CyberSecurityNews

New Malware Framework Enables Screen Control, Browser Artifact Access, and UAC Bypass


A newly uncovered malware framework is raising serious alarms across the cybersecurity community. Researchers have identified a previously unknown implant called TencShell, a sophisticated tool capable of giving attackers full remote control over a compromised system.

The discovery highlights how threat actors are quietly repurposing publicly available offensive tools to carry out targeted intrusions with far less effort than before.

TencShell was found actively deployed against a global manufacturing company with regional operations spread across multiple countries.

The attack was intercepted at the company’s India site and traced back to a third-party user with a legitimate connection to the customer’s internal environment.

Attackers exploited that trusted access as a bridge, effectively turning a routine business relationship into a dangerous and highly capable entry point.

Analysts at Cato Networks identified the attempted intrusion in April 2026 and blocked it before the attacker could establish durable remote control.

Their investigation revealed a carefully constructed attack chain involving staged payloads, masqueraded file types, and command-and-control communication specifically designed to blend into normal web traffic.

The initial infection vector remains unknown but likely involved phishing, a malicious download, or another web-based delivery method.

Screen Control, UAC Bypass, and Browser Artifact Access

TencShell is derived from Rshell, an open-source framework designed for cross-platform offensive security use.

The threat actor customized and repackaged it, adding communication patterns that closely mimic Tencent-style API traffic to make malicious requests look like ordinary application activity.

The name combines “Tenc” for those Tencent-like C2 paths and “Shell” for its core remote access behavior.

The broader concern goes beyond this single incident. Attackers no longer need custom malware development pipelines to pull off a sophisticated intrusion.

Adapting freely available offensive frameworks is often enough to build a capable, hard-to-detect tool, and that reality lowers the barrier for a much wider range of threat actors.

TencShell functions as a full operator framework, and its capabilities stretch far beyond basic command execution.

Recovered code modules confirm that the implant supports screen capture, live screen streaming over WebSocket, and real-time keyboard and mouse simulation.

Functions like SendInput, MouseClick, KeyTap, and GetScreenWebSocket were all embedded within the tool, giving an operator direct interactive control of an infected host.

Extracted TencShell package paths and function names (Source – CATO Networks)

The implant also includes dedicated routines for accessing browser artifacts from both Chrome and Microsoft Edge. Recovered opcodes confirm operations for reading and clearing saved sessions, login data, and cookies from both browsers.

This creates a direct path to credential theft and session hijacking for any organization where TencShell takes hold.

A UAC bypass module, documented under the opcode UAC_BYPASS, allows the attacker to gain elevated privileges without triggering the standard Windows security prompt.

Combined with SOCKS5 proxying, DLL loading, file transfer, and persistence through a registry run key disguised as “OneDriveHealthTask,” TencShell is built for long-term, stealthy access rather than a quick smash-and-grab.

TencShell Infection Chain and Delivery Method

The attack followed a clear multi-stage delivery pattern. A lightweight first-stage dropper was executed after initial access, designed to stay small and quietly pull down the next payload while using a fake User-Agent to blend outbound requests into normal traffic.

TencShell infection chain (Source – Cato Networks)

The dropper then retrieved what appeared to be a standard web font file with a .woff extension, the kind websites routinely use to load custom typefaces.

Inside that file was shellcode generated by Donut, an open-source loader that runs Windows payloads directly in memory, bypassing the need to write anything to disk.

This disguise helps the request look like a routine browser asset fetch rather than a malware delivery operation.

After retrieval, the shellcode was loaded into a memory region, marked as executable, and launched through a new thread within the originating process.

Donut then reflectively mapped TencShell into memory, completing the chain and preparing the implant for active command-and-control communication.

Security teams are advised to flag unusual outbound requests to unfamiliar endpoints, unexpected .woff paths requested outside a normal browser context, and unknown autorun entries in the Windows Registry.
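The checks above, and the font-file masquerade in the delivery chain, as an added defensive example that is not part of the article or of Cato's research: the proxy-log format, the domain allowlist, the sample log lines and the Run-key baseline are all constructed for this demo, and the WOFF signature test relies on the documented "wOFF"/"wOF2" magic bytes of real web fonts.

```python
import re
from collections import namedtuple

# Constructed proxy-log line format (not a real product's): <ts> <host> <process> "<method> <url>" "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "(\w+) (\S+)" "([^"]*)"$')
Finding = namedtuple("Finding", "host reason url")

KNOWN_GOOD_DOMAINS = {"fonts.gstatic.com", "cdn.example-corp.local"}  # constructed allowlist
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

def is_genuine_woff(blob):
    """A real web font starts with the WOFF/WOFF2 signature; a .woff that
    carries shellcode instead of a font fails this check."""
    return blob[:4] in (b"wOFF", b"wOF2")

def host_of(url):
    m = re.match(r"https?://([^/:]+)", url)
    return m.group(1).lower() if m else ""

def analyze(lines):
    """Flag .woff fetches by non-browser processes and requests to
    domains outside the allowlist; malformed lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, host, proc, _method, url, _ua = m.groups()
        path = url.lower().split("?")[0]
        if path.endswith(".woff") and proc.lower() not in BROWSERS:
            findings.append(Finding(host, "woff-fetch-outside-browser", url))
        domain = host_of(url)
        if domain and domain not in KNOWN_GOOD_DOMAINS:
            findings.append(Finding(host, "unfamiliar-endpoint", url))
    return findings

def unexpected_autoruns(run_values, baseline):
    """Run-key value names absent from the approved baseline (e.g. OneDriveHealthTask)."""
    return sorted(set(run_values) - set(baseline))

# Constructed sample data: three proxy lines and one host's Run-key value names.
SAMPLE_LOG = [
    '2026-04-10T10:00:01Z ws-042 chrome.exe "GET https://fonts.gstatic.com/s/roboto/v30/font.woff" "Mozilla/5.0 Chrome/124"',
    '2026-04-10T10:00:07Z ws-042 updater.exe "GET https://cdn.example.invalid/assets/ui.woff" "Mozilla/5.0 Chrome/124"',
    '2026-04-10T10:00:09Z ws-042 chrome.exe "GET https://cdn.example-corp.local/app/main.js" "Mozilla/5.0 Chrome/124"',
]
SAMPLE_RUN_VALUES = ["OneDrive", "SecurityHealth", "OneDriveHealthTask"]
BASELINE_RUN_VALUES = ["OneDrive", "SecurityHealth"]
```

Running `analyze(SAMPLE_LOG)` yields two findings for the second line only (the non-browser .woff fetch and the unfamiliar domain), and `unexpected_autoruns` isolates the OneDriveHealthTask value against the baseline.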

Indicators of Compromise (IoCs):

Registry Key: Software\Microsoft\Windows\CurrentVersion\Run (persistence registry run key used by TencShell)
Registry Value: OneDriveHealthTask (registry value name used by TencShell for autorun persistence)

