New Malware Framework Enables Screen Control, Browser Artifact Access, and UAC Bypass
By Tushar Subhra Dutta
May 14, 2026
A newly uncovered malware framework is raising serious alarms across the cybersecurity community. Researchers have identified a previously unknown implant called TencShell, a sophisticated tool capable of giving attackers full remote control over a compromised system.
The discovery highlights how threat actors are quietly repurposing publicly available offensive tools to carry out targeted intrusions with far less effort than before.
TencShell was found actively deployed against a global manufacturing company with regional operations spread across multiple countries.
The attack was intercepted at the company’s India site and traced back to a third-party user with a legitimate connection to the customer’s internal environment.
Attackers exploited that trusted access as a bridge, effectively turning a routine business relationship into a dangerous and highly capable entry point.
Analysts at Cato Networks identified the attempted intrusion in April 2026 and blocked it before the attacker could establish durable remote control.
Their investigation revealed a carefully constructed attack chain involving staged payloads, masqueraded file types, and command-and-control communication specifically designed to blend into normal web traffic.
The initial infection vector remains unknown but likely involved phishing, a malicious download, or another web-based delivery method.
Screen Control, UAC Bypass, and Browser Artifact Access
TencShell is derived from Rshell, an open-source framework designed for cross-platform offensive security use.
The threat actor customized and repackaged it, adding communication patterns that closely mimic Tencent-style API traffic to make malicious requests look like ordinary application activity.
The name combines “Tenc” for those Tencent-like C2 paths and “Shell” for its core remote access behavior.
The broader concern goes beyond this single incident. Attackers no longer need custom malware development pipelines to pull off a sophisticated intrusion.
Adapting freely available offensive frameworks is often enough to build a capable, hard-to-detect tool, and that reality lowers the barrier for a much wider range of threat actors.
TencShell functions as a full operator framework, and its capabilities stretch far beyond basic command execution.
Recovered code modules confirm that the implant supports screen capture, live screen streaming over WebSocket, and real-time keyboard and mouse simulation.
Functions like SendInput, MouseClick, KeyTap, and GetScreenWebSocket were all embedded within the tool, giving an operator direct interactive control of an infected host.
Extracted TencShell package paths and function names (Source – CATO Networks)
The implant also includes dedicated routines for accessing browser artifacts from both Chrome and Microsoft Edge. Recovered opcodes confirm operations for reading and clearing saved sessions, login data, and cookies from both browsers.
This creates a direct path to credential theft and session hijacking for any organization where TencShell takes hold.
A UAC bypass module, documented under the opcode UAC_BYPASS, allows the attacker to gain elevated privileges without triggering the standard Windows security prompt.
Combined with SOCKS5 proxying, DLL loading, file transfer, and persistence through a registry run key disguised as “OneDriveHealthTask,” TencShell is built for long-term, stealthy access rather than a quick smash-and-grab.
TencShell Infection Chain and Delivery Method
The attack followed a clear multi-stage delivery pattern. A lightweight first-stage dropper was executed after initial access, designed to stay small and quietly pull down the next payload while using a fake User-Agent to blend outbound requests into normal traffic.
TencShell infection chain (Source – CATO Networks)
The dropper then retrieved what appeared to be a standard web font file with a .woff extension, the kind websites routinely use to load custom typefaces.
Inside that file was shellcode generated with Donut, an open-source tool that loads Windows payloads directly in memory, so nothing needs to be written to disk.
This disguise helps the request look like a routine browser asset fetch rather than a malware delivery operation.
After retrieval, the shellcode was loaded into a memory region, marked as executable, and launched through a new thread within the originating process.
Donut then reflectively mapped TencShell into memory, completing the chain and preparing the implant for active command-and-control communication.
Security teams are advised to flag unusual outbound requests to unfamiliar endpoints, unexpected .woff paths outside of normal browser context, and unknown autorun entries in the Windows Registry.
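As an added example, not code from the article or from Cato Networks, the Python below turns that guidance into two small hunts: one over constructed proxy-log lines for .woff fetches made by a non-browser process, and one over an exported Run key for the reported autorun value name. The log format, the browser process list and the allowlisted autorun names are assumptions for this hypothetical environment.

```python
import re

# Constructed sample proxy log lines (not from the article): timestamp, client,
# method, URL, user-agent and the process that made the request.
SAMPLE_PROXY_LOG = """\
2026-04-02T09:14:03Z 10.1.2.3 GET https://fonts.example.test/static/roboto.woff ua="Mozilla/5.0 Chrome/124.0" proc=chrome.exe
2026-04-02T09:14:07Z 10.1.2.3 GET https://www.example.test/assets/site.woff ua="Mozilla/5.0 Edg/124.0" proc=msedge.exe
2026-04-02T09:15:11Z 10.1.2.9 GET https://cdn.example.test/api/v1/font.woff ua="Mozilla/5.0 Chrome/124.0" proc=update.exe
2026-04-02T09:15:12Z 10.1.2.9 GET https://cdn.example.test/api/v1/status ua="Mozilla/5.0 Chrome/124.0" proc=update.exe
"""
# Processes that legitimately fetch web fonts; any other process fetching .woff is worth a look.
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'ua="(?P<ua>[^"]*)" proc=(?P<proc>\S+)$'
)

def suspicious_woff_fetches(log_text):
    """Return (timestamp, source, url, process) for .woff fetches by a non-browser process.
    The dropper spoofs a browser User-Agent, so the UA is not trusted; the process is."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line
        path = m.group("url").split("?", 1)[0]  # ignore any query string
        if not path.lower().endswith(".woff") or m.group("proc").lower() in BROWSER_PROCESSES:
            continue
        hits.append((m.group("ts"), m.group("src"), m.group("url"), m.group("proc")))
    return hits

# Autorun value name reported in the article, plus a constructed allowlist of names
# this hypothetical environment expects under the Run key.
REPORTED_RUN_VALUES = {"OneDriveHealthTask"}
EXPECTED_RUN_VALUES = {"OneDrive", "SecurityHealth"}

def suspicious_run_entries(run_values):
    """run_values maps value name -> command, as exported from a Run key.
    Flags the reported TencShell name and anything not on the allowlist."""
    flagged = []
    for name, command in run_values.items():
        if name in REPORTED_RUN_VALUES:
            flagged.append((name, command, "matches reported TencShell persistence value"))
        elif name not in EXPECTED_RUN_VALUES:
            flagged.append((name, command, "not on autorun allowlist"))
    return flagged

if __name__ == "__main__":
    print(suspicious_woff_fetches(SAMPLE_PROXY_LOG))
```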
Indicators of Compromise (IoCs):
Type Indicator Description
Registry Key \Software\Microsoft\Windows\CurrentVersion\Run Persistence registry run key used by TencShell
Registry Value OneDriveHealthTask Registry value name used by TencShell for autorun persistence
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.