Back to Intelligence

GlassWorm, EtherRAT & Rebex Telegram RAT: Blockchain & Messaging C2 Convergence

SA
Security Arsenal Team
April 29, 2026
6 min read

Recent OTX pulses indicate a concerning trend where threat actors are migrating C2 infrastructure to immutable blockchains (Solana, Ethereum) and popular messaging platforms (Telegram) to withstand takedowns. Three distinct campaigns were observed:

  1. GlassWorm: A supply chain attack targeting developers, using the Solana blockchain to fetch payloads and install surveillance extensions.
  2. Rebex-based Telegram RAT: A campaign specifically targeting Vietnamese victims via trojanized CHM (Compiled HTML) files, utilizing Python loaders and XOR encryption.
  3. EtherRAT: A North Korean APT-linked Node.js backdoor targeting the retail and software sectors, using "EtherHiding" (smart contracts) for C2 infrastructure.

Collectively, these threats demonstrate a shift toward "living-off-the-chain" infrastructure and sophisticated multi-stage loaders designed to bypass traditional network defenses.

Threat Actor / Malware Profile

MalwareDistributionPayload BehaviorC2 & CommsPersistenceTechniques
GlassWormCompromised code repositories/package managers.Installs fake browser extension & RAT. Steals crypto/dev creds.Uses Solana blockchain for payload retrieval; covert C2.Registry modifications (Browser extensions).Supply Chain Compromise, Blockchain Abuse.
Rebex Telegram RATTrojanized CV documents (.CHM).Python loader spawns C++ DLLs with XOR encryption.Telegram API.Shell hijacking, Scheduled Tasks.CHM Infection, Multi-stage payload, Python Loader.
EtherRAT (NK APT)IT Support Scams / Phishing.Node.js backdoor; arbitrary command execution.Ethereum Smart Contracts (EtherHiding); CDN-like beaconing.Node.js installation folders.Host Fingerprinting, CIS Language Check, Smart Contract Abuse.

IOC Analysis

The provided indicators consist primarily of file hashes for the multi-stage payloads of the Telegram RAT and network infrastructure (domains) associated with the EtherRAT campaign.

  • File Hashes (Pulse 2): A cluster of SHA256, MD5, and SHA1 hashes corresponding to the CHM dropper, Python loader, and encrypted C++ payloads.
  • Domains (Pulse 3): A list of domains (o-parana.com, rpc.payload.de, etc.) used for CDN-like beaconing and Ethereum RPC interaction.

Operational Guidance:

  • SOAR/EDR: Import the SHA256 hashes into EDR quarantine lists immediately. The Pulse 2 hashes include the initial dropper and subsequent payloads.
  • Network Security: Block the listed domains at the proxy/DNS firewall level. Note that rpc.payload.de mimics a legitimate RPC endpoint but is part of the EtherHiding infrastructure.
  • Threat Hunting: Use the hashes to hunt for artifacts on developer workstations and retail endpoints.

Detection Engineering

Sigma Rules

YAML
---
title: Potential GlassWorm Browser Extension Installation
id: 441f8a9a-1c2b-4f3d-8e9f-1a2b3c4d5e6f
description: Detects suspicious registry modifications associated with GlassWorm fake browser extension installation in non-standard paths.
status: experimental
date: 2026/04/30
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/662fa9e1a4e0e96d0e8b4567
tags:
    - attack.persistence
    - attack.t1547.001
logsource:
    product: windows
    registry:
        - add
detection:
    selection:
        TargetObject|contains:
            - 'Software\\Google\\Chrome\\Extensions'
            - 'Software\\Mozilla\\Firefox\\Extensions'
        Details|contains:
            - '\\AppData\\Local\\Temp'
            - '\\AppData\\Roaming\\'
    filter:
        Details|contains: 'chrome-extension://'
    condition: selection and not filter
falsepositives:
    - Legitimate developer sideloading of extensions
level: high
---
title: Rebex Telegram RAT CHM Infection Chain
id: 552g9b0b-2d3c-5g4e-9f0g-2b3c4d5e6f7a
description: Detects hh.exe (CHM viewer) spawning a Python interpreter, characteristic of the Rebex Telegram RAT campaign.
status: experimental
date: 2026/04/30
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/662fa9e1a4e0e96d0e8b4568
tags:
    - attack.initial_access
    - attack.t1566.001
logsource:
    category: process_creation
detection:
    selection_parent:
        ParentImage|endswith: '\\hh.exe'
    selection_child:
        Image|endswith:
            - '\\python.exe'
            - '\\python3.exe'
            - '\\pwsh.exe'
    condition: all of selection_*
falsepositives:
    - Legitimate documentation opening scripts
level: critical
---
title: EtherRAT CDN-like Beaconing to Suspicious Domains
id: 663h0c1c-3e4d-6h5f-0g1h-3c4d5e6f7a8b
description: Detects processes connecting to domains associated with EtherRAT C2 infrastructure.
status: experimental
date: 2026/04/30
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/662fa9e1a4e0e96d0e8b4569
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    category: network_connection
detection:
    selection_domains:
        Initiated|equals: 'true'
        DestinationHostname|contains:
            - 'o-parana.com'
            - 'rpc.payload.de'
            - 'jariosos.com'
            - 'hayesmed.com'
            - 'regancontrols.com'
            - 'salinasrent.com'
            - 'justtalken.com'
            - 'mebeliotmasiv.com'
    condition: selection_domains
falsepositives:
    - Rare (domains are likely sinkholed or specific C2)
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for EtherRAT Network Connections
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any (
    "o-parana.com", "rpc.payload.de", "jariosos.com", "hayesmed.com", 
    "regancontrols.com", "salinasrent.com", "justtalken.com", "mebeliotmasiv.com"
)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemotePort
;
// Hunt for Rebex Telegram RAT File Artifacts
DeviceFileEvents
| where Timestamp > ago(7d)
| where SHA256 in (
    "ced7fe9c5ec508216e6dd9a59d2d5193a58bdbac5f41a38ea97dd5c7fceef7a5",
    "1323278360d41a74ab09d310f08902087ff2798d1eda99be65d07c1b1123a25c",
    "67b51a73c72f39b9cf41dd35eb22b369713ab2e576641b40b9089ebc9d4a1fb2",
    "6db64b44305ff125f729713d7ff516e84e4ca38504a2ab0571eb19597f49feee"
)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256
;
// Hunt for GlassWorm CHM Spawning Python
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName == "hh.exe"
| where FileName in ("python.exe", "python3.exe")
| project Timestamp, DeviceName, InitiatingProcessCommandLine, FileName, CommandLine

PowerShell Hunt Script

PowerShell
# IOC Hunt for Rebex Telegram RAT and Persistence Mechanisms
Write-Host "[*] Starting IOC Hunt for Rebex RAT and GlassWorm..." -ForegroundColor Cyan

# 1. Check for File Hashes (Rebex Payloads)
$hashes = @(    "ced7fe9c5ec508216e6dd9a59d2d5193a58bdbac5f41a38ea97dd5c7fceef7a5",
    "1323278360d41a74ab09d310f08902087ff2798d1eda99be65d07c1b1123a25c",
    "67b51a73c72f39b9cf41dd35eb22b369713ab2e576641b40b9089ebc9d4a1fb2",
    "6db64b44305ff125f729713d7ff516e84e4ca38504a2ab0571eb19597f49feee")

$drives = @("C:")
Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Yellow

foreach ($hash in $hashes) {
    $result = Get-ChildItem -Path $drives -Recurse -ErrorAction SilentlyContinue | 
        Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue | 
        Where-Object { $_.Hash -eq $hash }
    if ($result) {
        Write-Host "[!] MALICIOUS FILE FOUND: $($result.Path)" -ForegroundColor Red
    }
}

# 2. Check for Suspicious Scheduled Tasks (Persistence)
Write-Host "[+] Checking for suspicious scheduled tasks..." -ForegroundColor Yellow
$suspiciousTasks = Get-ScheduledTask | Where-Object { 
    $_.Actions.Execute -like "*python*" -or 
    $_.Actions.Execute -like "*cmd*" -and 
    $_.TaskName -notmatch "Microsoft|Windows|Google|Adobe"
}

if ($suspiciousTasks) {
    Write-Host "[!] Potential suspicious tasks found:" -ForegroundColor Red
    $suspiciousTasks | Select-Object TaskName, State, LastRunTime | Format-Table
}

Write-Host "[*] Hunt Complete." -ForegroundColor Green


---

# Response Priorities

Immediate (0-12 hours)

  • Network Blocking: Block all domains listed in the EtherRAT pulse at the firewall and proxy level.
  • Isolation: Identify and isolate any endpoints that have generated alerts for the SHA256 hashes associated with the Telegram RAT.
  • Process Termination: Kill any instances of hh.exe spawning python.exe immediately.

Within 24 Hours

  • Credential Verification: For GlassWorm infections, force a password reset for all development and cryptocurrency wallet credentials on affected systems.
  • Browser Forensics: Scan developer workstations for unauthorized browser extensions (GlassWorm) and remove them.
  • Task Analysis: Review all non-Microsoft scheduled tasks for signs of the Shell hijacking persistence mechanism used by the Telegram RAT.

Within 1 Week

  • Software Restriction: Implement Application Control policies to block the execution of CHM files (.chm) from the internet or email attachments.
  • Supply Chain Audit: Audit code repositories and package managers for GlassWorm indicators or unauthorized dependency changes.
  • Blockchain Monitoring: Configure network monitoring to detect or block RPC calls to public Ethereum/Solana nodes from non-approved developer workstations.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptglasswormetherrattelegram-ratapt-north-koreablockchain-c2

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action