
Rebex Telegram RAT, GachiLoader & TeamPCP Supply Chain: OTX Pulse Analysis — Enterprise Detection Pack

Security Arsenal Team
May 1, 2026

Current OTX Pulse data highlights a diverse set of high-impact threats ranging from targeted espionage and financial theft to destructive supply chain attacks. The reporting period (late April to early May 2026) reveals three distinct campaigns:

  1. Rebex-based Telegram RAT: A targeted operation against Vietnamese entities using trojanized CHM files (fake CVs) to deploy a sophisticated multi-stage payload leveraging Python and C++ DLLs. The malware abuses the Telegram API for C2 communications.
  2. GachiLoader AI Skill Lure: A social engineering campaign abusing the "AI Agent" hype. Threat actors are distributing GachiLoader, which drops the Rhadamanthys infostealer, via fake OpenClaw skill packages on fraudulent GitHub infrastructure.
  3. TeamPCP Supply Chain Attack: A supply chain attack on trusted open-source security tooling. The group TeamPCP compromised the Trivy and KICS vulnerability scanners and the LiteLLM gateway to deliver the CanisterWorm wiper, so the victim's own security pipeline becomes the delivery vehicle.

Collectively, these pulses indicate a trend toward abusing trusted utilities (security scanners, legitimate documentation formats, AI platforms) to bypass initial defenses.

Threat Actor / Malware Profile

1. Rebex Telegram RAT

  • Targeting: Vietnam (specifically via trojanized CV documents).
  • Distribution: CHM (Compiled HTML Help) files acting as droppers.
  • Payload Behavior: Multi-stage execution: the CHM launches a Python loader, which in turn loads C++ DLLs. The stages are wrapped in layered XOR encryption.
  • C2 Communication: Abuses the legitimate Telegram API over HTTPS, so the C2 traffic looks like any other connection to api.telegram.org. Destination-based blocking only works where Telegram is not business-approved, and TLS makes content inspection impractical without interception; hunt on which processes and hosts talk to the API instead.
  • Persistence: "Shell hijacking" and scheduled tasks.
  • Anti-Analysis: Layered XOR encryption of the payload stages to defeat static analysis and signature matching.
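Because the C2 channel is ordinary HTTPS to Telegram, the practical hunt is to find which hosts are using the Telegram Bot API at all. The following Python is an added example (not from the OTX pulse or the Security Arsenal pack): it runs over constructed web-proxy log lines, picks out Bot API requests by their URL shape (`/bot<id>:<secret>/<method>` on api.telegram.org), separates command polling (getUpdates) from uploads (sendDocument and similar), and ignores hosts on an assumed approved list. The log format, host names and approved-host list are assumptions for the example; the token-length check is a heuristic.

```python
"""Added example (not from the OTX pulse or Security Arsenal): hunt proxy logs
for Telegram Bot API use, the channel Telegram-backed RATs use to poll for
commands and push stolen data. Log format and approved hosts are assumptions."""

import re
from collections import defaultdict
from urllib.parse import urlparse

# Bot API URLs look like https://api.telegram.org/bot<id>:<secret>/<method>.
# The 35-character secret length is a heuristic, not a guarantee.
BOT_API_RE = re.compile(r"^/bot(\d{8,10}):([A-Za-z0-9_-]{35})/([A-Za-z]+)")

TASKING_METHODS = {"getUpdates", "getMe"}                        # beaconing for commands
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendMessage", "sendVideo"}  # pushing data out

# Constructed proxy log: timestamp host user method url status bytes
PROXY_LOG = """
2026-04-29T08:12:03Z ws-vn-014 alice GET https://api.telegram.org/bot7123456789:AAFmV0s1H9ocK2pQ8yB3ZtLrXw7Jd4uNc1E/getUpdates?offset=12 200 412
2026-04-29T08:12:41Z ws-vn-014 alice POST https://api.telegram.org/bot7123456789:AAFmV0s1H9ocK2pQ8yB3ZtLrXw7Jd4uNc1E/sendDocument 200 98311
2026-04-29T08:13:07Z mkt-bot-01 svc_mkt GET https://api.telegram.org/bot5550001111:BBGqT4eLw2nRz8vYk1HsMa6pCd0XfJ9uWoE/getUpdates 200 388
2026-04-29T08:14:20Z ws-fin-002 carol GET https://web.telegram.org/k/ 200 15022
2026-04-29T08:15:55Z ws-eng-007 dave GET https://github.com/aquasecurity/trivy/releases 200 77012
""".strip().splitlines()

APPROVED_TELEGRAM_HOSTS = {"mkt-bot-01"}   # assumption: hosts with a business need for a Telegram bot


def parse_line(line: str) -> dict:
    ts, host, user, method, url, status, size = line.split()
    return {"ts": ts, "host": host, "user": user, "method": method,
            "url": url, "status": int(status), "bytes": int(size)}


def classify(api_method: str) -> str:
    if api_method in TASKING_METHODS:
        return "tasking"
    if api_method in EXFIL_METHODS:
        return "exfiltration"
    return "other"


def hunt(lines, approved_hosts):
    """One finding per Bot API request from a host not approved to run a Telegram bot."""
    findings = []
    for rec in map(parse_line, lines):
        u = urlparse(rec["url"])
        if u.hostname != "api.telegram.org":
            continue                     # web.telegram.org is user chat, not bot C2
        m = BOT_API_RE.match(u.path)
        if not m or rec["host"] in approved_hosts:
            continue
        bot_id, secret, api_method = m.groups()
        findings.append({
            "ts": rec["ts"], "host": rec["host"], "user": rec["user"],
            "bot_id": bot_id,
            "token_prefix": secret[:4],   # enough to pivot on; never copy the full token into a ticket
            "api_method": api_method,
            "activity": classify(api_method),
            "bytes": rec["bytes"],
        })
    return findings


def bots_by_host(findings):
    """Map bot id -> hosts talking to it; one bot across many hosts means one operator, many victims."""
    out = defaultdict(set)
    for f in findings:
        out[f["bot_id"]].add(f["host"])
    return {bot: sorted(hosts) for bot, hosts in out.items()}


if __name__ == "__main__":
    hits = hunt(PROXY_LOG, APPROVED_TELEGRAM_HOSTS)
    for h in hits:
        print(f'{h["ts"]} {h["host"]} {h["user"]} bot={h["bot_id"]} {h["api_method"]} ({h["activity"]}, {h["bytes"]} bytes)')
    print(bots_by_host(hits))
```

On the constructed log the approved marketing bot is skipped, the user's web.telegram.org session is ignored, and ws-vn-014 surfaces twice: a getUpdates poll followed by a large sendDocument upload, which is the pattern to escalate. Grouping by bot id across hosts turns a single alert into the victim list for that operator.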

2. GachiLoader / Rhadamanthys

  • Targeting: Global, users interested in AI tools/agents.
  • Distribution: Fake GitHub repositories hosting "OpenClaw" AI agent skills.
  • Payload Behavior: Pure social engineering; the "skill" itself is benign text that instructs the user to download and run a Windows binary. That binary is GachiLoader, which delivers the Rhadamanthys infostealer.
  • C2 Communication: Blockchain-based C2 and standard HTTP/HTTPS.
  • Execution: Fileless injection techniques, so little lands on disk beyond the initial download; hash-based scanning must be paired with process and memory telemetry. No persistence mechanism is described in the pulse.

3. TeamPCP / CanisterWorm

  • Actor: TeamPCP.
  • Targeting: Organizations using Trivy, KICS, LiteLLM, or the Telnyx Python SDK, including the CI/CD pipelines that run these tools automatically.
  • Distribution: Software supply chain compromise (malicious packages and updates of the tools above).
  • Payload Behavior: CanisterWorm, a wiper.
  • Persistence: Supply chain injection ensures execution whenever the compromised software is updated or run; no foothold on the victim host is needed.
  • References: CVE-2025-55182.

IOC Analysis

The provided indicators consist primarily of file hashes (SHA256, MD5, SHA1), a CVE, and hostnames.

  • File Hashes: A large volume of SHA256 hashes is provided for the GachiLoader and TeamPCP campaigns, covering the loader, worm and wiper binaries. Block them via EDR custom indicators, but treat hashes as short-lived: any rebuild of the payload changes them, so the behavioural rules below carry more weight than the list.
  • Hostnames: TeamPCP infrastructure includes trycloudflare.com and icp0.io subdomains. Block the listed hostnames and alert on outbound connection attempts. Both parent domains also carry legitimate traffic (Cloudflare quick tunnels and Internet Computer canisters), so blocking them wholesale is a policy decision rather than an IOC match.
  • CVE: CVE-2025-55182 is referenced in the TeamPCP campaign. Vulnerability management teams should prioritize this flaw.
  • Operationalization:
    • SIEM: Ingest the hashes and correlate on DeviceProcessEvents and DeviceFileEvents where SHA256 matches the lists; file events catch droppers that are written to disk but never launched.
    • EDR: Isolate endpoints that execute or write a matching file.
    • Network: Firewall/SWG blocks for the listed hostnames, with logging enabled so blocked attempts still surface as alerts.

Detection Engineering

Sigma Rules

```yaml
title: Potential Rebex Telegram RAT Execution via CHM
id: 8f4e2a1b-3c4d-4e5f-8a9b-0c1d2e3f4a5b
description: Detects the HTML Help viewer (hh.exe) spawning a Python interpreter, consistent with the CHM dropper used by the Rebex-based Telegram RAT campaign targeting Vietnam.
status: experimental
date: 2026/05/01
author: Security Arsenal
references:
    - https://dmpdump.github.io/posts/TelegramRat/
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\hh.exe'
        Image|endswith:
            - '\python.exe'
            - '\pythonw.exe'
    condition: selection
falsepositives:
    - CHM-based documentation that legitimately launches Python scripts (rare; baseline before enabling)
level: high
---
title: TeamPCP Supply Chain Attack - Suspicious Child Processes
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects security tools (Trivy, KICS, LiteLLM) spawning shells, script hosts or rundll32, behaviour associated with the TeamPCP compromise of these tools.
status: experimental
date: 2026/05/01
author: Security Arsenal
references:
    - https://unit42.paloaltonetworks.com/teampcp-supply-chain-attacks/
tags:
    - attack.initial_access
    - attack.t1195.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|contains:
            - '\trivy'
            - '\kics'
            - '\litellm'
    selection_suspicious:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\cmd.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\rundll32.exe'
    condition: all of selection_*
falsepositives:
    - Wrapper scripts or CI steps that invoke these tools through a shell; tune on ParentCommandLine
level: critical
---
title: GachiLoader AI Skill Lure Execution
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
description: Detects executables (including Node.js SEA payloads) launched from user download or temp directories with the fake AI-skill lure keywords on the command line, following GachiLoader distribution via fake OpenClaw skills.
status: experimental
date: 2026/05/01
author: Security Arsenal
references:
    - https://www.threatdown.com/blog/gachiloader-adopts-ai-skill-lure/
tags:
    - attack.execution
    - attack.t1204.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_path:
        Image|contains:
            - '\Downloads\'
            - '\AppData\Local\Temp\'
        Image|endswith: '.exe'
    selection_lure:
        CommandLine|contains:
            - 'openclaw'
            - 'ai-skill'
    condition: all of selection_*
falsepositives:
    - Legitimate AI development tools installed from user directories
level: medium
```

Two notes on deployment. The child-process rule matches on full executable names rather than substrings such as `cmd`, which would otherwise fire on any path containing that string (for example Git's `cmd\git.exe`). Trivy, KICS and LiteLLM mostly run on Linux CI runners and in containers, so pair the Windows rule with a Linux counterpart (`product: linux`, forward-slash paths, child images such as `/bin/sh`, `bash`, `curl`, `wget` and `python`) or the coverage gap sits exactly where the tools actually execute. In the lure rule, `.bat` and `.cmd` droppers never appear in `Image` (they run under `cmd.exe`), so those cases are covered by the `CommandLine` selection instead.
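To check that the three rules fire where intended and stay quiet on look-alike noise before shipping them, here is an added example in Python (not part of the OTX pulses or the Security Arsenal pack) that re-implements the parent/child and path conditions of the rules as plain predicates and runs them over constructed Windows process-creation events. The events, paths and command lines are assumptions built for the example; the comparison is case-insensitive, as Sigma string modifiers are on Windows backends.

```python
"""Added example (not part of the OTX pulses or the Security Arsenal pack):
re-implements the process-creation logic of the three Sigma rules above as
predicates and runs them over constructed Windows process events."""

from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def _endswith_any(value: str, suffixes) -> bool:
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value: str, needles) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)


def rule_rebex_chm(ev: ProcEvent) -> bool:
    """hh.exe (HTML Help viewer) spawning a Python interpreter."""
    return (_endswith_any(ev.parent_image, ["\\hh.exe"])
            and _endswith_any(ev.image, ["\\python.exe", "\\pythonw.exe"]))


def rule_teampcp_child(ev: ProcEvent) -> bool:
    """Trivy/KICS/LiteLLM spawning a shell, script host or rundll32.
    Keying on the full executable name avoids hits on paths that merely
    contain 'cmd', such as Git's cmd\\git.exe."""
    return (_contains_any(ev.parent_image, ["\\trivy", "\\kics", "\\litellm"])
            and _endswith_any(ev.image, ["\\powershell.exe", "\\pwsh.exe", "\\cmd.exe",
                                         "\\wscript.exe", "\\cscript.exe", "\\rundll32.exe"]))


def rule_gachiloader_lure(ev: ProcEvent) -> bool:
    """Executable run from Downloads/Temp with the AI-skill lure keywords."""
    return (_contains_any(ev.image, ["\\downloads\\", "\\appdata\\local\\temp\\"])
            and _endswith_any(ev.image, [".exe"])
            and _contains_any(ev.command_line, ["openclaw", "ai-skill"]))


RULES = {
    "rebex_chm_python": rule_rebex_chm,
    "teampcp_child_process": rule_teampcp_child,
    "gachiloader_lure": rule_gachiloader_lure,
}

# Constructed sample events: one true positive per rule plus benign noise.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\hh.exe",
              r"C:\Users\alice\AppData\Local\Programs\Python\Python311\python.exe",
              r'python.exe "C:\Users\alice\AppData\Local\Temp\cv_loader.py"'),
    ProcEvent(r"C:\tools\trivy\trivy.exe",
              r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\ProgramData\update.bat"'),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\bob\Downloads\openclaw-skill-installer.exe",
              r'"C:\Users\bob\Downloads\openclaw-skill-installer.exe" --install ai-skill'),
    # Benign: trivy invoking git; the path contains 'cmd' but the image is git.exe,
    # so the TeamPCP rule must stay quiet.
    ProcEvent(r"C:\tools\trivy\trivy.exe",
              r"C:\Program Files\Git\cmd\git.exe",
              r"git.exe rev-parse HEAD"),
    # Benign: a developer running Python from an ordinary shell.
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Python311\python.exe",
              r"python.exe build.py"),
]


def evaluate(events):
    """Return {rule_name: [indices of matching events]} for the rules that fired."""
    hits = {}
    for name, rule in RULES.items():
        matched = [i for i, ev in enumerate(events) if rule(ev)]
        if matched:
            hits[name] = matched
    return hits


if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE_EVENTS).items():
        print(f"{name}: events {idx}")
```

Each rule fires exactly once on the constructed set, and the `trivy.exe -> git.exe` event shows the difference between matching the executable name and matching a substring: a `contains 'cmd'` condition would have flagged it.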

KQL (Microsoft Sentinel)

```kusto
// Hunt for TeamPCP hostnames, the campaign file hashes, and the Rebex RAT parent/child pattern
let IOCHostnames = dynamic(["plug-tab-protective-relay.trycloudflare.com", "tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io"]);
let IOCHashes = dynamic([
    "ced7fe9c5ec508216e6dd9a59d2d5193a58bdbac5f41a38ea97dd5c7fceef7a5",
    "1323278360d41a74ab09d310f08902087ff2798d1eda99be65d07c1b1123a25c",
    "67b51a73c72f39b9cf41dd35eb22b369713ab2e576641b40b9089ebc9d4a1fb2",
    "076ba40e7fbf2910dff87f0c25862a70001d8ad81d23d8beae9fb9b29b603829",
    "18a24f83e807479438dcab7a1804c51a00dafc1d526698a66e0640d1e5dd671a",
    "0c0d206d5e68c0cf64d57ffa8bc5b1dad54f2dda52f24e96e02e237498cb9c3a"]);
// Outbound connections to the listed hostnames (if RemoteUrl is sparse in your tenant, also check DnsEvents / proxy logs)
DeviceNetworkEvents
| where RemoteUrl in~ (IOCHostnames)
| extend Detection = "TeamPCP hostname"
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteUrl, RemoteIP, Detection
| union (
    // Known-bad binaries launched
    DeviceProcessEvents
    | where SHA256 in~ (IOCHashes)
    | extend Detection = "Campaign file hash (process)"
    | project Timestamp, DeviceName, AccountName, FolderPath, ProcessCommandLine, SHA256, Detection
)
| union (
    // Known-bad files written to disk; catches droppers that never executed
    DeviceFileEvents
    | where SHA256 in~ (IOCHashes)
    | extend Detection = "Campaign file hash (file)"
    | project Timestamp, DeviceName, InitiatingProcessAccountName, FolderPath, FileName, SHA256, Detection
)
| union (
    // Rebex RAT: hh.exe spawning a Python interpreter
    DeviceProcessEvents
    | where InitiatingProcessFileName =~ "hh.exe" and FileName in~ ("python.exe", "pythonw.exe")
    | extend Detection = "Rebex RAT CHM -> Python"
    | project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, Detection
)
| order by Timestamp desc
```

PowerShell Hunt Script

```powershell
<#
.SYNOPSIS
    IOC Hunter for Rebex RAT, GachiLoader, and TeamPCP Campaigns
.DESCRIPTION
    Scans the filesystem for the SHA256 hashes associated with the May 2026 OTX Pulses.
    Hashing every file on C:\ takes hours; scope the scan to user-writable and tool
    directories first and widen only if needed. Results are emitted as objects so they
    can be piped to Export-Csv or a SIEM forwarder.
.EXAMPLE
    .\Hunt-IOC.ps1 -Paths 'C:\Users','C:\tools' | Export-Csv ioc-hits.csv -NoTypeInformation
#>
[CmdletBinding()]
param(
    [string[]]$Paths = @("$env:SystemDrive\Users", "$env:ProgramData", "$env:TEMP"),
    [long]$MaxSizeBytes = 200MB   # skip very large files; the campaign binaries are small
)

# Get-FileHash returns upper-case hex, so normalise the list once
$TargetHashes = @(
    "ced7fe9c5ec508216e6dd9a59d2d5193a58bdbac5f41a38ea97dd5c7fceef7a5",
    "1323278360d41a74ab09d310f08902087ff2798d1eda99be65d07c1b1123a25c",
    "67b51a73c72f39b9cf41dd35eb22b369713ab2e576641b40b9089ebc9d4a1fb2",
    "076ba40e7fbf2910dff87f0c25862a70001d8ad81d23d8beae9fb9b29b603829",
    "18a24f83e807479438dcab7a1804c51a00dafc1d526698a66e0640d1e5dd671a",
    "0c0d206d5e68c0cf64d57ffa8bc5b1dad54f2dda52f24e96e02e237498cb9c3a"
) | ForEach-Object { $_.ToUpperInvariant() }

Write-Host "Starting IOC Scan of: $($Paths -join ', ')" -ForegroundColor Cyan

$results = foreach ($root in $Paths) {
    Get-ChildItem -Path $root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le $MaxSizeBytes } |
        ForEach-Object {
            $file = $_
            # Locked or unreadable files return $null and are skipped
            $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            if ($hash -and ($TargetHashes -contains $hash)) {
                Write-Host "[MATCH] Malicious file found: $($file.FullName)" -ForegroundColor Red
                [PSCustomObject]@{
                    Path          = $file.FullName
                    SHA256        = $hash
                    SizeBytes     = $file.Length
                    LastWriteUtc  = $file.LastWriteTimeUtc
                }
            }
        }
}

$results
Write-Host "Scan Complete. $(@($results).Count) match(es)." -ForegroundColor Cyan
```


Response Priorities

  • Immediate:
    • Block all file hashes listed in the IOC Analysis section on endpoints via EDR custom indicators. Hash blocks are a stopgap: a rebuilt binary evades them, so pair them with the behavioural rules above.
    • Block the listed trycloudflare.com and icp0.io hostnames at the firewall/SWG. Block the parent domains outright only if the business has no use for Cloudflare quick tunnels or Internet Computer canisters.
    • Scan for CVE-2025-55182 exposure and apply patches or mitigations immediately.
  • 24 Hours:
    • Audit credentials on systems where Rhadamanthys (via GachiLoader) or the Telegram RAT may have executed. Assume browser-stored credentials are stolen; reset them and revoke active sessions.
    • Review process logs for hh.exe spawning python.exe (Rebex RAT indicator).
  • 1 Week:
    • Software Supply Chain Audit: Verify the integrity of every deployment of Trivy, KICS, LiteLLM and the Telnyx Python SDK, including CI runners and container images that bundle them. Compare binaries and packages against vendor checksums, pin versions and artifact hashes in lockfiles, and re-deploy known-good versions from trusted sources.
    • Architecture Hardening: Implement application allowlisting (AppLocker/WDAC) so unsigned binaries cannot run from Downloads, Temp and other user-writable directories; this stops GachiLoader-style social engineering at the point of execution.
    • Network Segmentation: Restrict access to api.telegram.org to approved endpoints if Telegram is not business-required. The RAT's C2 is legitimate HTTPS to Telegram, so controlling the destination is the practical lever.
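The supply chain audit above has two concrete checks worth automating: that the affected Python packages are pinned by version and artifact hash (and not to a blocklisted artifact), and that downloaded tool archives match the vendor's published checksums. The following Python is an added example (not from the pulses or the Security Arsenal pack) implementing both on constructed inputs: a pip requirements file in `--hash` format, a constructed blocklist hash standing in for an entry from the pulse's SHA256 list, and in-memory archive bytes with a sha256sum-style listing. Package versions, file names and the tampered archive are assumptions for the example.

```python
"""Added example (not from the pulses or Security Arsenal): two supply chain
audit checks on constructed inputs.
  audit_requirements(): flags watched packages (litellm, telnyx) that are
      version-unpinned, hash-unpinned, or pinned to a blocklisted SHA256.
  verify_checksums():   checks downloaded tool archives against a vendor-style
      sha256sum listing."""

import hashlib
import re

WATCHED = {"litellm", "telnyx"}          # packages named in the TeamPCP pulse
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|~=|>=|<=|!=|>|<)?\s*([^\s;\\]*)")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")

# Constructed: stands in for a SHA256 taken from the pulse's IOC list.
BAD_SHA256 = "c0ffee" + "0" * 58
BLOCKLISTED_SHA256 = {BAD_SHA256}

# Constructed requirements file in pip's --hash format (versions are placeholders).
REQUIREMENTS = f"""
requests==2.32.3 \\
    --hash=sha256:{'1' * 64}
litellm==1.99.0 \\
    --hash=sha256:{BAD_SHA256}
telnyx>=2.0
"""


def _logical_lines(text):
    """Join pip-style backslash continuations into single requirement lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf.strip()


def audit_requirements(text, watched=WATCHED, blocklist=BLOCKLISTED_SHA256):
    """Return [(package, issue)] for watched packages only."""
    findings = []
    blocked = {b.lower() for b in blocklist}
    for line in _logical_lines(text):
        m = REQ_RE.match(line)
        if not m:
            continue
        name, op = m.group(1).lower().replace("_", "-"), m.group(2)
        if name not in watched:
            continue
        hashes = {h.lower() for h in HASH_RE.findall(line)}
        if op != "==":
            findings.append((name, "version not pinned with =="))
        if not hashes:
            findings.append((name, "no --hash pin; pip will accept any artifact"))
        for h in sorted(hashes & blocked):
            findings.append((name, f"pinned to blocklisted artifact sha256:{h[:12]}..."))
    return findings


def verify_checksums(checksum_text, artifacts):
    """Compare artifacts {filename: bytes} against a sha256sum-style listing.
    Returns {filename: 'ok' | 'MISMATCH' | 'not in checksum file'}."""
    expected = {}
    for line in checksum_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 64:
            expected[parts[1].lstrip("*")] = parts[0].lower()
    result = {}
    for name, blob in artifacts.items():
        if name not in expected:
            result[name] = "not in checksum file"
            continue
        actual = hashlib.sha256(blob).hexdigest()
        result[name] = "ok" if actual == expected[name] else "MISMATCH"
    return result


# Constructed artifacts: the KICS archive was modified after the checksum file was published.
GOOD_TRIVY = b"constructed trivy archive bytes"
GOOD_KICS = b"constructed kics archive bytes"
CHECKSUMS = (f"{hashlib.sha256(GOOD_TRIVY).hexdigest()}  trivy.tar.gz\n"
             f"{hashlib.sha256(GOOD_KICS).hexdigest()}  kics.tar.gz\n")
DOWNLOADED = {"trivy.tar.gz": GOOD_TRIVY, "kics.tar.gz": GOOD_KICS + b"\x00injected"}

if __name__ == "__main__":
    for pkg, issue in audit_requirements(REQUIREMENTS):
        print(f"[requirements] {pkg}: {issue}")
    for fname, status in verify_checksums(CHECKSUMS, DOWNLOADED).items():
        print(f"[checksum] {fname}: {status}")
```

On the constructed inputs, `requests` is ignored (not a watched package), `telnyx` is flagged twice (no `==` pin and no hash pin, so any artifact would be accepted), `litellm` is flagged for being pinned to the blocklisted hash, and the tampered KICS archive shows as a mismatch while Trivy verifies. In a real audit, load the SHA256 list from the pulse as the blocklist and the vendor's release checksum file as `CHECKSUMS`; a checksum file fetched from the same compromised channel as the binary proves nothing, so obtain it out of band.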
