New Malware Framework Enables Screen Control and UAC Bypass

GBHackers On Security
May 14, 2026

Why It Matters

The incident demonstrates how attackers can weaponize legitimate open‑source tools to launch fileless, hard‑to‑detect intrusions, raising the threat level for organizations that rely on third‑party connections. Effective detection of such stealth techniques is critical to protecting enterprise networks and sensitive manufacturing data.

Key Takeaways

  • TencShell is derived from the open-source Rshell framework and adds stealth features
  • Uses .woff file to deliver Donut shellcode in memory
  • Provides screen capture, mouse/keyboard control, and browser data theft
  • Implements UAC bypass and persists via Run key masquerading as OneDriveHealthTask
  • Cato CTRL blocked the attack by detecting disguised URLs and SOCKS5 tunneling

Pulse Analysis

The rise of fileless malware has accelerated as threat actors increasingly co‑opt open‑source frameworks, and TencShell exemplifies this trend. By forking Rshell—a Go‑based C2 platform originally intended for red‑team testing—attackers injected a lightweight dropper that fetched Donut shellcode concealed within a .woff web‑font. This approach bypasses traditional file‑based scanners, as the payload lives only in memory, and the use of a legitimate‑looking web resource helps it blend into normal traffic. Such tactics underscore the need for behavioral analytics that can spot anomalous API patterns and unexpected network calls.

Beyond evasion, TencShell packs a potent arsenal of post‑exploitation capabilities. The implant can capture the desktop, simulate mouse clicks and keystrokes, and harvest Chrome or Edge artifacts, giving adversaries direct access to credential stores and session tokens. Its built‑in SOCKS5 proxy enables lateral movement across internal segments, while a custom UAC bypass raises privileges without user consent. Persistence is achieved through a Registry Run key disguised as "OneDriveHealthTask," a clever subterfuge that can survive reboots and evade casual inspection. For a manufacturing firm with extensive third‑party integrations, such a foothold could translate into intellectual‑property theft or sabotage of production lines.

The successful interception by Cato CTRL highlights the importance of multi‑layered defenses against sophisticated, fileless threats. Organizations should augment signature‑based tools with threat‑intel feeds that flag suspicious URL structures and mimicry of popular services like Tencent. Continuous monitoring of process injection, memory‑only execution, and unusual registry modifications can reveal hidden implants early. Moreover, tightening third‑party access controls, enforcing least‑privilege principles, and conducting regular red‑team exercises will reduce the attack surface that TencShell and similar frameworks seek to exploit. Proactive visibility into network traffic and endpoint behavior remains the most effective countermeasure against these evolving intrusion kits.
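A defender-side check for the Run-key masquerade described above and for the registry monitoring recommended in this paragraph, as an added example that is not code from GBHackers, Cato CTRL or the TencShell framework; the trusted OneDrive directories are an assumption about a default Windows install, and the sample entries are constructed.

```python
# Added example (not GBHackers', Cato CTRL's or TencShell code): triage Run-key
# entries that borrow the OneDrive name but launch a binary from somewhere else.
from pathlib import PureWindowsPath
# Assumed directories of genuine OneDrive binaries on a default install.
TRUSTED_ONEDRIVE_DIRS = (
    r"c:\users\{user}\appdata\local\microsoft\onedrive",
    r"c:\program files\microsoft onedrive",
    r"c:\program files (x86)\microsoft onedrive",
)

def first_exe(command: str) -> str:
    """Return the executable path from a Run-key command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]

def triage_run_entries(entries, user="alice"):
    """Return (name, reason) for OneDrive-named entries whose binary is outside a trusted dir."""
    trusted = tuple(d.format(user=user) for d in TRUSTED_ONEDRIVE_DIRS)
    local_appdata = rf"c:\users\{user}\appdata\local"
    findings = []
    for name, command in entries:
        if "onedrive" not in name.lower():
            continue  # only the masquerade pattern from the report is checked here
        exe = first_exe(command).lower().replace("%localappdata%", local_appdata)
        if not str(PureWindowsPath(exe).parent).startswith(trusted):
            findings.append((name, f"OneDrive-named Run entry launches {exe}"))
    return findings

def read_live_run_entries():
    """On Windows, enumerate the HKCU Run key via winreg; return [] on other platforms."""
    try:
        import winreg
    except ImportError:
        return []
    entries, index = [], 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once the values are exhausted
                return entries
            entries.append((name, str(value)))
            index += 1

# Constructed sample: the genuine OneDrive entry, a look-alike, and an unrelated entry.
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("OneDriveHealthTask", r'"C:\Users\alice\AppData\Roaming\svchealth\health.exe" -s'),
    ("SecurityHealth", r"%ProgramFiles%\Windows Defender\MSASCuiL.exe"),
]
```

On a Windows host, `triage_run_entries(read_live_run_entries())` runs the same check against the current user's real Run key.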
