New Malware Framework Grants Screen Control, Browser Access, UAC Bypass

David kimber
May 14, 2026 5 Min Read

Key Takeaways

  • A new malware framework, TencShell, has been identified, offering comprehensive remote control over compromised systems, including screen control, browser data access, and UAC bypass capabilities.
  • TencShell is a customized version of the open-source Rshell framework, designed to mimic legitimate Tencent API traffic to evade detection.
  • The malware was recently detected and blocked during an attack against a global manufacturing company, initiated through a compromised third-party connection in India.
  • This incident highlights a growing trend where threat actors repurpose readily available offensive tools to execute sophisticated, targeted intrusions with reduced effort.

Cybersecurity researchers have uncovered a sophisticated new malware framework, dubbed TencShell, which grants attackers extensive remote control over infected machines. This previously unknown implant was recently observed in an active deployment against a multinational manufacturing firm, underscoring the escalating threat posed by adapted open-source offensive tools.

Table Of Content

  • Key Takeaways
  • Advanced Capabilities of TencShell
  • TencShell Infection Chain and Delivery Method
  • What You Should Do
  • Indicators of Compromise (IoCs)

The discovery, detailed in a report by analysts at Cato Networks, illustrates how threat actors are increasingly leveraging and customizing publicly available frameworks to execute targeted intrusions. This approach significantly lowers the barrier to entry for conducting advanced attacks, allowing for potent and difficult-to-detect tools to be developed with less investment in bespoke malware creation.

The attempted intrusion, intercepted in April 2026 at the manufacturing company’s India operations, was traced to a third-party user who had legitimate access to the customer’s internal network. Cato Networks successfully blocked the attack before the threat actor could establish persistent remote control, preventing further compromise.

The investigation revealed a meticulously crafted attack chain, featuring layered payloads, disguised file types, and command-and-control (C2) communications engineered to blend seamlessly with routine web traffic. While the initial infection vector remains unconfirmed, it is presumed to have been a result of phishing, a malicious download, or another web-based delivery mechanism.

Advanced Capabilities of TencShell

TencShell is a tailored variant of Rshell, an open-source framework popular in offensive security circles for its cross-platform utility. The threat actor behind TencShell customized Rshell by integrating communication patterns that closely emulate Tencent-style API traffic. This strategic disguise allows malicious requests to masquerade as benign application activity, making detection considerably more challenging. The name “TencShell” itself is a portmanteau, combining “Tenc” from its Tencent-like C2 paths and “Shell” reflecting its core remote access functionality.

The broader implications of TencShell extend beyond this single incident. The ease with which threat actors can adapt existing offensive frameworks to create potent, stealthy tools signals a worrying trend. This accessibility democratizes advanced attack capabilities, enabling a wider array of malicious actors to conduct sophisticated operations without requiring extensive custom malware development.

As a full operator framework, TencShell’s capabilities are extensive, far surpassing basic command execution. Analysis of recovered code modules confirms that the implant supports:

  • Screen capture
  • Live screen streaming via WebSocket
  • Real-time keyboard and mouse simulation

Integrated functions such as SendInput, MouseClick, KeyTap, and GetScreenWebSocket provide operators with direct, interactive control over a compromised host, effectively allowing them to operate the system as if they were physically present.

Beyond remote control, TencShell incorporates specialized routines designed to extract browser artifacts from both Google Chrome and Microsoft Edge. Recovered opcodes reveal commands for reading and clearing saved sessions, login credentials, and cookies from these browsers. This functionality creates a direct pathway for credential theft and session hijacking, posing a significant risk to any organization where TencShell gains a foothold.

A notable feature of TencShell is its User Account Control (UAC) bypass module, identified by the opcode UAC_BYPASS. This module enables the attacker to escalate privileges without triggering the standard Windows security prompts, thereby maintaining stealth and expanding their control. Coupled with SOCKS5 proxying, dynamic-link library (DLL) loading, file transfer capabilities, and a persistence mechanism disguised as “OneDriveHealthTask” within a registry run key, TencShell is engineered for long-term, covert access rather than rapid, disruptive attacks.

TencShell Infection Chain and Delivery Method

The TencShell attack observed by Cato Networks followed a well-structured, multi-stage delivery process. The initial access led to the execution of a lightweight, first-stage dropper. This dropper was designed to be small and inconspicuous, primarily tasked with fetching the subsequent payload while using a fake User-Agent to camouflage its outbound requests within regular network traffic.

The dropper then retrieved a file that appeared to be a standard web font file with a .woff extension. In reality, the file contained shellcode generated with Donut, an open-source tool known for loading Windows payloads directly into memory and thereby avoiding the need to write files to disk. This masquerade makes the payload delivery resemble a routine browser asset fetch rather than a malicious operation.

Upon retrieval, the Donut shellcode was loaded into a memory region, marked as executable, and launched within the originating process via a new thread. Donut subsequently reflectively mapped the TencShell implant into memory, completing the infection chain and preparing the malware for active command-and-control communications.

What You Should Do

Defenders are urged to implement robust monitoring and detection strategies to counter threats like TencShell. Specific mitigation steps include:

  • Monitor Outbound Network Traffic: Scrutinize all outbound requests for unusual activity, especially connections to unfamiliar endpoints or unexpected .woff paths outside of normal browser contexts.
  • Enhance Endpoint Detection: Deploy advanced Endpoint Detection and Response (EDR) solutions capable of identifying in-memory execution, reflective DLL loading, and UAC bypass attempts.
  • Review Registry Autorun Entries: Regularly audit the Windows Registry for suspicious autorun entries, particularly those disguised as legitimate system tasks like “OneDriveHealthTask.”
  • Implement Least Privilege: Enforce the principle of least privilege for all users and third-party connections to minimize the impact of a compromised account.
  • User Awareness Training: Conduct continuous training for employees on phishing prevention and safe browsing habits to reduce the likelihood of initial infection.
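As an added example (not Cato Networks' tooling or anything from the report), the following Python triages two of the signals above: .woff fetches made by non-browser processes, and a Run-key value named OneDriveHealthTask in a registry export. The record layout, the browser list and the .reg excerpt are constructed assumptions.

```python
import re

# Constructed sample records (process attributed to each request, as an EDR
# or proxy with process telemetry would log it). The dropper spoofs its
# User-Agent, so the check keys on the requesting process, not the UA string.
SAMPLE_NETWORK = [
    {"process": "chrome.exe", "url": "https://cdn.example.com/fonts/a.woff"},
    {"process": "msedge.exe", "url": "https://cdn.example.com/fonts/b.woff2?v=3"},
    {"process": "update.exe", "url": "https://unknown.example.net/assets/x.woff"},
    {"process": "svchost.exe", "url": "https://api.example.org/health"},
]

# Constructed excerpt of a .reg export of the Run key (reg export <key> run.reg).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"OneDriveHealthTask"="C:\\Users\\alice\\AppData\\Roaming\\svc\\load.exe"
'''

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
WOFF_RE = re.compile(r"\.woff2?(?:[?#]|$)", re.IGNORECASE)
REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# Value names the report identifies as a disguise; extend from your own intel.
SUSPECT_RUN_NAMES = {"onedrivehealthtask"}


def suspicious_font_fetches(records):
    """URLs of .woff/.woff2 requests made by a process that is not a browser."""
    return [r["url"] for r in records
            if WOFF_RE.search(r["url"]) and r["process"].lower() not in BROWSERS]


def parse_reg_export(text):
    """Return (value_name, command) pairs from a .reg export, unescaping backslashes and quotes."""
    pairs = []
    for line in text.splitlines():
        m = REG_VALUE_RE.match(line.strip())
        if m:
            name, raw = m.groups()
            pairs.append((name, raw.replace('\\"', '"').replace("\\\\", "\\")))
    return pairs


def suspicious_run_values(text):
    """Run-key values whose name matches a known disguise, regardless of the command."""
    return [(n, c) for n, c in parse_reg_export(text) if n.lower() in SUSPECT_RUN_NAMES]
```

Feed `suspicious_font_fetches` your own process-attributed proxy records and `suspicious_run_values` the output of a `reg export` of each user's and the machine's Run key; a hit on either is a lead for the EDR review described above, not a verdict on its own.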

Indicators of Compromise (IoCs)

Type Indicator Description
Registry Key Software\Microsoft\Windows\CurrentVersion\Run Persistence registry run key used by TencShell
Registry Value OneDriveHealthTask Registry value name used by TencShell for autorun persistence

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
