. In this case, Donut-generated shellcode acted as the execution bridge between the staged payload and the TencShell implant.

The attackers also used a masqueraded .woff web-font file to conceal malicious payload delivery, together with memory injection techniques and web-like C&C communications intended to blend into normal network traffic. Cato researchers said they have observed infrastructure patterns pointing to suspected China-linked activity. However, there is not enough evidence for definitive attribution, researchers noted.
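The masqueraded web-font file described above is a file-type mismatch, and that is something a defender can check mechanically at a proxy or in a sandbox. The following is an added illustration, not code from Cato CTRL or from the TencShell report: it verifies that a download claiming to be a WOFF font actually starts with the WOFF signature, that the advertised Content-Type is a font type, and that the 44-byte WOFF header's length field matches the body received. The sample blobs are constructed here for the example (the "MZ" stub is not a real executable, just the two-byte header), and the check generalizes to any extension-versus-content comparison, not only .woff.

```python
import struct

# Real container signatures: WOFF 1.0, WOFF 2.0 and a Windows PE image.
WOFF_MAGIC = b"wOFF"
WOFF2_MAGIC = b"wOF2"
PE_MAGIC = b"MZ"
# Content-Types a legitimate font server would normally send.
FONT_CONTENT_TYPES = {"font/woff", "font/woff2", "application/font-woff"}


def container_type(data: bytes) -> str:
    """Identify the container from its leading bytes, ignoring the claimed extension."""
    if data.startswith(WOFF_MAGIC):
        return "woff"
    if data.startswith(WOFF2_MAGIC):
        return "woff2"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


def woff_header_sane(data: bytes) -> bool:
    """Check the fixed 44-byte WOFF header against the blob actually received.

    Layout: signature(4) flavor(4) length(4) numTables(2) reserved(2) totalSfntSize(4) ...
    A real font declares its own total length; a payload wearing a font magic rarely does.
    """
    if len(data) < 44 or not data.startswith(WOFF_MAGIC):
        return False
    _flavor, length, num_tables, reserved, _sfnt_size = struct.unpack(">4sIHHI", data[4:20])
    return length == len(data) and reserved == 0 and num_tables > 0


def assess_font_download(name: str, content_type: str, data: bytes) -> list:
    """Return the reasons a supposed web font looks masqueraded (empty list = consistent)."""
    reasons = []
    kind = container_type(data)
    lower = name.lower()
    if lower.endswith(".woff") and kind != "woff":
        reasons.append(f"extension .woff but content is {kind}")
    if lower.endswith(".woff2") and kind != "woff2":
        reasons.append(f"extension .woff2 but content is {kind}")
    media_type = content_type.split(";")[0].strip().lower() if content_type else ""
    if media_type not in FONT_CONTENT_TYPES:
        reasons.append(f"non-font Content-Type {content_type!r}")
    if kind == "woff" and not woff_header_sane(data):
        reasons.append("WOFF header length/reserved fields inconsistent with body")
    return reasons


def _constructed_woff() -> bytes:
    """Build a minimal, self-consistent WOFF blob (constructed for this example, not a usable font)."""
    table = b"\x00" * 8
    # One table-directory entry: tag, offset, compLength, origLength, origChecksum.
    directory = struct.pack(">4sIIII", b"head", 44 + 20, len(table), len(table), 0)
    total = 44 + len(directory) + len(table)
    header = struct.pack(
        ">4s4sIHHIHHIIIII",
        WOFF_MAGIC, b"OTTO", total, 1, 0, 12 + 16 + len(table),
        1, 0, 0, 0, 0, 0, 0,
    )
    return header + directory + table


# Constructed observations: (file name, Content-Type header, body bytes).
SAMPLES = [
    ("site.woff", "font/woff", _constructed_woff()),
    ("loader.woff", "application/octet-stream", PE_MAGIC + b"\x00" * 98),
    ("stub.woff", "font/woff", WOFF_MAGIC + b"\x00" * 40),
]


def scan(samples=SAMPLES) -> dict:
    """Map each observed file name to the list of masquerade indicators found."""
    return {name: assess_font_download(name, ctype, body) for name, ctype, body in samples}


if __name__ == "__main__":
    for name, reasons in scan().items():
        print(name, "->", "consistent" if not reasons else "; ".join(reasons))
```

Only the third sample is interesting in practice: a blob that carries the WOFF magic but has no coherent header is exactly what a payload with a prepended signature looks like, and a magic-bytes check alone would wave it through. Running the header consistency check in addition to the extension and Content-Type checks is what separates "looks like a font" from "is structured like a font".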

“TencShell” was named for its shell-style remote control capabilities and network communications designed to imitate Tencent-related web services. The modified malware implemented customized delivery and communication mechanisms while retaining some of the core Rshell functions, such as remote terminal access, file and process management, multiple C&C transport methods, and in-memory payload execution.

Cato CTRL said the intrusion became apparent only after correlating multiple indicators, including suspicious external infrastructure, host-level artifacts, payload staging behavior, and C&C-like traffic patterns. The intrusion attempt was blocked before the attackers could establish persistent remote control inside the environment.

If successfully deployed, TencShell could have allowed attackers to execute commands, inspect files, steal credentials or session material, stage additional tools, route traffic through compromised endpoints, and pivot deeper into internal systems not directly exposed to the internet. Researchers warned that abuse of third-party connectivity can effectively transform a trusted business relationship into an attacker-controlled access channel.

While Cato researchers were not able to determine the initial infection vector, they believe the attackers could have leveraged phishing, malicious downloads, or other web-based delivery methods as possible entry points.