TencShell: Go-Based Backdoor Impersonates Tencent API Traffic

The bottom line: TencShell backdoor obfuscates C2 traffic as Tencent API requests to evade detection and enables remote access, data theft, and lateral network movement.

A newly discovered Go-based backdoor trojan named TencShell obfuscates its command-and-control traffic as API requests to Tencent and is allegedly deployed by Chinese threat actors. The malware enables remote access, data exfiltration, and lateral network movement.

TencShell is a backdoor trojan written in Go that disguises its C2 traffic by obfuscating it as API requests to the Chinese platform Tencent. This technique is designed to complicate network detection and security analysis by making malware traffic appear as legitimate business communications to a well-known service.

For CISO teams, this variant is relevant because it combines multiple attack patterns: it provides remote access capabilities to threat actors, enables targeted data theft, and supports lateral network movement for propagation within environments. The obfuscation pattern — abusing legitimate API endpoints of well-known companies — complicates traditional signature-based detection and requires behavioral analysis or TLS inspection.

Effective defense combines network monitoring of lateral data flows, endpoint detection and response for suspicious Go process execution, stricter access controls and network segmentation against lateral movement, and regular threat hunts for C2 communication patterns — even when that traffic is disguised as API requests.
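One concrete form such a threat hunt can take is timing analysis: a backdoor that blends its check-ins into traffic to a well-known API host can still stand out because it polls at a fixed interval, while real client or SDK traffic to the same host is irregular. The script below is an added illustration of that idea, not code from the article or from any analysis of TencShell; the log format, the client names, the placeholder API hostname and the thresholds are all constructed assumptions.

```python
"""Beacon-interval hunt over constructed proxy log lines.

Added example (not from the original article and not derived from TencShell
samples). It shows how to hunt for C2-like behaviour toward a legitimate API
host by looking at request timing rather than at the destination name.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines: "timestamp client host path status".
# The destination host is a placeholder standing in for a legitimate API
# domain; it is not an indicator of compromise from the article.
SAMPLE_LOG = """\
2026-07-03T10:00:00Z ws-17 api.placeholder-cloud.invalid /v3/sync 200
2026-07-03T10:00:30Z ws-17 api.placeholder-cloud.invalid /v3/sync 200
2026-07-03T10:01:00Z ws-17 api.placeholder-cloud.invalid /v3/sync 200
2026-07-03T10:01:30Z ws-17 api.placeholder-cloud.invalid /v3/sync 200
2026-07-03T10:02:00Z ws-17 api.placeholder-cloud.invalid /v3/sync 200
2026-07-03T10:02:30Z ws-17 api.placeholder-cloud.invalid /v3/sync 200
2026-07-03T10:00:05Z ws-42 api.placeholder-cloud.invalid /v3/files 200
2026-07-03T10:07:41Z ws-42 api.placeholder-cloud.invalid /v3/files 200
2026-07-03T10:09:02Z ws-42 api.placeholder-cloud.invalid /v3/users 200
2026-07-03T10:31:17Z ws-42 api.placeholder-cloud.invalid /v3/files 200
2026-07-03T10:44:55Z ws-42 api.placeholder-cloud.invalid /v3/sync 200
2026-07-03T10:58:10Z ws-42 api.placeholder-cloud.invalid /v3/files 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Yield (timestamp, client, host, path) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4)


def find_beacons(text, min_requests=5, max_cv=0.1):
    """Return {(client, host): (mean_interval_s, cv)} for client/host pairs
    whose request spacing is nearly constant.

    cv is the coefficient of variation (stdev / mean) of the inter-request
    gaps. Interactive or SDK-driven traffic usually has a large cv; a beacon
    that sleeps a fixed interval between check-ins has a cv near 0.
    The thresholds are assumptions chosen for the constructed data.
    """
    times = defaultdict(list)
    for ts, client, host, _path in parse_log(text):
        times[(client, host)].append(ts)

    flagged = {}
    for key, stamps in times.items():
        if len(stamps) < min_requests:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged[key] = (mean, cv)
    return flagged


if __name__ == "__main__":
    for (client, host), (mean, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: every {mean:.0f}s (cv={cv:.3f})")
```

On the constructed data, ws-17 is flagged (a request every 30 s with zero jitter) while ws-42, which talks to the same host at irregular intervals, is not. In practice the same measurement is run per client/host pair over a proxy or TLS-inspection log window; a real implant may add jitter, so the cv threshold is tuned against the organisation's own baseline rather than fixed at the value used here.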


Source: www.security-insider.de · Published 3 July 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.7.2.