TencShell infection chain | Image: Cato
Security researchers have exposed a highly stealthy attempted intrusion that weaponized an open-source framework into a potent new malware strain dubbed “TencShell.”
In April 2026, the threat intelligence team at Cato CTRL successfully intercepted and thwarted an attack aimed at a global manufacturing organization. The attackers did not smash through the front door; instead, they exploited a trusted connection, with the malicious activity tracing back to traffic associated with a third-party user already connected to the customer’s environment.
“A C2 framework deployed through third-party access can turn a trusted business connection into an attacker-controlled bridge,” the Cato CTRL Executive Summary warned.
At the heart of the attack was TencShell, a previously undocumented, Go-based implant. Rather than building an exploit from scratch, the adversaries derived TencShell from the publicly available Rshell command-and-control (C2) framework.
The threat actors went to great lengths to camouflage their activity. The attack chain began with a first-stage dropper that used Donut shellcode and hid the malicious payload as a resource masquerading as a .woff web font. From there, the malware injected itself into memory and established C2 communication that mimicked ordinary web traffic.
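As an added defender-side illustration (not code from the Cato report or the TencShell analysis), the Python below checks whether bytes served under a .woff name actually form a WOFF 1.0 container by validating the 44-byte header and table directory. It assumes the masqueraded payload does not carry a fully self-consistent WOFF header, which the report does not specify, and the sample inputs are constructed here.

```python
import struct
# WOFF 1.0 header (44 bytes) and table-directory entry (20 bytes), big-endian,
# as laid out in the W3C WOFF 1.0 specification.
WOFF_HEADER = struct.Struct(">4sIIHHIHHIIIII")
TABLE_ENTRY = struct.Struct(">4sIIII")


def check_woff(data: bytes) -> list:
    """Return findings arguing against `data` being a real WOFF 1.0 font;
    an empty list means header and table directory are self-consistent."""
    findings = []
    if len(data) < WOFF_HEADER.size:
        return ["shorter than the 44-byte WOFF header"]
    sig, _flavor, length, num_tables, reserved, *_ = WOFF_HEADER.unpack_from(data)
    if sig != b"wOFF":  # a renamed payload normally fails here already
        hint = " (PE/MZ header)" if data[:2] == b"MZ" else ""
        return [f"bad signature {sig!r}{hint}"]
    if reserved != 0:
        findings.append("reserved header field is non-zero")
    if length != len(data):
        findings.append(f"header length {length} != actual size {len(data)}")
    dir_end = WOFF_HEADER.size + num_tables * TABLE_ENTRY.size
    if dir_end > len(data):
        return findings + ["table directory overruns the file"]
    for i in range(num_tables):
        entry = WOFF_HEADER.size + i * TABLE_ENTRY.size
        tag, off, comp_len, orig_len, _csum = TABLE_ENTRY.unpack_from(data, entry)
        if off + comp_len > len(data):
            findings.append(f"table {tag!r} extends past end of file")
        if comp_len > orig_len:  # spec: compLength never exceeds origLength
            findings.append(f"table {tag!r} compressed length exceeds original")
    return findings


def build_sample_woff() -> bytes:
    """Constructed minimal WOFF 1.0 with one dummy table (not a usable font)."""
    table = b"\x00" * 32
    data_off = WOFF_HEADER.size + TABLE_ENTRY.size
    directory = TABLE_ENTRY.pack(b"head", data_off, len(table), len(table), 0)
    header = WOFF_HEADER.pack(b"wOFF", 0x00010000, data_off + len(table), 1, 0,
                              12 + 16 + len(table), 1, 0, 0, 0, 0, 0, 0)
    return header + directory + table


# Constructed samples: a consistent container, a PE renamed to .woff, a spoofed signature.
SAMPLES = {
    "font.woff": build_sample_woff(),
    "payload.woff": b"MZ\x90\x00" + b"\x00" * 60,
    "spoofed.woff": b"wOFF" + b"A" * 60,
}
```

A payload embedded inside a structurally valid font container would pass this check, so it is a triage filter for oddly served web-font resources, not a verdict.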
Researchers suspect the attack may be China-linked, pointing to the malware’s Rshell lineage, its impersonation of Tencent-themed APIs, and specific infrastructure patterns. However, the report cautions that these indicators alone are not enough for a definitive attribution.
If the TencShell installation had been fully successful, the threat actors would have gained the ability to execute remote commands, steal credentials, inspect files, and pivot deeper into internal systems that were not directly exposed to the internet.
The discovery of TencShell highlights a growing and dangerous trend in the cyber underworld: the repurposing of legitimate or open-source offensive security tools by malicious actors.
“Attackers no longer need custom malware development pipelines to conduct sophisticated intrusions. Adaptable open-source tooling is often enough.”
By customizing Rshell into a practical post-exploitation tool, the attackers gained capabilities for in-memory execution, proxying, pivoting, and system profiling. As the report states, “Rather than building a completely new malware family, the attacker adapted available offensive tooling and attempted to blend the activity into normal enterprise traffic.”