Threat Summary
Recent OTX pulses indicate a surge in diverse, sophisticated malware campaigns utilizing distinct delivery mechanisms. An unidentified threat actor is targeting Vietnamese entities with a novel Rebex-based Telegram RAT delivered via trojanized CHM files, employing Python loaders and shell hijacking for persistence. Concurrently, threat actors are exploiting the AI hype cycle, using fake "OpenClaw" agent skills to distribute GachiLoader, which drops the Rhadamanthys infostealer via Node.js SEA packaging. Separately, the Silver Fox (Void Arachne) group is aggressively targeting Japanese manufacturing firms during tax season with ValleyRAT, delivered through spearphishing campaigns focused on financial and HR compliance.
Threat Actor / Malware Profile
1. Rebex-based Telegram RAT (Targeting Vietnam)
- Distribution: Trojanized CV documents packaged as Compiled HTML (.CHM) files.
- Payload Behavior: Multi-stage payload involving a Python interpreter and C++ DLLs. Uses the legitimate Rebex library for network operations.
- C2 Communication: Communicates via the Telegram API, leveraging the platform's infrastructure to blend in with legitimate traffic.
- Persistence: Utilizes "shell hijacking" (modifying User Shell Folders registry keys) and Scheduled Tasks to maintain access.
- Anti-Analysis: Employs layered XOR encryption to obfuscate payloads and evade static detection.
2. GachiLoader & Rhadamanthys (AI Lure Campaign)
- Distribution: Social engineering via fake GitHub repositories hosting "OpenClaw" AI agent skills. Users are tricked into downloading malicious Windows binaries.
- Payload Behavior: GachiLoader serves as a dropper, executing Rhadamanthys infostealer. Uses Node.js SEA (Single Executable Application) and Electron droppers to hide malicious code within seemingly legitimate application frameworks.
- C2 Communication: Uses Blockchain C2 infrastructure, a sophisticated technique leveraging decentralized networks for command and control.
- Persistence: Fileless injection techniques to minimize disk artifacts.
3. Silver Fox / Void Arachne (ValleyRAT)
- Distribution: Spearphishing emails with tax season, HR, and salary adjustment lures targeting Japanese firms.
- Payload Behavior: ValleyRAT provides full Remote Access Trojan capabilities, including screen capture, remote shell, and file management.
- C2 Communication: Standard HTTP/HTTPS C2 channels, likely using domain generation algorithms (DGAs) or fast-flux hosting noted in previous campaigns.
- Persistence: Registry run keys and service creation.
IOC Analysis
The provided IOCs consist primarily of file hashes (MD5, SHA1, SHA256) associated with the droppers, loaders, and payload binaries.
- Operationalization: SOC teams should ingest these hashes into EDR solutions for immediate blocking/quarantine. Correlate ProcessCreation events against these hashes.
- Tooling: Use tools like VirusTotal for deep analysis, or sigcheck and PowerShell (Get-FileHash) for local scanning.
- Key Indicators: The Telegram RAT campaign produces specific Python interpreter and DLL hashes. The GachiLoader campaign focuses on Node.js/Electron binaries.
Detection Engineering
Sigma Rules
title: Suspicious CHM Execution Spawning Python - Telegram RAT
id: 8a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects a compiled HTML Help file (CHM) spawning a Python interpreter, indicative of the Rebex Telegram RAT campaign targeting Vietnam.
author: Security Arsenal
date: 2026/04/30
references:
    - https://dmpdump.github.io/posts/TelegramRat/
tags:
    - attack.execution
    - attack.t1059.006
    - attack.initial_access
    - attack.t1566.001
    - attack.defense_evasion
    - attack.t1218.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\hh.exe'
        Image|endswith:
            - '\python.exe'
            - '\pythonw.exe'   # windowless interpreter is commonly used to hide the loader
    condition: selection
falsepositives:
    - Legitimate documentation usage (rare)
level: high
---
title: Node.js SEA Spawning Shell - GachiLoader/Rhadamanthys
id: 1b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects Node.js single executable applications spawning cmd or powershell, a technique used by GachiLoader to drop Rhadamanthys.
author: Security Arsenal
date: 2026/04/30
references:
    - https://www.threatdown.com/blog/gachiloader-adopts-ai-skill-lure/
tags:
    - attack.execution
    - attack.t1059.003
    - attack.defense_evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\node.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
    filter:
        # Filter out common dev tools spawning shells
        ParentCommandLine|contains:
            - 'npm'
            - 'yarn'
            - 'vscode'
    condition: selection and not filter
falsepositives:
    - Developer workstations running Node.js build or test scripts
level: high
---
title: Silver Fox ValleyRAT Scheduled Task Persistence
id: 2c3d4e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f
status: experimental
description: Detects creation of scheduled tasks whose command line carries rundll32/regsvr32 execution or a one-time trigger, associated with Silver Fox ValleyRAT campaigns.
author: Security Arsenal
date: 2026/04/30
references:
    - https://www.welivesecurity.com/en/business-security/cunning-predator-how-silver-fox-preys-japanese-firms-tax-season/
tags:
    - attack.persistence
    - attack.t1053.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\schtasks.exe'
    selection_create:
        CommandLine|contains: '/create'
    selection_susp:
        # Require a suspicious token in addition to /create; '/create' alone fires on every task installation
        CommandLine|contains:
            - 'rundll32'
            - 'regsvr32'
            - '/sc once'   # Silver Fox often uses one-time triggers
    condition: all of selection_*
falsepositives:
    - Administrative software installation
level: medium
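Before deploying the three rules above, it helps to replay their logic over a few constructed process-creation records. The following Python is an added example, not part of the original report: it models Sigma endswith/contains matching, evaluates rule 3 as schtasks /create combined with one of the suspicious tokens (stricter than matching any single token), and includes pythonw.exe in rule 1; the ProcEvent fields and the sample events are assumptions.

```python
# Added example (not from the original report): replays the three Sigma rules above
# over constructed process_creation events to sanity-check selections and filters.
from dataclasses import dataclass

@dataclass
class ProcEvent:                      # constructed, simplified process_creation record
    image: str
    parent_image: str
    command_line: str = ""
    parent_command_line: str = ""

def ends_with_any(value, suffixes):   # Sigma '|endswith' semantics, case-insensitive
    return any(value.lower().endswith(s.lower()) for s in suffixes)

def contains_any(value, needles):     # Sigma '|contains' semantics, case-insensitive
    return any(n.lower() in value.lower() for n in needles)

def chm_spawns_python(e):
    """Rule 1: hh.exe (CHM viewer) spawning a Python interpreter."""
    return (ends_with_any(e.parent_image, ["\\hh.exe"])
            and ends_with_any(e.image, ["\\python.exe", "\\pythonw.exe"]))

def node_sea_spawns_shell(e):
    """Rule 2: node.exe spawning cmd/powershell, minus the developer-tool filter."""
    selection = (ends_with_any(e.parent_image, ["\\node.exe"])
                 and ends_with_any(e.image, ["\\cmd.exe", "\\powershell.exe"]))
    dev_filter = contains_any(e.parent_command_line, ["npm", "yarn", "vscode"])
    return selection and not dev_filter

def schtasks_persistence(e):
    """Rule 3: schtasks /create that also carries rundll32, regsvr32 or a one-time trigger."""
    return (ends_with_any(e.image, ["\\schtasks.exe"])
            and contains_any(e.command_line, ["/create"])
            and contains_any(e.command_line, ["rundll32", "regsvr32", "/sc once"]))

RULES = {"chm_spawns_python": chm_spawns_python,
         "node_sea_spawns_shell": node_sea_spawns_shell,
         "schtasks_persistence": schtasks_persistence}

def evaluate(events):
    """Return {rule_name: [indexes of matching events]} for a batch of events."""
    return {name: [i for i, ev in enumerate(events) if rule(ev)] for name, rule in RULES.items()}

# Constructed telemetry: three true positives, one developer false positive, one benign scheduled task.
SAMPLE = [
    ProcEvent(r"C:\Python312\python.exe", r"C:\Windows\hh.exe", "python.exe loader.py"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Users\u\Downloads\node.exe", "cmd /c echo hi", "node.exe skill.js"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Program Files\nodejs\node.exe", "cmd /c build", "node.exe npm run build"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe", r"C:\Windows\System32\cmd.exe",
              '/create /tn Update /tr "rundll32 C:\\ProgramData\\x.dll,Run" /sc once /st 00:00'),
    ProcEvent(r"C:\Windows\System32\schtasks.exe", r"C:\Windows\explorer.exe", "/create /tn Backup /tr backup.exe /sc daily"),
]
```

Running `evaluate(SAMPLE)` shows only events 0, 1 and 3 firing, which confirms the developer filter suppresses the npm-driven shell and the stricter rule 3 ignores the routine daily task.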
KQL (Microsoft Sentinel)
// Hunt for IOCs across Process and File Events
let IOCs = dynamic([
    "ced7fe9c5ec508216e6dd9a59d2d5193a58bdbac5f41a38ea97dd5c7fceef7a5", "4e9e70c2a8002ce4a70ab43ae80c2a25", // Telegram RAT
    "076ba40e7fbf2910dff87f0c25862a70001d8ad81d23d8beae9fb9b29b603829", "1f24e75c1e6d6777e970f64ebf18e8bf1dd1dcaab692adf4062c8fad6a6df42c", // GachiLoader
    "244a2f4dc256f6d1c3710a2d27656a6bc21ffadca8f3236d63b327ff2f0b33db", "1af5b25acd2df31f44a54fc8dcd85287" // Silver Fox/ValleyRAT
]);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where SHA256 in IOCs or MD5 in IOCs or SHA1 in IOCs
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath, SHA256, InitiatingProcessFileName
| union (
    DeviceFileEvents
    | where Timestamp > ago(7d)
    | where SHA256 in IOCs or MD5 in IOCs or SHA1 in IOCs
    | project Timestamp, DeviceName, AccountName, FileName, FolderPath, SHA256, ActionType
)
PowerShell Hunt Script
# IOC Hunt for Telegram RAT, GachiLoader and Silver Fox Payloads
# Checks for the presence of known-bad file hashes and for User Shell Folders persistence.
$TargetHashes = @(
    "ced7fe9c5ec508216e6dd9a59d2d5193a58bdbac5f41a38ea97dd5c7fceef7a5",
    "1323278360d41a74ab09d310f08902087ff2798d1eda99be65d07c1b1123a25c",
    "67b51a73c72f39b9cf41dd35eb22b369713ab2e576641b40b9089ebc9d4a1fb2",
    "076ba40e7fbf2910dff87f0c25862a70001d8ad81d23d8beae9fb9b29b603829",
    "1753d2f90bd4ac6c0c91e76322ae1d0cc8034842a61dc175c7aba3e1aa944c90",
    "244a2f4dc256f6d1c3710a2d27656a6bc21ffadca8f3236d63b327ff2f0b33db",
    "8c4386cecc89f5f2dee323f2a1e0d9f42a28905be812de14173ca7ee9fc64e72"
)
Write-Host "[+] Scanning for known malicious file hashes (This may take time)..." -ForegroundColor Cyan
# Scan C: drive (adjust as needed); skip empty files and anything over 50 MB to keep hashing fast
Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue -Include *.exe, *.dll, *.chm, *.py, *.bin, *.sea | Where-Object {
    $_.Length -gt 0KB -and $_.Length -lt 50MB
} | ForEach-Object {
    try {
        # -contains compares case-insensitively, so the uppercase hash Get-FileHash returns still matches
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
        if ($TargetHashes -contains $hash) {
            Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName) | SHA256: $hash" -ForegroundColor Red
        }
    } catch {
        # Ignore files that cannot be read (locked or access denied)
    }
}
Write-Host "[+] Checking for Shell Hijacking persistence (User Shell Folders)..." -ForegroundColor Cyan
$ShellFoldersPath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
if (Test-Path $ShellFoldersPath) {
    $key = Get-Item $ShellFoldersPath
    foreach ($name in $key.GetValueNames()) {
        # Keep a reference to the key object: inside a pipeline $_ would be the value name, not the key
        $value = $key.GetValue($name)
        # Folder entries should be directories; an executable or script extension is a hijack indicator
        if ($value -match '\.(cmd|bat|exe|ps1)') {
            Write-Host "[!] Suspicious Shell Folder Entry: Name='$name', Value='$value'" -ForegroundColor Yellow
        }
    }
}
Write-Host "[+] Hunt complete." -ForegroundColor Green
Response Priorities
- Immediate: Block all listed file hashes at the endpoint. Hunt specifically for processes spawned by hh.exe (CHM files) and for node.exe spawning shells. Isolate endpoints where Telegram API connections originate from non-standard clients.
- 24h: Conduct identity verification and credential resets for users in the targeted regions (Vietnam, Japan) or with interests in AI/Blockchain, as Rhadamanthys and ValleyRAT are credential stealers.
- 1 week: Harden email gateways against CHM attachments and AI-themed social engineering lures. Review policies regarding the execution of Node.js and Python interpreters from user directories.