Rebex-based Telegram RAT Targeting Vietnam

A trojanized CHM sample uploaded to VirusTotal from Vietnam drops a renamed Python runtime and a C++ DLL that decrypts a large embedded blob to deploy multiple components (msbuild XML, .NET loader, final Rebex-based Telegram RAT) and establishes persistence via a Winlogon shell hijack and a scheduled task. The final payload is a weaponized Rebex.Common.dll that communicates with attackers via a Telegram bot token and supports command execution, file download, and token swapping. #TelegramRAT #RebexCommon

Keypoints

  • On 2026-04-01 a ZIP (CV – Vu PLPC So2156516.zip) uploaded from Vietnam contained a trojanized CHM (Word Document – CV – Vu PLPC KT nam 2026.chm) that uses a fake “document corrupt” prompt to trigger execution.
  • The CHM’s embedded HTML constructs OBJECT tags that run hh.exe to decompile contents to %tmp% and then executes a renamed Python interpreter (_pJifgWSwPi.exe) against an extracted .pyc.
  • The extracted C++ DLL (_WwWQPVGiYq.dll) decrypts an embedded blob (Word Document – 2026 BBBC.docx) using two XOR layers to drop mechaniSm.xml, a .csproj/.NET DLL loader (ioy24euj.dll), and other payloads into the user's AppData\Local\Temp directory (%tmp%).
  • Persistence is implemented by setting environment variables under HKCU\Environment, hijacking the HKCU Winlogon Shell value, and creating a Scheduled Task named “Doubt” that shuts down the system weekly (Friday midnight); the shutdown forces a new logon, at which point the hijacked Shell value runs the chain.
  • The msbuild.exe-based mechaniSm.xml loads ioy24euj.dll, which base64/XOR-decodes and decompresses an in-memory .NET payload — a weaponized Rebex.Common.dll — that contains a Telegram-based RAT.
  • The RAT contains a hard-coded Telegram bot token and chat_id, uses Rebex.Net WebClient for C2 (with optional SOCKS5), accepts remote commands (ping, token swap, file download, and arbitrary cmd.exe execution), and currently has 0 VT detections for the final DLL.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – The CHM lure requires user interaction to start the chain (‘When the victim opens the CHM file, they are presented with a fake message … the script embedded into the HTML initiates the infection when the victim clicks on either “Yes” or “No”’)
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The CHM triggers cmd.exe to run hh.exe and launch the extracted components (‘cmd.exe, /c start /min cmd /c “hh -decompile %tmp%\rupt …” && start /min cmd /c %tmp%\rupt\_MecerYleDG\_WcWWXugOou\_pJifgWSwPi.exe %tmp%\rupt\_MecerYleDG\_xSiWWWuYLk.pyc’)
  • [T1059.006] Command and Scripting Interpreter: Python – A renamed Python interpreter is executed against a compiled .pyc to load a DLL (‘…\_pJifgWSwPi.exe %tmp%\rupt\_MecerYleDG\_xSiWWWuYLk.pyc’)
  • [T1127.001] Trusted Developer Utilities Proxy Execution: MSBuild – msbuild.exe is used to build mechaniSm.xml, which loads the .NET DLL loader ioy24euj.dll (‘Runs mechaniSm.xml with msbuild.exe, loading ioy24euj.dll.’)
  • [T1053.005] Scheduled Task/Job: Scheduled Task – A scheduled task named “Doubt” is created to shut down the system every Friday at midnight (‘Creates a scheduled task to shutdown the system every Friday at midnight, possibly to trigger the persistence mechanism.’)
  • [T1547.004] Boot or Logon Autostart Execution: Winlogon Helper DLL – The threat actor hijacks the Winlogon Shell value in HKCU to achieve persistence; modifying Shell/Userinit under Winlogon maps to this sub-technique rather than to Run keys (‘Establishes persistence by implementing a Shell hijack in HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon /v Shell.’)
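The execution chain above (hh.exe decompiling the CHM, cmd.exe spawned by hh.exe, a Temp-resident renamed interpreter given a .pyc, and msbuild.exe building an XML project from the user profile) leaves a recognisable sequence in process-creation telemetry. The following PowerShell hunt is an added example written for this page, not code from the original report or from the analyst; it assumes Sysmon is installed with its default operational channel, and the function name `Find-ChmChainEvents` and its matching rules are the editor's own.

```powershell
# Added hunting example (not from the original report). Scans Sysmon
# process-creation events (Event ID 1) for the CHM -> hh.exe -> cmd.exe ->
# renamed Python -> msbuild.exe chain described in the MITRE section.
# Assumption: Sysmon logs to 'Microsoft-Windows-Sysmon/Operational'.
function Find-ChmChainEvents {
    param([int]$MaxEvents = 5000)

    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten the EventData <Data Name="..."> elements into a hashtable
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $cmd    = $d['CommandLine']
        $img    = $d['Image']
        $parent = $d['ParentImage']
        $hit    = $null

        if ($img -match '\\hh\.exe$' -and $cmd -match '-decompile') {
            # hh.exe extracting the CHM's contents to disk
            $hit = 'hh.exe -decompile'
        }
        elseif ($img -match '\\cmd\.exe$' -and $parent -match '\\hh\.exe$') {
            # command shell launched by the CHM's OBJECT tag
            $hit = 'cmd.exe child of hh.exe'
        }
        elseif ($img -match '\\AppData\\Local\\Temp\\' -and $cmd -match '\.pyc(\s|"|$)') {
            # an executable living in %tmp% handed a .pyc: renamed Python interpreter
            $hit = 'Temp-resident exe executing .pyc'
        }
        elseif ($img -match '\\msbuild\.exe$' -and $cmd -match '\\AppData\\.*\.xml') {
            # msbuild.exe "building" an XML project dropped under the user profile
            $hit = 'msbuild.exe building XML from AppData'
        }

        if ($hit) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Rule        = $hit
                Image       = $img
                Parent      = $parent
                CommandLine = $cmd
            }
        }
    }
}

# Usage: list hits newest-first; pipe to Export-Csv for triage hand-off.
Find-ChmChainEvents | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

The msbuild rule fires on any .xml built from AppData, which is rare on workstations but routine on developer machines; the .pyc rule is the most specific of the four, since a legitimate Python install is not normally executed out of %tmp%.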

Indicators of Compromise

  • [File Hash ] Delivery and samples – CV – Vu PLPC So2156516.zip: 6db64b44305ff125f729713d7ff516e84e4ca38504a2ab0571eb19597f49feee, Word Document – CV – Vu PLPC KT nam 2026.chm: a0d5b30578acd1df9139e7a8a4bfc659dc2cf48f4dc0c5804b70890adeb9fa21 (and 2 more hashes)
  • [File Name ] Extracted and dropped components – Word Document – 2026 BBBC.docx (encrypted blob), _WwWQPVGiYq.dll (DLL decrypted/loaded)
  • [File Name ] Supporting payloads – mechaniSm.xml (msbuild XML), ioy24euj.dll (.NET loader), ug35idhv.lnk (startup shortcut checked/deleted)
  • [Registry Key ] Persistence artifacts – HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon /v Shell (shell hijack); HKCU\Environment values Msbd, Pyps and Temprd (used to invoke msbuild.exe and powershell.exe)
  • [Scheduled Task ] Task name and behavior – Scheduled Task “Doubt” created to shutdown the system every Friday at midnight (persistence-related behavior)
  • [Mutex ] Runtime artifact – mutex named ODmVyekhvWKUFqvMEsyzbMpgpDcEdrJmGaLxpAMLvBjWXnOQvlottEzBOFftA observed in the .NET loader
  • [Credential / Bot Token ] C2 credentials – Telegram bot token: 8243072398:AAGPfDYBv88654nDZ0uHfVLy5X99vFo9GB0; chat_id: 8323854499
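The registry, scheduled-task, file and mutex indicators above can be checked on a suspect host in one pass. The script below is an added triage example for this page, not code from the original report; it assumes the dropped files sit in or just below %tmp% (the report's AppData\Local\Temp location), that the loader's mutex is created without a `Global\` prefix, and that the two delivery files may still be in the user's Downloads folder. The function name `Find-TelegramRatArtifacts` is the editor's own.

```powershell
# Added host-triage example (not from the original report). Checks the
# local user profile for the persistence and file artifacts listed in the
# IoC section and returns one line per finding.
function Find-TelegramRatArtifacts {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Winlogon Shell hijack. HKCU normally carries no Shell value at all,
    #    so anything other than the default "explorer.exe" is suspicious.
    $winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell -ne 'explorer.exe') {
        $findings.Add("Winlogon Shell hijack: $shell")
    }

    # 2. Environment values the chain sets (names from the report).
    foreach ($name in 'Msbd', 'Pyps', 'Temprd') {
        $val = (Get-ItemProperty -Path 'HKCU:\Environment' -Name $name -ErrorAction SilentlyContinue).$name
        if ($val) { $findings.Add("HKCU\Environment\$name = $val") }
    }

    # 3. Scheduled task "Doubt" (weekly shutdown, Friday midnight).
    $task = Get-ScheduledTask -TaskName 'Doubt' -ErrorAction SilentlyContinue
    if ($task) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings.Add("Scheduled task 'Doubt': $actions")
    }

    # 4. Dropped components in %tmp%. Assumption: at most two levels deep.
    $dropped = 'mechaniSm.xml', 'ioy24euj.dll', '_WwWQPVGiYq.dll', 'ug35idhv.lnk',
               'Word Document – 2026 BBBC.docx'
    foreach ($file in $dropped) {
        Get-ChildItem -Path $env:TEMP -Filter $file -Recurse -Depth 2 -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hash = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                $findings.Add("Dropped file: $($_.FullName) sha256=$hash")
            }
    }

    # 5. Delivery ZIP / CHM by hash, looking only at archives and help files
    #    in Downloads (assumption: that is where the lure was saved).
    $knownHashes = @(
        '6DB64B44305FF125F729713D7FF516E84E4CA38504A2AB0571EB19597F49FEEE',  # .zip
        'A0D5B30578ACD1DF9139E7A8A4BFC659DC2CF48F4DC0C5804B70890ADEB9FA21'   # .chm
    )
    $downloads = Join-Path $env:USERPROFILE 'Downloads'
    Get-ChildItem -Path $downloads -Include '*.zip', '*.chm' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
            if ($knownHashes -contains $h) { $findings.Add("Known lure: $($_.FullName) sha256=$h") }
        }

    # 6. Loader mutex: TryOpenExisting succeeds only while the loader holds it.
    $mutexName = 'ODmVyekhvWKUFqvMEsyzbMpgpDcEdrJmGaLxpAMLvBjWXnOQvlottEzBOFftA'
    $m = $null
    if ([System.Threading.Mutex]::TryOpenExisting($mutexName, [ref]$m)) {
        $m.Dispose()
        $findings.Add("Loader mutex present: $mutexName")
    }

    return $findings
}

# Usage: run in the affected user's session (the artifacts are per-user).
$result = Find-TelegramRatArtifacts
if ($result.Count) { $result | ForEach-Object { Write-Warning $_ } } else { 'No artifacts found.' }
```

The hashes are compared uppercase because Get-FileHash returns uppercase hex. A hit on check 1 alone is decisive; checks 2 and 3 confirm the chain, and check 6 only fires while the .NET loader process is alive, so a negative there does not clear the host.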


Read more: https://dmpdump.github.io/posts/TelegramRat/