Back to Intelligence

Rebex Telegram RAT, GachiLoader & TeamPCP CanisterWorm: OTX Pulse Analysis — Enterprise Detection Pack

SA
Security Arsenal Team
May 3, 2026
6 min read

OTX pulses indicate a surge in diverse attack vectors ranging from targeted espionage to broad supply chain compromises. Analysis of live data reveals three distinct campaigns:

  1. A Rebex-based Telegram RAT campaign specifically targeting Vietnamese entities via trojanized CV documents using CHM infection chains.
  2. GachiLoader distributors adopting "AI Agent Skill" lures (OpenClaw) to socially engineer victims into executing the Rhadamanthys infostealer.
  3. TeamPCP executing a supply chain attack compromising security tools (Trivy, KICS, LiteLLM) to deliver CanisterWorm via CVE-2025-55182.

Threat Actor / Malware Profile

Telegram RAT (Rebex-based)

  • Distribution: Trojanized CV documents delivered as CHM (Compiled HTML) files.
  • Payload Behavior: Multi-stage execution starting with Python interpreters, deploying C++ DLLs. Uses layered XOR encryption.
  • Persistence & C2: Establishes persistence via Shell hijacking and scheduled tasks. Utilizes the Telegram API for C2 communications, blending in with legitimate traffic.
  • Anti-Analysis: Employs XOR encryption on payloads and shell hijacking to evade standard process monitoring.

GachiLoader / Rhadamanthys

  • Distribution: Fake GitHub infrastructure hosting malicious AI agent skills (specifically OpenClaw). Pure social engineering; the skill files themselves are often benign text/metadata enticing users to download a "required" Windows binary.
  • Payload Behavior: Uses Node.js SEA (Single Executable Application) or Electron droppers. Delivers Rhadamanthys, an infostealer capable of targeting browser data, crypto wallets, and 2FA sessions.
  • C2 Communication: Utilizes blockchain-based infrastructure to obfuscate C2 traffic.

TeamPCP / CanisterWorm

  • Distribution: Supply chain compromise of popular open-source security tools (Trivy, KICS) and AI gateways (LiteLLM). Exploits CVE-2025-55182.
  • Payload Behavior: Deploys CanisterWorm, a wiper malware designed to destroy data and infrastructure.
  • Targeting: Specifically aimed at organizations relying on automated security scanning and AI integration pipelines.

IOC Analysis

The indicators provided cover file hashes, CVE identifiers, and hostnames.

  • File Hashes: A mix of MD5, SHA1, and SHA256 hashes corresponding to CHM droppers, Python loaders, Node.js SEA binaries, and compromised tooling executables. These should be blocked at the endpoint (EDR) and perimeter (Email/Web Gateways).
  • CVE (CVE-2025-55182): Critical for vulnerability management teams to prioritize patching in environments using Trivy, KICS, or LiteLLM.
  • Hostnames: Includes *.trycloudflare.com and *.raw.icp0.io endpoints. These suggest the use of Cloudflare Tunnels and Dfinity's Internet Computer infrastructure to obfuscate C2 servers, making IP-based blocking ineffective. SOC teams must prioritize DNS-based blocking and SSL inspection.

Detection Engineering

YAML
---
title: Suspicious CHM File Execution with Python Loader
id: 4a8b9c2d-1e3f-4a5b-8c6d-7e8f9a0b1c2d
description: Detects execution of Compiled HTML Help files (.chm) spawning Python processes, indicative of the Rebex-based Telegram RAT campaign targeting Vietnam.
status: experimental
date: 2026/05/03
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6649f8c0d9b7e5d1c8a2e8f0
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\hh.exe'
        Image|endswith: '\python.exe'
    condition: selection
falsepositives:
    - Legitimate documentation use cases (rare)
level: high
---
title: GachiLoader AI Skill Lure Execution
id: 5b9c0d3e-2f4a-5b6c-9d7e-0f1a2b3c4d5e
description: Detects execution of unsigned binaries from directories related to AI skills or OpenClaw, characteristic of the GachiLoader social engineering campaign.
status: experimental
date: 2026/05/03
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6650a1d1e0c8f6d2a9b3f9c1
tags:
    - attack.initial_access
    - attack.t1204
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith:
            - '.exe'
            - '.bat'
            - '.cmd'
    selection_path:
        CommandLine|contains:
            - 'OpenClaw'
            - 'AI-Skills'
            - 'agent-skill'
    filter_signed:
        Signed: 'true'
    condition: selection_img and selection_path and not filter_signed
falsepositives:
    - Legitimate development of AI tools
level: medium
---
title: TeamPCP Supply Chain C2 Connection
id: 6c0d1e4f-3a5b-6c7d-0e1f-2b3c4d5e6f7a
description: Detects network connections to known TeamPCP/CanisterWorm C2 infrastructure associated with the supply chain attack on Trivy and LiteLLM.
status: experimental
date: 2026/05/03
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/6651b2e2f1d9g7e3b0c4a0d2
tags:
    - attack.command_and_control
    - attack.c2
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Initiated: 'true'
        DestinationHostname|contains:
            - 'trycloudflare.com'
            - 'raw.icp0.io'
    filter_legit_cloudflare:
        DestinationHostname|endswith: 'customers.trycloudflare.com' # Often legit user traffic
    condition: selection and not filter_legit_cloudflare
falsepositives:
    - Legitimate use of Cloudflare tunnels by developers
level: critical


kql
// Hunt for Telegram RAT and GachiLoader Indicators
// Look for suspicious process chains
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (ProcessVersionInfoProductName contains "Python" and InitiatingProcessFileName == "hh.exe") or
       (InitiatingProcessFileName has "node.exe" and FileName has ".exe") or
       (FolderPath contains "OpenClaw")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, SHA256
// Join with Network events for C2 activity
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemoteUrl contains "trycloudflare.com" or RemoteUrl contains "icp0.io"
    | project Timestamp, DeviceName, RemoteUrl, RemoteIP
) on DeviceName, Timestamp


powershell
# IOC Hunt Script: Telegram RAT, GachiLoader, TeamPCP
# Checks for file presence, scheduled tasks, and registry persistence

Write-Host "[*] Starting hunt for 2026-05-03 OTX Pulse Indicators..."

# 1. Check for specific File Hashes (Sample set)
$targetHashes = @(
    "ced7fe9c5ec508216e6dd9a59d2d5193a58bdbac5f41a38ea97dd5c7fceef7a5",
    "076ba40e7fbf2910dff87f0c25862a70001d8ad81d23d8beae9fb9b29b603829",
    "18a24f83e807479438dcab7a1804c51a00dafc1d526698a66e0640d1e5dd671a"
)

Write-Host "[+] Scanning C: drive for malicious file hashes..."
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | 
    Where-Object { $_.Length -gt 0kb } | 
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($targetHashes -contains $hash) {
            Write-Host "!!! MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
        }
    }

# 2. Check for Suspicious Scheduled Tasks (Persistence)
Write-Host "[+] Checking Scheduled Tasks for persistence mechanisms..."
Get-ScheduledTask | Where-Object { 
    $_.Actions.Execute -like "*python*" -or 
    $_.Actions.Execute -like "*cmd*" -and $_.TaskName -notmatch "Microsoft|Windows" 
} | Select-Object TaskName, TaskPath, Actions | Format-List

# 3. Check Registry for Shell Hijacking / OpenClaw keys
$paths = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Environment"  # Often used for persistence
)

Write-Host "[+] Scanning Registry for persistence..."
foreach ($path in $paths) {
    if (Test-Path $path) {
        Get-ItemProperty -Path $path -ErrorAction SilentlyContinue | 
            Where-Object { $_.PSObject.Properties.Name -notmatch "PSPath|PSParentPath|PSChildName" } |
            ForEach-Object {
                $value = $_.($_.PSObject.Properties.Name -match "^(?!PS)")[0]
                if ($value -match "python|OpenClaw|telegram|node") {
                    Write-Host "Suspicious Registry Value in $path :" $_.PSObject.Properties.Name -ForegroundColor Yellow
                }
            }
    }
}

Write-Host "[*] Hunt complete."

Response Priorities

Immediate

  • Block IOCs: Immediately block the listed file hashes and hostnames (*.trycloudflare.com, *.raw.icp0.io) at the proxy and firewall level.
  • Hunt Execution Artifacts: Scan endpoints for the presence of hh.exe spawning python.exe or unsigned binaries in paths referencing "AI Skills".
  • Patch CVE-2025-55182: Identify and patch vulnerable instances of Trivy, KICS, and LiteLLM immediately.

24 Hours

  • Credential Audit: If GachiLoader/Rhadamanthys is suspected, enforce password resets and session revocation for users who may have interacted with the AI skill lures.
  • Supply Chain Verification: Validate the integrity of downloaded packages for Trivy, KICS, and LiteLLM in your internal repositories.

1 Week

  • Architecture Hardening: Implement strict Allowlisting for Python interpreters and CHM file execution. Enforce code signing policies for internal tools.
  • User Awareness: Update security awareness training to include "AI Agent Skill" phishing and the dangers of CHM files in emails.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-malwaretelegram-ratgachiloaderteampcpcanisterwormsupply-chain-attack

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action