{
  "name": "Rebex-based Telegram RAT Targeting Vietnam",
  "slug": "rebex-based-telegram-rat-targeting-vietnam",
  "description": "A sophisticated CHM-based malware campaign has been identified targeting Vietnamese victims through a trojanized CV document. The infection chain uses a compiled HTML (CHM) file that deploys a multi-stage payload delivery mechanism involving Python interpreters, C++ DLLs, and layered XOR encryption. The malware establishes persistence through Shell hijacking and scheduled tasks, ultimately delivering a weaponized version of Rebex.Common.dll that functions as a Telegram-based remote access trojan. The RAT communicates via the Telegram Bot API and supports commands for file download, token swapping, and arbitrary command execution. The infection chain shows characteristics more typical of targeted, state-sponsored activity than of opportunistic cybercrime, and it employs techniques historically associated with advanced threat actors operating in the Southeast Asian region. This is an assessment based on tradecraft: the record names no specific actor and carries no confidence rating.",
  "published": "2026-04-29T07:42:07+00:00",
  "created_at": "2026-04-29T07:42:07+00:00",
  "modified_at": "2026-04-29T08:14:19+00:00",
  "created_at_opencti": "2026-04-29T07:42:07+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-04-29",
    "chm infection",
    "multi-stage payload",
    "python loader",
    "rebex library",
    "shell hijacking",
    "telegram rat",
    "vietnam targeting",
    "xor encryption"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "67b51a73c72f39b9cf41dd35eb22b369713ab2e576641b40b9089ebc9d4a1fb2"
      },
      {
        "id": "",
        "name": "a0d5b30578acd1df9139e7a8a4bfc659dc2cf48f4dc0c5804b70890adeb9fa21"
      },
      {
        "id": "",
        "name": "6db64b44305ff125f729713d7ff516e84e4ca38504a2ab0571eb19597f49feee"
      },
      {
        "id": "",
        "name": "ced7fe9c5ec508216e6dd9a59d2d5193a58bdbac5f41a38ea97dd5c7fceef7a5"
      },
      {
        "id": "",
        "name": "1323278360d41a74ab09d310f08902087ff2798d1eda99be65d07c1b1123a25c"
      }
    ],
    "attack_patterns": [
      {
        "id": "6ccd4566-e15e-40cf-b7df-4a3f737ce5cd",
        "name": "T1036.005"
      },
      {
        "id": "79525d9e-3824-4347-a471-7dcea20fd864",
        "name": "T1583.006"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "29a20d73-65dc-4dc0-b5de-d943bc32d282",
        "name": "T1218.001"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "05ac27d4-58d0-44b2-a984-cd5aefd1f7f9",
        "name": "T1497.001"
      },
      {
        "id": "1e573653-8e3c-42df-abd2-df73bd3e1266",
        "name": "T1218.004"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "2fca0274-42fc-483e-a1e3-d9c4ba687d2d",
        "name": "T1574.001"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/69f1d26f3c7a8e098eccb448",
    "https://dmpdump.github.io/posts/TelegramRat/"
  ]
}