Pulse name: Rebex-based Telegram RAT Targeting Vietnam
WHITE AlienVault 2026-04-29 Modified: 2026-04-29
15 IOCs
MEDIUM VOLUME
A sophisticated CHM-based malware campaign has been identified targeting Vietnamese victims through a trojanized CV document. The infection chain uses a compiled HTML file that deploys a multi-stage payload delivery mechanism involving Python interpreters, C++ DLLs, and layered XOR encryption. The malware establishes persistence through Shell hijacking and scheduled tasks, ultimately delivering a weaponized version of Rebex.Common.dll that functions as a Telegram-based remote access trojan. The RAT communicates via the Telegram bot API and supports commands for file download, token swapping, and arbitrary command execution. The infection shows characteristics typical of targeted state-sponsored activity rather than opportunistic cybercrime, employing techniques historically associated with advanced threat actors operating in the Southeast Asian region.
Indicators of Compromise (5 / 15 total)