China-Linked Hackers Deploy New TencShell Malware Against Global Manufacturer
ID: 13e846cf-3ac6-54f7-bdf0-99a11755e372
STIX ID: report--13e846cf-3ac6-54f7-bdf0-99a11755e372
Feed Name: Infosecurity Magazine (News)
**Executive summary:** Cato Networks’ researchers blocked an intrusion targeting an Indian site of a global manufacturer and analyzed an undocumented Go-based implant named TencShell, a customized variant of the Rshell C2 framework. The operation used a first-stage dropper, Donut shellcode, a payload masqueraded as a .woff web font, in-memory payload execution, and C2 traffic disguised as ordinary web requests by spoofing Tencent-style API paths; investigators suspect a China-linked actor but say attribution is not definitive.
