Pulse Detail — Threat Intelligence

PULSE NAME

IOC - Rebex-based Telegram RAT Targeting Vietnam

WHITE celestre 2026-04-29 Modified: 2026-04-29

IOCs

LOW VOLUME

On April 1, 2026, a zip archive named CV - Vu PLPC So2156516.zip was uploaded to VirusTotal from Vietnam. This archive contains a Microsoft Compiled HTML (CHM) file named Word Document - CV - Vu PLPC KT nam 2026.chm. CHM files have historically been used by a plethora of threat actors. In my personal experience, I have seen CHM files trojanized primarily in state-sponsored/targeted activity rather than opportunistic cybercrime. That is only a personal observation, not substantiated by any serious data analysis.

vu plpc word document telegram rat

Indicators of Compromise (6)

All FileHash-MD5 FileHash-SHA1 FileHash-SHA256

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	b3bf26bfbf7aec43379523bd18b1ec16	MD5 of a0d5b30578acd1df9139e7a8a4bfc659dc2cf48f4dc0c5804b70890adeb9fa21	2026-04-29
FileHash-SHA1	687cee4e972323e6991acfa59f608a7d1a6e170b	SHA1 of a0d5b30578acd1df9139e7a8a4bfc659dc2cf48f4dc0c5804b70890adeb9fa21	2026-04-29
FileHash-SHA256	1323278360d41a74ab09d310f08902087ff2798d1eda99be65d07c1b1123a25c	—	2026-04-29
FileHash-SHA256	67b51a73c72f39b9cf41dd35eb22b369713ab2e576641b40b9089ebc9d4a1fb2	—	2026-04-29
FileHash-SHA256	6db64b44305ff125f729713d7ff516e84e4ca38504a2ab0571eb19597f49feee	—	2026-04-29
FileHash-SHA256	a0d5b30578acd1df9139e7a8a4bfc659dc2cf48f4dc0c5804b70890adeb9fa21	—	2026-04-29

References (1)

↗ https://dmpdump.github.io/posts/TelegramRat/