Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
Malware

SetcodeRat

SetcodeRat is a remote access trojan (RAT) and secret-stealing malware reported by QiAnXin in attacks targeting Chinese-speaking users in China. It has been propagated via malvertising since at least October 2025 and is described as Telegram-based, with the ability to communicate either through Telegram or a conventional C2 server for tasking. The malware includes regional gating logic and only proceeds when the victim system language is set to Chinese locales including Zh-CN, Zh-HK, Zh-MO, or Zh-TW; it also terminates if it cannot connect to a Bilibili URL, indicating additional environment validation.

For execution, SetcodeRat uses DLL sideloading: it launches pnm2png.exe to load zlib1.dll, which decrypts qt.conf to run the RAT payload. Reported capabilities include taking screenshots, logging keystrokes, reading and setting folders, starting processes, executing cmd.exe, establishing socket connections, collecting system and network information, and updating itself. Reporting states that hundreds of computers, including government and enterprise systems, were infected within one month. High-confidence artifacts and identifiers mentioned in the source include pnm2png.exe, zlib1.dll, qt.conf, Telegram-based communications, and the Bilibili connectivity check.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
securityaffairsNews
Dec 14, 2025
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 75

SetcodeRat is a Telegram secret stealing trojan, customized for Chinese-speaking regions.

Read more
securityaffairsNews
Dec 14, 2025
Security Affairs newsletter Round 554 by Pierluigi Paganini – INTERNATIONAL EDITION

SetcodeRat is a Trojan targeting Chinese-speaking regions, designed to steal Telegram secrets and potentially other sensitive information.

Read more
the hacker newsNews
Dec 12, 2025
Fake OSINT and GPT Utility GitHub Repos Spread PyStoreRAT Malware Payloads

A RAT targeting Chinese-speaking regions, distributed via malvertising and disguised as legitimate installers. It verifies the victim's region and system language, uses DLL sideloading for execution, and supports data theft, screenshot capture, keylogging, and C2 communication via Telegram or conventional servers.

Read more
risky biz rssNews
Dec 2, 2025
India orders IM apps to link user accounts to a SIM card

Telegram-based remote access trojan used to target Chinese users.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.