An undocumented malware implant suspected to be associated with a China‑linked actor has been identified by researchers at Cato Networks’ Cyber Threats Research Lab (CTRL). Their discovery followed an intrusion attempt in April 2026 affecting the Indian branch of an unnamed global manufacturing customer with multiple regional sites; the researchers blocked the attempt and also noted suspicious traffic from a third‑party user connected to the customer environment.
The operation used a first‑stage dropper, Donut shellcode, a masqueraded _.woff_ web‑font resource, memory injection and web‑like C2 communication, with the goal of delivering a customized Go‑based implant derived from the open‑source Rshell C2 framework.
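As an added illustration, not code from Cato CTRL or from the report, the following is a defender‑side check for the masquerade step described above: bytes served under a _.woff_ name should carry a structurally consistent WOFF or WOFF2 header, and anything else is worth pulling for inspection. The sample blobs below are constructed for the demonstration.

```python
import struct

# Signatures defined by the WOFF 1.0, WOFF 2.0 and OpenType specifications.
WOFF_SIG, WOFF2_SIG = b"wOFF", b"wOF2"
SFNT_SIGS = {b"\x00\x01\x00\x00", b"true", b"OTTO"}  # valid sfnt "flavor" values

def check_woff_resource(data: bytes) -> dict:
    """Classify bytes delivered as a .woff resource.

    Returns {"kind", "ok", "reason"}; ok is True only for a WOFF/WOFF2 blob whose
    header 'length' field matches the actual size and whose flavor is a known sfnt.
    """
    if len(data) < 4:
        return {"kind": "unknown", "ok": False, "reason": "too short for any font header"}
    sig = data[:4]
    if sig in (WOFF_SIG, WOFF2_SIG):
        kind = "woff" if sig == WOFF_SIG else "woff2"
        hdr_len = 44 if sig == WOFF_SIG else 48   # fixed header sizes per spec
        if len(data) < hdr_len:
            return {"kind": kind, "ok": False, "reason": "truncated header"}
        # Both formats: flavor (4), length (uint32 BE), numTables (uint16), reserved (uint16)
        flavor, length, _num_tables, reserved = struct.unpack(">4sIHH", data[4:16])
        if reserved != 0:
            return {"kind": kind, "ok": False, "reason": "reserved field must be zero"}
        if length != len(data):
            return {"kind": kind, "ok": False,
                    "reason": f"header length {length} != actual size {len(data)}"}
        if flavor not in SFNT_SIGS:
            return {"kind": kind, "ok": False, "reason": "unknown sfnt flavor"}
        return {"kind": kind, "ok": True, "reason": "header consistent"}
    if sig in SFNT_SIGS:
        return {"kind": "sfnt", "ok": False, "reason": "raw TTF/OTF served under a .woff name"}
    return {"kind": "not-a-font", "ok": False, "reason": "no font signature"}

def build_minimal_woff() -> bytes:
    # Constructed 44-byte WOFF header with zero tables; sample input only.
    return WOFF_SIG + struct.pack(">4sIHHIHHIIIII", b"OTTO", 44, 0, 0, 12, 1, 0, 0, 0, 0, 0, 0)

SAMPLE_GOOD = build_minimal_woff()
SAMPLE_FAKE = b"\xde\xad\xbe\xef" * 16                  # constructed opaque blob, not a font
SAMPLE_PADDED = SAMPLE_GOOD + b"\x00" * 100             # real signature, but length field lies
```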
The version observed is an undocumented variant of Rshell repackaged for this operation; the researchers said its communication and delivery changes made it better suited to the attacker’s campaign. According to a May 13 report, Cato CTRL named the implant ‘TencShell’ because it blends shell‑style remote‑control capabilities with C2 paths that imitate Tencent‑like web services.
Cato CTRL suspects the threat actor behind this operation is based in China or linked to Chinese‑backed hacking groups, though the researchers cautioned that the evidence is not sufficient on its own for attribution.