New Malware Framework Grants Screen Control, Browser Access, UAC Bypass
Key Takeaways
- A new malware framework, TencShell, has been identified, offering comprehensive remote control over compromised systems, including screen control, browser data access, and UAC bypass capabilities.
- TencShell is a customized version of the open-source Rshell framework, designed to mimic legitimate Tencent API traffic to evade detection.
- The malware was recently detected and blocked during an attack against a global manufacturing company, initiated through a compromised third-party connection in India.
- This incident highlights a growing trend where threat actors repurpose readily available offensive tools to execute sophisticated, targeted intrusions with reduced effort.
Cybersecurity researchers have uncovered a sophisticated new malware framework, dubbed TencShell, which grants attackers extensive remote control over infected machines. This previously unknown implant was recently observed in an active deployment against a multinational manufacturing firm, underscoring the escalating threat posed by adapted open-source offensive tools.
The discovery, detailed in a report by analysts at Cato Networks, illustrates how threat actors are increasingly leveraging and customizing publicly available frameworks to execute targeted intrusions. This approach significantly lowers the barrier to entry for conducting advanced attacks, allowing for potent and difficult-to-detect tools to be developed with less investment in bespoke malware creation.
The attempted intrusion, intercepted in April 2026 at the manufacturing company’s India operations, was traced to a third-party user who had legitimate access to the customer’s internal network. Cato Networks successfully blocked the attack before the threat actor could establish persistent remote control, preventing further compromise.
The investigation revealed a meticulously crafted attack chain, featuring layered payloads, disguised file types, and command-and-control (C2) communications engineered to blend seamlessly with routine web traffic. While the initial infection vector remains unconfirmed, it is presumed to have been a result of phishing, a malicious download, or another web-based delivery mechanism.
Advanced Capabilities of TencShell
TencShell is a tailored variant of Rshell, an open-source framework popular in offensive security circles for its cross-platform utility. The threat actor behind TencShell customized Rshell by integrating communication patterns that closely emulate Tencent-style API traffic. This strategic disguise allows malicious requests to masquerade as benign application activity, making detection considerably more challenging. The name “TencShell” itself is a portmanteau, combining “Tenc” from its Tencent-like C2 paths and “Shell” reflecting its core remote access functionality.
The broader implications of TencShell extend beyond this single incident. The ease with which threat actors can adapt existing offensive frameworks to create potent, stealthy tools signals a worrying trend. This accessibility democratizes advanced attack capabilities, enabling a wider array of malicious actors to conduct sophisticated operations without requiring extensive custom malware development.
As a full operator framework, TencShell’s capabilities are extensive, far surpassing basic command execution. Analysis of recovered code modules confirms that the implant supports:
- Screen capture
- Live screen streaming via WebSocket
- Real-time keyboard and mouse simulation
Integrated functions such as SendInput, MouseClick, KeyTap, and GetScreenWebSocket provide operators with direct, interactive control over a compromised host, effectively allowing them to operate the system as if they were physically present.
Beyond remote control, TencShell incorporates specialized routines designed to extract browser artifacts from both Google Chrome and Microsoft Edge. Recovered opcodes reveal commands for reading and clearing saved sessions, login credentials, and cookies from these browsers. This functionality creates a direct pathway for credential theft and session hijacking, posing a significant risk to any organization where TencShell gains a foothold.
A notable feature of TencShell is its User Account Control (UAC) bypass module, identified by the opcode UAC_BYPASS. This module enables the attacker to escalate privileges without triggering the standard Windows security prompts, thereby maintaining stealth and expanding their control. Coupled with SOCKS5 proxying, dynamic-link library (DLL) loading, file transfer capabilities, and a persistence mechanism disguised as “OneDriveHealthTask” within a registry run key, TencShell is engineered for long-term, covert access rather than rapid, disruptive attacks.
TencShell Infection Chain and Delivery Method
The TencShell attack observed by Cato Networks followed a well-structured, multi-stage delivery process. The initial access led to the execution of a lightweight, first-stage dropper. This dropper was designed to be small and inconspicuous, primarily tasked with fetching the subsequent payload while using a fake User-Agent to camouflage its outbound requests within regular network traffic.
The dropper then retrieved a file that appeared to be a standard web font file with a .woff extension. However, this file contained Donut shellcode, an open-source tool renowned for its ability to load Windows payloads directly into memory, thus circumventing the need to write files to disk. This clever masquerade ensures that the payload delivery resembles a routine browser asset fetch, rather than a malicious operation.
Upon retrieval, the Donut shellcode was loaded into a memory region, marked as executable, and launched within the originating process via a new thread. Donut subsequently reflectively mapped the TencShell implant into memory, completing the infection chain and preparing the malware for active command-and-control communications.
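The delivery step described above rests on a payload that only looks like a web font. Two defender-side checks follow from that: a font should be fetched by a browser, and a response served as `.woff` should carry a WOFF header. The script below is an added example, not code from the article or from Cato Networks; the pipe-delimited proxy log layout, the process allowlist, the hostnames and the captured bodies are all constructed for the example.

```python
import struct
from dataclasses import dataclass
from urllib.parse import urlsplit

# Processes expected to fetch web fonts. Constructed allowlist for this example;
# tune it to the browsers actually deployed in your estate.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

WOFF_HEADER_LEN = 44  # WOFF 1.0 header size; both WOFF and WOFF2 carry 'length' at offset 8


def is_valid_woff(data: bytes) -> bool:
    """Return True if `data` plausibly is a WOFF/WOFF2 font.

    Both formats begin with a 4-byte signature ('wOFF' or 'wOF2'), the sfnt
    flavor, and a big-endian uint32 giving the total file length. A shellcode
    blob served with a .woff extension fails the signature check; a truncated
    or padded file fails the length check.
    """
    if len(data) < WOFF_HEADER_LEN or data[:4] not in (b"wOFF", b"wOF2"):
        return False
    declared_len = struct.unpack(">I", data[8:12])[0]
    return declared_len == len(data)


@dataclass
class Finding:
    ts: str
    process: str
    url: str
    reason: str


def parse_proxy_line(line: str):
    """Parse one record: ts|src_ip|process|url|user_agent|status (constructed layout)."""
    fields = line.strip().split("|")
    if len(fields) != 6:
        return None
    ts, src_ip, process, url, user_agent, status = fields
    return {"ts": ts, "src_ip": src_ip, "process": process, "url": url,
            "user_agent": user_agent, "status": status}


def detect_font_fetches(lines, bodies=None):
    """Flag .woff/.woff2 requests made outside a browser context.

    `bodies` optionally maps a URL to the response bytes the proxy captured,
    so the content is checked against the WOFF header as well as the context.
    """
    bodies = bodies or {}
    findings = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["url"]).path.lower()
        if not path.endswith((".woff", ".woff2")):
            continue
        if rec["process"].lower() not in BROWSER_PROCESSES:
            findings.append(Finding(rec["ts"], rec["process"], rec["url"],
                                    "web font fetched by non-browser process"))
        body = bodies.get(rec["url"])
        if body is not None and not is_valid_woff(body):
            findings.append(Finding(rec["ts"], rec["process"], rec["url"],
                                    "response served as .woff is not a WOFF file"))
    return findings


def make_sample_woff() -> bytes:
    """Construct a minimal, structurally valid 44-byte WOFF 1.0 header-only blob."""
    header = b"wOFF" + b"\x00\x01\x00\x00" + struct.pack(">I", WOFF_HEADER_LEN)
    return header + b"\x00" * (WOFF_HEADER_LEN - len(header))


# Constructed sample log: ordinary browser requests plus one font fetch from a
# non-browser process. Hostnames are placeholders, not indicators.
SAMPLE_LOG = [
    "2026-04-02T09:14:01Z|10.1.2.3|chrome.exe|https://fonts.example.test/ui.woff2|Mozilla/5.0|200",
    "2026-04-02T09:14:05Z|10.1.2.3|msedge.exe|https://cdn.example.test/app.js|Mozilla/5.0|200",
    "2026-04-02T09:16:40Z|10.1.2.3|updater.exe|https://api.example.invalid/static/f1.woff|Mozilla/5.0|200",
    "2026-04-02T09:17:02Z|10.1.2.3|chrome.exe|https://www.example.test/|Mozilla/5.0|200",
]

# Constructed captured bodies: a valid font for the browser fetch and an
# executable-looking blob for the non-browser fetch.
SAMPLE_BODIES = {
    "https://fonts.example.test/ui.woff2": make_sample_woff(),
    "https://api.example.invalid/static/f1.woff": b"MZ\x90\x00" + b"\x00" * 60,
}

if __name__ == "__main__":
    for f in detect_font_fetches(SAMPLE_LOG, SAMPLE_BODIES):
        print(f"{f.ts} {f.process} {f.url}: {f.reason}")
```

Run as-is it reports the `updater.exe` fetch twice, once for context and once for content; feed it your proxy export (and captured bodies, if your proxy keeps them) in the same column order. The header check is deliberately shallow: it rejects the disguise described in the article without parsing table directories, which keeps it cheap enough to run inline.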
What You Should Do
Defenders are urged to implement robust monitoring and detection strategies to counter threats like TencShell. Specific mitigation steps include:
- Monitor Outbound Network Traffic: Scrutinize all outbound requests for unusual activity, especially connections to unfamiliar endpoints or unexpected .woff paths outside of normal browser contexts.
- Enhance Endpoint Detection: Deploy advanced Endpoint Detection and Response (EDR) solutions capable of identifying in-memory execution, reflective DLL loading, and UAC bypass attempts.
- Review Registry Autorun Entries: Regularly audit the Windows Registry for suspicious autorun entries, particularly those disguised as legitimate system tasks like “OneDriveHealthTask.”
- Implement Least Privilege: Enforce the principle of least privilege for all users and third-party connections to minimize the impact of a compromised account.
- User Awareness Training: Conduct continuous training for employees on phishing prevention and safe browsing habits to reduce the likelihood of initial infection.
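The registry audit recommended above can be scripted. The following is an added example, not code from the article or from Cato Networks: it reads the HKCU and HKLM Run keys on a Windows host and otherwise falls back to constructed sample entries, then flags values whose name borrows vendor branding while pointing outside the vendor's install locations (the “OneDriveHealthTask” pattern), values launched through a living-off-the-land binary, and commands that reference user-writable staging directories. The trusted-path list, the lookalike word list and the sample entries are assumptions to tune for your environment.

```python
import re

RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Value names that borrow a vendor's branding should resolve to binaries under
# these locations. Constructed starting point for this example.
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\",
)
# OneDrive itself legitimately autoruns from the per-user profile.
ONEDRIVE_HOME = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\microsoft\\onedrive\\")
LOOKALIKE_NAME = re.compile(r"onedrive|microsoft|windows|defender|update", re.I)
LOLBIN = re.compile(r"\b(rundll32|regsvr32|mshta|wscript|cscript|powershell|pwsh)(\.exe)?\b", re.I)
STAGING_DIR = re.compile(r"\\(temp|tmp|public|downloads|programdata)\\", re.I)


def extract_image_path(command: str) -> str:
    """Pull the executable path out of an autorun command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def is_trusted_path(image: str) -> bool:
    image = image.lower()
    return image.startswith(TRUSTED_PREFIXES) or bool(ONEDRIVE_HOME.match(image))


def audit_run_entries(entries):
    """Return (key, value_name, [reasons]) for each entry that deserves a look.

    `entries` is an iterable of (key, value_name, command) tuples.
    """
    findings = []
    for key, name, command in entries:
        image = extract_image_path(command)
        reasons = []
        if LOOKALIKE_NAME.search(name) and not is_trusted_path(image):
            reasons.append("vendor-style name but image outside trusted install locations")
        if LOLBIN.search(command):
            reasons.append("autorun goes through a living-off-the-land binary")
        if STAGING_DIR.search(command):
            reasons.append("command references a user-writable staging directory")
        if reasons:
            findings.append((key, name, reasons))
    return findings


def collect_live_run_entries():
    """Read the HKCU and HKLM Run keys on a Windows host; returns [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    for hive, hive_name in ((winreg.HKEY_CURRENT_USER, "HKCU"),
                            (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            with winreg.OpenKey(hive, RUN_SUBKEY) as key:
                index = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values under this key
                    entries.append((hive_name + "\\" + RUN_SUBKEY, name, str(value)))
                    index += 1
        except OSError:
            continue  # hive or key not readable from this context
    return entries


# Constructed sample entries: two legitimate autoruns and two that imitate them.
SAMPLE_ENTRIES = [
    ("HKCU\\" + RUN_SUBKEY, "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("HKLM\\" + RUN_SUBKEY, "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("HKCU\\" + RUN_SUBKEY, "OneDriveHealthTask", r'"C:\Users\alice\AppData\Roaming\health\svc.exe"'),
    ("HKCU\\" + RUN_SUBKEY, "WindowsUpdater", r"rundll32.exe C:\Users\Public\cache.dll,Start"),
]

if __name__ == "__main__":
    for key, name, reasons in audit_run_entries(collect_live_run_entries() or SAMPLE_ENTRIES):
        print(f"{key}\\{name}: {'; '.join(reasons)}")
```

The heuristics are intentionally name- and path-based so they run without signature verification; on a real host, pair the output with Authenticode checks of each image before treating a hit as confirmed.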
Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| IP Address | 45[.]64[.]52[.]242 | Attacker-controlled C2 infrastructure |
| IP Address | 192[.]238[.]134[.]166 | Attacker-controlled C2 infrastructure |
| IP Address | 45[.]115[.]38[.]27 | Attacker-controlled C2 infrastructure |
| Domain | gin-tne-fahcesmukw[.]cn-hangzhou[.]fcapp[.]run | Attacker-controlled C2 domain |
| SHA256 Hash | c3ecb90c9915daa23aec51f93ff8665778866f05 | TencShell-related malware sample |
| SHA256 Hash | 92b2413578c8ba9708df6091660af53acdc505f3 | TencShell-related malware sample |
| SHA256 Hash | 33f6d4f4269cec740a5eb05e41a4c7926742606b | TencShell-related malware sample |
| SHA256 Hash | 18f22d3337facbbd0047c19f4efdea75ccb9e3ec | TencShell-related malware sample |
| SHA256 Hash | 793cb9b1d7846afa4fb8e900d6e9ed9501dc3e7e | TencShell-related malware sample |
| SHA256 Hash | 673b4f2682f29b19ecabf9a6ec9c3042c9b1cfb3 | TencShell-related malware sample |
| SHA256 Hash | 9dbdddf1dda680ab750a707084839fe970266964 | TencShell-related malware sample |
| SHA256 Hash | 12f76f48727916d6c05f53f8cd94915db5de5ffcbfa02c4807c27e090cfa47c | TencShell-related malware sample |
| SHA256 Hash | 14ae8de40153c66455d972e6e98fe06fb68db7301ba126557e96599527bc5509 | TencShell-related malware sample |
| SHA256 Hash | c1ba73df60e12b3feb8b5574e65cfceb6910460ab7fae2cf5554769fafdad049 | TencShell-related malware sample |
| SHA256 Hash | e5eff99959683480d2280c931e433af836adf6a8b7a8489b1af17cddcf480cf6 | TencShell-related malware sample |
| SHA256 Hash | 30fe91200a2bb4aed13b1a1ba4ec8fd4454566f5929ffed4f537d9a87c1bf118 | TencShell dropper or payload |
| SHA256 Hash | 77f6bec5dd217151fcd03087a6e7ba1070f0fa603801fb128a4097076c9976d3 | TencShell dropper or payload |
| SHA256 Hash | 6ed6058f0b0735ba56b781dea39353625fcb56bc3e77bf2d26a648511d754d21 | TencShell dropper or payload |
| Registry Key | Software\Microsoft\Windows\CurrentVersion\Run | Persistence registry run key used by TencShell |
| Registry Value | OneDriveHealthTask | Registry value name used by TencShell for autorun persistence |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
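As an added example (not code from the article or from Cato Networks), the script below keeps the network IoCs from the table above in their defanged form, refangs them only in memory for matching, scans a constructed log of DNS answers, proxy URLs and firewall destinations, and defangs again before reporting a hit. The `ts kind value` record layout and the sample log lines are constructed; the indicators are copied verbatim from the table.

```python
import ipaddress
from urllib.parse import urlsplit

# Network IoCs exactly as published in the table above, kept defanged at rest.
DEFANGED_IOCS = {
    "45[.]64[.]52[.]242": "Attacker-controlled C2 infrastructure",
    "192[.]238[.]134[.]166": "Attacker-controlled C2 infrastructure",
    "45[.]115[.]38[.]27": "Attacker-controlled C2 infrastructure",
    "gin-tne-fahcesmukw[.]cn-hangzhou[.]fcapp[.]run": "Attacker-controlled C2 domain",
}


def refang(indicator: str) -> str:
    """Undo the common defanging conventions ([.] for dots, hxxp for http)."""
    return (indicator.replace("[.]", ".")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://"))


def defang(indicator: str) -> str:
    """Defang for reports so the value cannot be clicked or auto-resolved."""
    return indicator.replace(".", "[.]")


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


# Refang once, at load time, so matching works against real log values.
IOC_TABLE = {refang(k).lower(): v for k, v in DEFANGED_IOCS.items()}
IOC_DOMAINS = [k for k in IOC_TABLE if not is_ip(k)]


def extract_host(kind: str, value: str) -> str:
    """Normalise a log value to a bare host: URLs yield their hostname, others pass through."""
    value = value.strip().lower()
    if kind == "url":
        return urlsplit(value).hostname or ""
    return value.rstrip(".")


def match_ioc(host: str):
    """Exact match for IPs and domains, plus subdomain match for domain IoCs."""
    if host in IOC_TABLE:
        return host, IOC_TABLE[host]
    for domain in IOC_DOMAINS:
        if host.endswith("." + domain):
            return domain, IOC_TABLE[domain]
    return None


def scan_log(lines):
    """Scan 'ts kind value' records (constructed layout); returns defanged hits."""
    hits = []
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue
        ts, kind, value = parts
        matched = match_ioc(extract_host(kind, value))
        if matched:
            ioc, description = matched
            hits.append((ts, kind, defang(ioc), description))
    return hits


# Constructed sample log mixing benign placeholders with two IoC sightings.
SAMPLE_LOG = [
    "2026-04-02T10:01:11Z dns www.example.test",
    "2026-04-02T10:01:15Z url https://gin-tne-fahcesmukw.cn-hangzhou.fcapp.run/",
    "2026-04-02T10:01:20Z dst 10.0.0.5",
    "2026-04-02T10:02:03Z dst 45.64.52.242",
    "2026-04-02T10:02:30Z url https://fonts.example.test/ui.woff2",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(" ".join(hit))
```

The subdomain match matters for the `fcapp.run` style of hosting, where a beacon may be addressed by a longer host under the published name; exact-only matching would miss it.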
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


