
TencShell: The Backdoor Trojan That Disguises C2 Traffic as Tencent API Calls

Jul 4, 2026

Blending In with Legitimate Traffic

Researchers at Cato Networks' Cyber Threats Research Lab (CTRL) have uncovered a new Go-based backdoor trojan that disguises its command-and-control traffic as legitimate API requests to Tencent, the Chinese technology company. Named TencShell, the malware was caught during a targeted attack on a global industrial manufacturer before it could establish a persistent foothold.

TencShell is derived from Rshell, an open-source C2 framework, and was adapted into a capable post-exploitation implant. The name reflects its dual nature: "Tenc" points to the imitated Tencent API communication paths, while "Shell" describes the trojan's remote access functionality. Rather than using obvious malware callback paths, TencShell communicates through structured, API-like endpoints designed to resemble normal backend service requests, making the malicious traffic blend naturally into corporate network activity.

A Multi-Stage Infection Chain

The exact initial infection vector remains unknown, though classic entry points like phishing, malicious downloads, or web-based exploits are the most likely candidates. The observed infection chain unfolds in stages.

A first-stage dropper fetches shellcode disguised as a .woff web font resource. That shellcode loads the modified Rshell framework directly into memory, leaving no file on disk. This approach bypasses many signature-based detection methods. The modular design also gives the attacker operational flexibility: the lightweight entry component stays unchanged while downstream payloads can be hosted, updated, and iterated separately.
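Because the staged shellcode was served under a .woff name, one cheap check a defender can add at the proxy or in a sandbox is to verify that anything fetched as a web font actually looks like one. The following is an added example, not code from Cato CTRL or from the TencShell analysis: it checks the WOFF 1.0 magic and header consistency (the length field must equal the body size), accepts WOFF2 on its magic alone, and reports byte entropy as a secondary signal. The sample bodies (`SAMPLE_FONT`, `SAMPLE_TRUNCATED_FONT`, `SAMPLE_BLOB`) are constructed here; the 7.0 bits/byte entropy threshold is an assumption to tune locally.

```python
import math
import struct

# Added example (not from the Cato CTRL write-up): sanity-check a response that
# was served as a .woff web font. Real WOFF 1.0 files start with "wOFF" and
# carry a 44-byte header whose length field equals the total file size; a
# non-font blob hidden behind a .woff URL will usually fail these checks.
WOFF_MAGIC = b"wOFF"
WOFF2_MAGIC = b"wOF2"
WOFF_HEADER_LEN = 44


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def inspect_font_response(body: bytes, entropy_threshold: float = 7.0) -> dict:
    """Return a verdict for a response body that a client treated as a font."""
    findings = []
    magic = body[:4]
    if magic == WOFF_MAGIC:
        if len(body) < WOFF_HEADER_LEN:
            findings.append("truncated WOFF header")
        else:
            # signature, flavor, length, numTables, reserved (first 16 bytes, big-endian)
            _, _, declared_len, num_tables, reserved = struct.unpack(">4sIIHH", body[:16])
            if declared_len != len(body):
                findings.append(f"WOFF length field {declared_len} != body size {len(body)}")
            if num_tables == 0:
                findings.append("WOFF declares zero font tables")
            if reserved != 0:
                findings.append("WOFF reserved field is non-zero")
    elif magic != WOFF2_MAGIC:
        # WOFF2 is accepted on its magic alone here; anything else is not a font.
        findings.append(f"no WOFF/WOFF2 magic (got {magic!r})")
    entropy = shannon_entropy(body)
    if magic not in (WOFF_MAGIC, WOFF2_MAGIC) and entropy > entropy_threshold:
        findings.append(f"high entropy ({entropy:.2f} bits/byte) without a font header")
    return {"suspicious": bool(findings), "entropy": round(entropy, 2), "findings": findings}


def build_minimal_woff(table_bytes: int, num_tables: int = 1) -> bytes:
    """Constructed stand-in for a benign WOFF 1.0 file (header + zeroed table area)."""
    total = WOFF_HEADER_LEN + table_bytes
    header = WOFF_MAGIC + struct.pack(
        ">IIHHIHHIIIII",
        0x00010000,     # flavor: TrueType outlines
        total,          # length: total WOFF file size
        num_tables, 0,  # numTables, reserved
        total,          # totalSfntSize (placeholder value)
        1, 0,           # majorVersion, minorVersion
        0, 0, 0,        # metaOffset, metaLength, metaOrigLength
        0, 0,           # privOffset, privLength
    )
    return header + bytes(table_bytes)


# Constructed samples: a plausible font, a truncated copy of it, and a non-font
# blob (every byte value twice) that was served under a .woff name.
SAMPLE_FONT = build_minimal_woff(100)
SAMPLE_TRUNCATED_FONT = SAMPLE_FONT[:-10]
SAMPLE_BLOB = bytes(range(256)) * 2

if __name__ == "__main__":
    for name, body in [("font", SAMPLE_FONT), ("truncated", SAMPLE_TRUNCATED_FONT), ("blob", SAMPLE_BLOB)]:
        print(name, inspect_font_response(body))
```

Legitimate WOFF tables are zlib-compressed, so entropy alone would flag real fonts too; that is why the entropy finding is only raised when the magic is already missing, and the header-consistency checks carry the weight.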

What TencShell Hands Attackers

Once deployed, TencShell gives attackers a broad toolkit: in-memory code execution, BOF-style module execution, proxying and tunneling, WebSocket-based C2 communication, and interactive remote control of the compromised system. That feature set matches what mature post-exploitation frameworks offer, yet it was built entirely from adapted open-source tooling rather than purpose-built custom malware.

The threat is especially serious when attackers enter via a compromised third-party vendor connection. A single compromised endpoint can put your entire supply chain, production systems, intellectual property, and customer data at risk.

What You Should Take Away from This

Cato Networks stopped the attack by correlating signals across multiple sources: suspicious external infrastructure, host-level artifacts, payload staging behavior, and C2-like communication patterns. The core lesson is that security requires visibility across all layers, not just at isolated checkpoints.

Sophisticated attacks no longer require heavily customized malware. Threat actors adapt available open-source tools and try to hide their activity inside normal traffic. Detecting that requires behavioral monitoring, not just signature checks.
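The article's two technical points, that the C2 traffic hides behind API-like endpoints on a Tencent-looking host and that Cato caught it only by correlating several signals, can be turned into a concrete detection rule. The following is an added example, not Cato's detection logic: it parses a constructed, whitespace-separated proxy log (`timestamp client method host path status upgrade`, a format assumed for this example), extracts one weak signal per line (a .woff fetch, an API-like path, a WebSocket upgrade, a host that name-drops Tencent without belonging to a known Tencent apex domain), and alerts only when a single client-to-host pair accumulates several of them. `KNOWN_TENCENT_APEX` is an assumed allowlist an analyst would maintain, and the hostnames and IPs in `SAMPLE_LOG` are constructed.

```python
import re
from collections import defaultdict

# Added example (not Cato's detection logic): correlate several weak signals per
# (client, external host) pair instead of alerting on any one of them. The log
# format is a constructed, whitespace-separated proxy log:
#   timestamp client method host path status upgrade
# and the Tencent apex-domain allowlist is an assumption an analyst would
# maintain from their own inventory.
KNOWN_TENCENT_APEX = ("tencent.com", "qq.com")
TENCENT_LOOKALIKE = re.compile(r"tencent|qq", re.IGNORECASE)
API_LIKE_PATH = re.compile(r"^/(api|v\d+)/")
FONT_PATH = re.compile(r"\.woff2?$", re.IGNORECASE)

# Constructed sample: one client stages a "font", posts to an API-like path and
# opens a WebSocket to a Tencent-looking host; another client does benign things.
SAMPLE_LOG = """\
2026-07-01T10:00:01Z 10.0.5.21 GET api-tencent-cloud.example.net /static/fonts/ui.woff 200 -
2026-07-01T10:00:03Z 10.0.5.21 POST api-tencent-cloud.example.net /api/v2/device/report 200 -
2026-07-01T10:00:04Z 10.0.5.21 GET api-tencent-cloud.example.net /api/v2/session/stream 101 websocket
2026-07-01T10:01:10Z 10.0.5.40 GET cdn.example.org /assets/roboto.woff2 200 -
2026-07-01T10:02:00Z 10.0.5.40 GET api.weixin.qq.com /cgi-bin/token 200 -
"""


def parse_line(line: str) -> dict:
    """Split one constructed log line into a record; hosts and upgrade tokens are normalised."""
    ts, client, method, host, path, status, upgrade = line.split()
    return {"ts": ts, "client": client, "method": method, "host": host.lower(),
            "path": path, "status": int(status), "upgrade": upgrade.lower()}


def is_known_tencent_host(host: str) -> bool:
    """True only for the apex domains in the allowlist or their subdomains."""
    return any(host == apex or host.endswith("." + apex) for apex in KNOWN_TENCENT_APEX)


def signals_for(rec: dict) -> set:
    """Weak signals raised by a single request; none of them is an alert on its own."""
    sigs = set()
    if FONT_PATH.search(rec["path"]):
        sigs.add("font_fetch")
    if API_LIKE_PATH.search(rec["path"]):
        sigs.add("api_like_path")
    if rec["upgrade"] == "websocket":
        sigs.add("websocket_upgrade")
    if TENCENT_LOOKALIKE.search(rec["host"]) and not is_known_tencent_host(rec["host"]):
        sigs.add("tencent_lookalike_host")
    return sigs


def correlate(log_text: str, min_signals: int = 3) -> dict:
    """Map (client, host) -> sorted signal names for pairs that reach min_signals."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            seen[(rec["client"], rec["host"])] |= signals_for(rec)
    return {pair: sorted(sigs) for pair, sigs in seen.items() if len(sigs) >= min_signals}


if __name__ == "__main__":
    for (client, host), sigs in correlate(SAMPLE_LOG).items():
        print(f"ALERT {client} -> {host}: {', '.join(sigs)}")
```

With the default threshold only the first client's traffic to the look-alike host is reported; the benign font download and the request to a real qq.com subdomain each produce at most one signal and stay quiet. Lowering `min_signals` to 1 shows how noisy any single signal would be on its own, which is the point the article makes about needing correlated, behavioral visibility rather than isolated checks.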