TencShell is a previously undocumented Go-based implant derived from the open-source Rshell framework and assessed as likely associated with China-nexus intrusion activity. It has been observed in espionage-oriented operations targeting manufacturing, supply chain, government, public sector, and financial services environments across multiple regions. The malware functions as a modular remote-access implant that provides attackers with broad post-compromise control over infected systems.
Documented capabilities include remote command execution, in-memory execution of additional payloads, file transfer, SOCKS5 proxying, multiplexed tunneling, WebSocket-based command and control, system profiling, process and file management, remote screen capture and streaming, and interactive keyboard and mouse control. Analysis also indicates support for browser artifact access, including theft of saved sessions, cookies, and login data from Chromium-based browsers, creating opportunities for both credential theft and session hijacking. TencShell also includes persistence functionality and a UAC bypass capability to facilitate privilege escalation and sustained access.
Observed delivery involved a multi-stage infection chain in which a lightweight first-stage dropper retrieved shellcode disguised as benign content and used reflective in-memory loading to execute the implant without a conventional on-disk payload deployment. In a separate infrastructure-linked campaign, TencShell was also associated with broader intrusion operations involving phishing infrastructure, credential harvesting, exploitation of public-facing applications, and parallel command-and-control redundancy. Linux variants tied to the same infrastructure have been reported, including ARM and x86 builds with capabilities such as credential and cloud-key theft, file upload and download, and remote control functions.
TencShell has been linked to infrastructure used in campaigns against organizations in Taiwan, Thailand, Afghanistan, the United States, India, and financial services targets spanning Europe, Australia, and Asia. The malware’s use alongside reconnaissance tooling, exploit development assets, phishing pages, and stolen operational data indicates its role as a post-exploitation implant within a broader espionage toolkit rather than a standalone commodity malware family.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
32 distinct techniques documented for this family, organized by ATT&CK tactic.
The attack was intercepted at the company’s India site and traced back to a third-party user with a legitimate connection to the customer’s internal environment. Attackers exploited that trusted access as a bridge, effectively turning a routine business relationship into a dangerous and highly capable entry point.
0x0B EXECUTE_COMMAND Execute system command... 0x17 INTERACTIVE_SHELL Launch shell session
If successful, TencShell could have given the attacker remote command execution, in-memory payload execution, proxying, pivoting, system profiling, and a path to deploy additional tooling.
During execution, TencShell invokes Windows Registry APIs through Go runtime wrappers to access and modify registry values.
After retrieval, the shellcode was loaded into a memory region, marked as executable, and launched through a new thread within the originating process.
Their investigation revealed a carefully constructed attack chain involving staged payloads, masqueraded file types, and command-and-control communication specifically designed to blend into normal web traffic.
The dropper then retrieved what appeared to be a standard web font file with a .woff extension, the kind websites routinely use to load custom typefaces. Inside that file was Donut shellcode
The next stage involved retrieving Donut shellcode through a masqueraded .woff resource... By placing malicious content behind a font-looking path or extension, the attacker makes the payload request appear like a routine static web asset.
Functions like SendInput, MouseClick, KeyTap, and GetScreenWebSocket were all embedded within the tool, giving an operator direct interactive control of an infected host.
The operation uncovered by Hunt researchers pivoted off known TencShell command-and-control (C2) infrastructure originally documented by Cato CTRL in May 2026.
TencShell used web-like communication patterns designed to make malicious traffic harder to distinguish from normal application traffic.
AZUREVEIL supports 36 commands that allow it to perform a wide range of post-compromise actions on the host, including ... port forwarding, SOCKS proxy control...
pkg/services/proxy/socks5.go Proxy traffic through the compromised host... pkg/services/proxy/mux/ Multiplex traffic for tunneling or pivoting
Combined with SOCKS5 proxying, DLL loading, file transfer, and persistence through a registry run key disguised as “OneDriveHealthTask,” TencShell is built for long-term, stealthy access
Some of the observed C2 paths used Tencent-like naming... This type of naming can help attacker-controlled traffic blend into normal web/API activity.
83 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A named malware/C2 framework used in the China-linked espionage campaign as core command-and-control infrastructure supporting intrusion operations and stolen data staging.
TencShell is described as a command-and-control framework used in a China-linked cyber espionage campaign. It supported operational infrastructure tied to victim source code, custom exploit scripts, operator logs, phishing assets, and broader intrusion activity.
Go-based implant derived from the open-source Rshell framework and used as command-and-control malware in an active intrusion campaign. The content ties it to a broader operation targeting government and financial-sector entities and to infrastructure used for malware delivery and C2.
A previously undocumented Go-based implant derived from rshell that could provide remote command execution, in-memory payload execution, proxying, pivoting, and system profiling, enabling deployment of additional tooling.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.