China-Linked Hackers Deploy New TencShell Malware Against Manufacturer
https://www.infosecurity-magazine.com/news/china-hackers-tencshell-malware/
Publish Date: 2026-05-19 00:36:15
Source Domain: www.infosecurity-magazine.com
Summary:
Researchers at Cato Networks’ Cyber Threats Research Lab (CTRL) discovered an undocumented malware implant, suspected to be affiliated with a China-linked actor, while handling an intrusion attempt targeting the Indian branch of a global manufacturing firm in April 2026. Although the Cato CTRL team successfully thwarted the attack, they uncovered suspicious traffic tied to a third-party user in the customer’s environment. The operation employed multiple advanced techniques, including a first-stage dropper (Donut shellcode), masquerading as a .woff web-font resource, memory injection, and web-like command-and-control (C2) communication. The attackers aimed to install a Go-based implant named ‘TencShell,’ derived from the open-source Rshell framework and customized to fit the operation’s requirements. Although Cato CTRL highlighted that –