Rebex-based Telegram RAT Targeting Vietnam
A sophisticated malware campaign targeting Vietnamese victims uses a trojanized CV document in CHM format to deliver a multi-stage payload. The infection chain involves compiled HTML files, Python interpreters, C++ DLLs, and layered XOR encryption. Persistence is achieved via Shell hijacking and scheduled tasks. The payload includes a weaponized Rebex.Common.dll acting as a Telegram-based remote access trojan (RAT) that communicates through the Telegram bot API. The RAT supports commands such as file download, token swapping, and arbitrary command execution. The campaign exhibits characteristics of targeted state-sponsored activity rather than opportunistic cybercrime, with techniques linked to advanced threat actors in Southeast Asia. No known exploits in the wild or official patches are reported. The campaign is assessed as medium severity.
AI Analysis (machine-generated threat intelligence)
Technical Summary
This campaign delivers a Telegram-based RAT via a trojanized CHM file posing as a CV document targeting Vietnamese users. The infection uses a multi-stage payload delivery involving Python loaders, C++ DLLs, and XOR encryption to evade detection. Persistence mechanisms include Shell hijacking and scheduled tasks. The RAT leverages the Rebex.Common.dll library to communicate with attackers through the Telegram bot API, enabling remote commands such as file exfiltration, token swapping, and arbitrary command execution. The campaign's complexity and targeting suggest state-sponsored origins. No patch or vendor advisory is available, and no cloud service is involved.
Potential Impact
The malware enables remote attackers to execute arbitrary commands, download files, and manipulate tokens on infected systems, potentially leading to data theft, system compromise, and unauthorized access. The use of persistence techniques increases the difficulty of removal. The targeted nature of the campaign suggests potential espionage or surveillance objectives against Vietnamese victims. There are no reports of widespread exploitation or known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory for current remediation guidance. In the absence of official fixes, organizations should focus on user awareness so that staff do not open trojanized CHM files, especially those masquerading as CV documents, and on monitoring for indicators of compromise such as the hashes associated with this campaign and unusual scheduled tasks or Shell hijacking activity. With no vendor advisory or patch available, defensive measures should prioritize detection and containment.
Affected Countries
Vietnam
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://dmpdump.github.io/posts/TelegramRat/
- Adversary: null
- Pulse Id: 69f1d26f3c7a8e098eccb448
- Threat Score: null
Threat ID: 69f1dbedcbff5d8610f30bf0
Added to database: 4/29/2026, 10:22:37 AM
Last enriched: 4/29/2026, 10:38:35 AM
Last updated: 4/29/2026, 8:56:23 PM