Recent OTX pulses indicate a surge in multi-vector threats targeting enterprise infrastructure and end users. We are tracking three distinct active campaigns: a targeted attack in Vietnam delivering a Rebex-based Telegram RAT via CHM files; a broad campaign using AI-themed lures (fake "OpenClaw" agent skills) to distribute GachiLoader and the Rhadamanthys infostealer; and a supply chain attack by TeamPCP that compromised security and developer tooling (Trivy, KICS, LiteLLM) to deliver the CanisterWorm wiper. The actors show good operational security: fileless injection, multi-stage encryption, and abuse of legitimate services (Telegram, GitHub, Cloudflare Tunnels) for delivery and C2, which makes their traffic hard to separate from normal use.
Threat Actor / Malware Profile
1. Rebex Telegram RAT (Unknown Actor)
- Distribution: Trojanized CV documents delivered as Compiled HTML (CHM) files.
- Payload Behavior: Multi-stage payload involving Python interpreters, C++ DLLs, and layered XOR encryption.
- Persistence: Shell hijacking and Scheduled Tasks.
- C2 Communication: Utilizes the Telegram API via the Rebex library, blending in with legitimate traffic.
2. GachiLoader / Rhadamanthys (Unknown Actor)
- Distribution: Social engineering via fake "OpenClaw" AI agent skills hosted on GitHub.
- Payload Behavior: Uses Node.js SEA (Single Executable Application) and Electron droppers. Performs fileless injection to load the Rhadamanthys infostealer.
- C2 Communication: Blockchain-based infrastructure.
3. TeamPCP / CanisterWorm
- Distribution: Supply chain compromise of open-source tools: Trivy, KICS, LiteLLM, and Telnyx Python SDK.
- Vulnerability: Exploits CVE-2025-55182.
- Payload Behavior: CanisterWorm (Wiper malware) designed to destroy data.
- C2 Communication: Cloudflare Tunnels (trycloudflare.com) and ICP0.io hostnames.
IOC Analysis
The current intelligence dump provides actionable indicators across multiple categories:
- File Hashes: A significant volume of SHA256, MD5, and SHA1 hashes for droppers, loaders, and final payloads (Rhadamanthys, CanisterWorm).
- CVE: CVE-2025-55182 (associated with the TeamPCP supply chain attack).
- Network Indicators: Hostnames associated with TeamPCP C2 infrastructure using Cloudflare tunnels.
SOC Operationalization:
- Ingest all file hashes into EDR correlation engines for immediate blocking. Hashes are brittle (droppers are rebuilt per campaign), so treat them as a floor, not the whole detection.
- Block identified C2 hostnames at the perimeter and via DNS sinkholes. Note that the Cloudflare Tunnel hostname is unique per tunnel; block the listed one, but alert on any of the tools below resolving a trycloudflare.com name at all.
- Prioritize patching CVE-2025-55182 and verifying the integrity of every deployed Trivy/KICS/LiteLLM binary against the checksums and signatures published for the release you actually run, not just the version string.
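To make the last item concrete, the following is an added example (not code from the Trivy, KICS or LiteLLM projects) of the check a deployment pipeline should run before a downloaded release artifact is allowed onto a host: parse the publisher's sha256sum-style checksum file, stream-hash the artifact, reject anything that matches a known-bad hash such as the ones in the IOC section, and reject anything unlisted or mismatching. The artifact name, bytes, checksum file and known-bad digest in run_demo() are constructed for the demo.

```python
"""Verify a downloaded release artifact before it enters the toolchain.

Added example for this advisory; it is not code from the Trivy, KICS or
LiteLLM projects. It assumes the publisher attaches a sha256sum-style file
('<hex digest>  <filename>' per line) to the release, and it checks the
artifact's digest against that file and against a list of known-bad hashes
such as the ones in the IOC section. The artifact bytes, checksum file and
known-bad digest used in run_demo() are constructed for the demo.
"""
import hashlib
import re
import tempfile
from pathlib import Path

SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")


def parse_checksum_file(text: str) -> dict[str, str]:
    """Parse sha256sum output. A leading '*' on the name marks binary mode."""
    entries: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not SHA256_HEX.match(parts[0].lower()):
            raise ValueError(f"malformed checksum line: {raw!r}")
        entries[parts[1].lstrip("*").strip()] = parts[0].lower()
    return entries


def sha256_of(path: Path) -> str:
    """Stream the file so large archives do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_artifact(path: Path, checksums: dict[str, str], known_bad: set[str]):
    """Return (ok, reason). Known-bad wins over everything, then unlisted, then mismatch."""
    actual = sha256_of(path)
    if actual in known_bad:
        return False, f"{path.name}: digest {actual[:16]}... is a known-malicious artifact"
    expected = checksums.get(path.name)
    if expected is None:
        return False, f"{path.name}: not present in the publisher's checksum file"
    if actual != expected:
        return False, f"{path.name}: digest mismatch (expected {expected[:16]}..., got {actual[:16]}...)"
    return True, f"{path.name}: digest matches the published checksum"


def run_demo() -> dict[str, tuple[bool, str]]:
    """Exercise the four outcomes on constructed files in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="artifact-verify-"))
    name = "trivy_0.0.0_Linux-64bit.tar.gz"  # hypothetical artifact name
    clean = b"PK\x03\x04 constructed clean release archive"
    trojan = b"PK\x03\x04 constructed trojanized archive"
    corrupt = b"PK\x03\x04 constructed truncated download"
    cases = {
        "clean": (name, clean), "known_bad": (name, trojan),
        "mismatch": (name, corrupt), "unlisted": ("kics.tar.gz", clean),
    }
    for case, (fname, data) in cases.items():
        (root / case).mkdir()
        (root / case / fname).write_bytes(data)

    checksums = parse_checksum_file(f"{hashlib.sha256(clean).hexdigest()}  {name}\n")
    known_bad = {hashlib.sha256(trojan).hexdigest()}
    return {case: verify_artifact(root / case / fname, checksums, known_bad)
            for case, (fname, _) in cases.items()}


if __name__ == "__main__":
    for case, (ok, reason) in run_demo().items():
        print(f"[{'OK' if ok else 'REJECT'}] {case}: {reason}")
```

A checksum file fetched from the same release page as the artifact proves only that the download was not corrupted in transit; if the release itself was replaced, the attacker replaced the checksums too. Where the publisher signs releases (cosign, GPG), verify the signature as well and pin the digest you verified in your deployment manifest so the check is not repeated from scratch on every host.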
Detection Engineering
```yaml
---
title: Suspicious CHM File Spawning Python or Shell
id: 5c5b5c5b-5c5b-5c5b-5c5b-5c5b5c5b5c5b
description: Detects a CHM file opened with hh.exe spawning a Python interpreter or a command shell, the process chain seen in the Rebex Telegram RAT campaign targeting Vietnam.
author: Security Arsenal
date: 2026/05/04
references:
    - https://dmpdump.github.io/posts/TelegramRat/
tags:
    - attack.execution
    - attack.defense_evasion
    - attack.t1059.001
    - attack.t1059.003
    - attack.t1059.006
    - attack.t1218.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\hh.exe'
        Image|endswith:
            - '\python.exe'
            - '\python3.exe'
            - '\pythonw.exe'
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - Legitimate help files that launch shortcut commands (rare)
level: high
---
title: TeamPCP Supply Chain Suspicious Tool Activity
id: 1a1a1a1a-1a1a-1a1a-1a1a-1a1a1a1a1a1a
description: Detects outbound connections from the Trivy, KICS or LiteLLM binaries that either go to a Cloudflare Tunnel (trycloudflare.com) or ICP0.io hostname, as used for TeamPCP C2, or leave on a port other than 80/443. A port-only filter misses the tunnel C2 because it rides over 443. The same logic applies to the Linux hosts and CI runners where these tools normally run.
author: Security Arsenal
date: 2026/05/04
references:
    - https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/
tags:
    - attack.command_and_control
    - attack.t1071.001
    - attack.t1195.002
logsource:
    category: network_connection
    product: windows
detection:
    selection_tool:
        Image|endswith:
            - '\trivy.exe'
            - '\trivy'
            - '\kics.exe'
            - '\kics'
            - '\litellm.exe'
            - '\litellm'
        Initiated: 'true'
    selection_c2:
        DestinationHostname|endswith:
            - '.trycloudflare.com'
            - '.icp0.io'
    filter_web_ports:
        DestinationPort:
            - 80
            - 443
    filter_legit:
        DestinationHostname|endswith:
            - 'github.com'
            - 'docker.io'
            - 'quay.io'
    condition: selection_tool and (selection_c2 or not filter_web_ports) and not filter_legit
falsepositives:
    - Legitimate registries, update servers or scan targets on non-standard ports; extend filter_legit with your own mirrors
level: critical
---
title: GachiLoader Activity via Node.js or Electron
id: 2b2b2b2b-2b2b-2b2b-2b2b-2b2b2b2b2b2b
description: Detects potential GachiLoader dropper activity where a Node.js or Electron process launches a system binary commonly used to proxy execution or load a payload, associated with the fake "OpenClaw" AI skill lures. A Node.js SEA dropper can carry any file name, so this only catches the unrenamed node.exe/electron.exe case; pair it with the hash hunt below.
author: Security Arsenal
date: 2026/05/04
references:
    - https://www.threatdown.com/blog/gachiloader-adopts-ai-skill-lure-from-fake-openclaw-readme-to-rhadamanthys-infostealer/
tags:
    - attack.defense_evasion
    - attack.t1055.001
    - attack.t1218.010
    - attack.t1218.011
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\node.exe'
            - '\electron.exe'
        Image|endswith:
            - '\rundll32.exe'
            - '\regsvr32.exe'
            - '\powershell.exe'
    condition: selection
falsepositives:
    - Legitimate Node.js or Electron applications spawning system processes (build tooling, installers)
level: high
```
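To check that the three rules above fire on the intended process chains and connections, and to make the port-filter caveat visible, here is an added Python example that mirrors their field logic over constructed Sysmon-style events. It is not part of the original post and not a Sigma backend; the event records are constructed samples (the "openclaw-skill.exe" parent name is hypothetical), and the only real indicator used is the Cloudflare Tunnel hostname from the IOC section.

```python
"""Mirror the three Sigma rules' logic in plain Python and run them over
constructed Sysmon-style events. Added example for this advisory; not code
from the page's rules, any Sigma backend or any vendor. Events below are
constructed samples, not captured telemetry.
"""
from typing import Callable

SHELLS_AND_INTERPRETERS = {"python.exe", "python3.exe", "pythonw.exe",
                           "cmd.exe", "powershell.exe", "pwsh.exe"}
COMPROMISED_TOOLS = {"trivy.exe", "trivy", "kics.exe", "kics", "litellm.exe", "litellm"}
WEB_PORTS = {80, 443}
C2_DOMAINS = ("trycloudflare.com", "icp0.io")             # from the IOC section
ALLOWED_DOMAINS = ("github.com", "docker.io", "quay.io")  # the rule's filter_legit
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "powershell.exe"}


def basename(path: str) -> str:
    """Image paths arrive in Windows or POSIX form; compare the file name only."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def host_in(host: str, domains) -> bool:
    """True when host equals one of domains or is a subdomain of it (not a substring)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def rule_chm_spawn_python_or_shell(ev: dict) -> bool:
    return (ev["EventType"] == "process_creation"
            and basename(ev["ParentImage"]) == "hh.exe"
            and basename(ev["Image"]) in SHELLS_AND_INTERPRETERS)


def rule_tool_c2_connection(ev: dict) -> bool:
    if ev["EventType"] != "network_connection" or not ev["Initiated"]:
        return False
    if basename(ev["Image"]) not in COMPROMISED_TOOLS:
        return False
    host = ev["DestinationHostname"]
    if host_in(host, ALLOWED_DOMAINS):
        return False
    # A port-only filter misses the tunnel C2 (it rides over 443), hence the OR.
    return host_in(host, C2_DOMAINS) or ev["DestinationPort"] not in WEB_PORTS


def rule_node_electron_proxy_exec(ev: dict) -> bool:
    return (ev["EventType"] == "process_creation"
            and basename(ev["ParentImage"]) in {"node.exe", "electron.exe"}
            and basename(ev["Image"]) in PROXY_BINARIES)


RULES: dict[str, Callable[[dict], bool]] = {
    "chm_spawn_python_or_shell": rule_chm_spawn_python_or_shell,
    "tool_c2_connection": rule_tool_c2_connection,
    "node_electron_proxy_exec": rule_node_electron_proxy_exec,
}


def evaluate(events):
    """Return (rule_name, event_id) for every rule that fires on each event."""
    return [(name, ev["id"]) for ev in events for name, fn in RULES.items() if fn(ev)]


# Constructed sample events with Sysmon-style field names.
SAMPLE_EVENTS = [
    {"id": 1, "EventType": "process_creation", "ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Users\u\AppData\Local\Temp\python.exe"},          # fires: CHM -> python
    {"id": 2, "EventType": "process_creation", "ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},                    # benign child
    {"id": 3, "EventType": "network_connection", "Image": r"C:\tools\trivy.exe", "Initiated": True,
     "DestinationHostname": "plug-tab-protective-relay.trycloudflare.com",
     "DestinationPort": 443},                                         # fires: tunnel C2 on 443
    {"id": 4, "EventType": "network_connection", "Image": r"C:\tools\trivy.exe", "Initiated": True,
     "DestinationHostname": "api.github.com", "DestinationPort": 443},  # allow-listed
    {"id": 5, "EventType": "network_connection", "Image": "/usr/local/bin/kics", "Initiated": True,
     "DestinationHostname": "203.0.113.7", "DestinationPort": 4444},  # fires: odd port
    {"id": 6, "EventType": "network_connection", "Image": "/usr/local/bin/litellm", "Initiated": True,
     "DestinationHostname": "api.openai.com", "DestinationPort": 443},  # 443, not flagged
    {"id": 7, "EventType": "process_creation", "ParentImage": r"C:\Program Files\nodejs\node.exe",
     "Image": r"C:\Windows\System32\rundll32.exe"},                   # fires: node -> rundll32
    {"id": 8, "EventType": "process_creation",
     "ParentImage": r"C:\Users\u\Downloads\openclaw-skill.exe",       # hypothetical renamed SEA
     "Image": r"C:\Windows\System32\rundll32.exe"},                   # not caught by name
]

if __name__ == "__main__":
    for name, event_id in evaluate(SAMPLE_EVENTS):
        print(f"{name:28s} fired on event {event_id}")
```

Events 6 and 8 are the ones to look at: LiteLLM talking to an API endpoint over 443 is indistinguishable from normal use by port and hostname alone, and a Node SEA dropper that was renamed never shows up as node.exe, so neither rule set replaces the hash hunt and the integrity check of the installed binaries.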
```kql
// Hunt for TeamPCP compromised security tools: connections on non-web ports, or to
// the Cloudflare Tunnel / ICP0.io hostnames used for C2. The tunnel C2 rides over 443,
// so the hostname clause is required; a port-only filter misses it.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("trivy.exe", "trivy", "kics.exe", "kics", "litellm.exe", "litellm")
| where RemotePort !in (80, 443)
    or RemoteUrl has_any ("trycloudflare.com", "icp0.io")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort

// Hunt for the Rebex Telegram RAT process chain (CHM opened by hh.exe spawning an interpreter or shell)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "hh.exe"
| where FileName in~ ("python.exe", "python3.exe", "pythonw.exe", "powershell.exe", "pwsh.exe", "cmd.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath

// Hunt for GachiLoader file hashes (SHA256 is populated for PE files; extend with SHA1/MD5 from the pulse if needed)
DeviceFileEvents
| where Timestamp > ago(7d)
| where SHA256 in (
    "076ba40e7fbf2910dff87f0c25862a70001d8ad81d23d8beae9fb9b29b603829",
    "1753d2f90bd4ac6c0c91e76322ae1d0cc8034842a61dc175c7aba3e1aa944c90",
    "1831db8fe19efbd12997f63bc76da79858f87995b9ebd8a05757670e5e52c1f2"
)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
```
```powershell
# IOC hunt script for TeamPCP and the Rebex Telegram RAT
# Requires administrative privileges. Hashing every file on every drive is slow on
# large volumes; narrow $Drives to user profiles, temp directories and tool install
# paths for a quick first pass.
$TargetHashes = @(
    "ced7fe9c5ec508216e6dd9a59d2d5193a58bdbac5f41a38ea97dd5c7fceef7a5", # Rebex Telegram RAT
    "18a24f83e807479438dcab7a1804c51a00dafc1d526698a66e0640d1e5dd671a", # TeamPCP CanisterWorm
    "0c0d206d5e68c0cf64d57ffa8bc5b1dad54f2dda52f24e96e02e237498cb9c3a",
    "5e2ba7c4c53fa6e0cef58011acdd50682cf83fb7b989712d2fcf1b5173bad956",
    "61ff00a81b19624adaad425b9129ba2f312f4ab76fb5ddc2c628a5037d31a4ba",
    "7df6cef7ab9aae2ea08f2f872f6456b5d51d896ddda907a238cd6668ccdc4bb7"
)

Write-Host "Scanning for known malicious file hashes..." -ForegroundColor Cyan
$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root

foreach ($Drive in $Drives) {
    Write-Host "Scanning drive $Drive..."
    try {
        Get-ChildItem -Path $Drive -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -gt 0 } |
            ForEach-Object {
                $Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                if ($Hash -and $TargetHashes -contains $Hash) {
                    Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) | Hash: $Hash" -ForegroundColor Red
                }
            }
    } catch {
        Write-Host "Error scanning ${Drive}: $_" -ForegroundColor Yellow
    }
}

# Check the local DNS client cache for the TeamPCP C2 hostnames. The cache only holds
# recent lookups, so an empty result does not clear the host; check DNS server logs too.
$C2Domains = @(
    "plug-tab-protective-relay.trycloudflare.com",
    "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io"
)
Write-Host "Checking DNS cache for TeamPCP C2 domains..."
Get-DnsClientCache |
    Where-Object { ($C2Domains -contains $_.Entry) -or ($C2Domains -contains $_.Name) } |
    Select-Object Entry, Name, Data, TimeToLive
```
Response Priorities
- Immediate: Block all listed IOCs (file hashes, C2 domains). Initiate hunts for hh.exe spawning python.exe and for network connections from trivy, kics or litellm to endpoints outside the allow-list.
- 24h: If a Rhadamanthys (GachiLoader payload) infection is suspected, treat every credential and browser session on the host as exposed: verify the identity of the affected users, reset their credentials and revoke active sessions and tokens.
- 1 Week: Conduct a full audit of the software supply chain. Update all instances of Trivy, KICS, LiteLLM and the Telnyx SDK to patched versions, verifying release checksums and signatures before redeploying. Review policies regarding CHM file execution and installation of "AI agent" skills from untrusted sources.