Background
Recently, in the course of its routine threat intelligence operations, the QiAnXin Threat Intelligence Center's Red Raindrop team discovered a previously undisclosed Trojan, which we named "SetcodeRat", being spread on a large scale in China. The Trojan carries a component built specifically for Telegram, and the attacker drew our attention by targeting Telegram users in regions where Telegram is blocked.
According to our observations, the earliest SetcodeRat activity dates back to October 2025. It is believed to be distributed mainly through SEO poisoning; we have found no other delivery method. The malicious installation package first checks the victim's region and exits automatically if the machine is not in a Chinese-speaking area. In just one month the Trojan has infected hundreds of computers, including some in government and enterprise units.

QiAnXin Tianqing's "Liuhe" engine can now block this trojan by default. We recommend government and enterprise clients deploy the "Liuhe" engine to defend against unknown threats.

Sample Analysis
The sample is disguised as a normal software installation package.

After the victim downloads and runs it, the sample first filters for domestic users by checking the system language setting, and continues only when the language is one of the Chinese locales for mainland China, Hong Kong, Macao and Taiwan:
| Language setting | Region |
|---|---|
| Zh-CN | Mainland China |
| Zh-TW | Taiwan, China |
| Zh-HK | Hong Kong, China |
| Zh-MO | Macao, China |

Next, it calls a Bilibili-related API and terminates execution if the request fails.

After both checks pass, it drops a "white plus black" (DLL side-loading) component: the legitimate program pnm2png.exe together with a malicious DLL.

Of the dropped files, zlib1.dll is the malicious loader and qt.conf is the encrypted payload.

Before dropping them, the installer generates a .TMP configuration file derived from the device UUID and writes it to the C:\ProgramData folder.

The pnm2png.exe component is dropped into a randomly named folder under C:\ProgramData and launched through cmd with a random argument; the installer then proceeds with its decoy installation of the advertised software.

When pnm2png.exe runs it loads zlib1.dll, and the DLL's load routine patches the entry point of pnm2png.exe to point at its gsgweTyv function.

The main function of gsgweTyv is to decrypt qt.conf and load it.

qt.conf is actually a password-protected zip archive; the password is RPNmUcoToJo5eR7AyHaQ.

The decrypted payload is a DLL with its own loader. Once gsgweTyv has finished, it jumps to the payload, which in turn loads the final payload client.dll and calls its export function CodeRun.

CodeRun first checks whether the host process is Telegram.exe; if so, it runs in Telegram plugin mode.

Telegram plugin function
It first initializes its hooking framework.

One hook removes Telegram's proxy-prompt related functions.

It then installs a message hook with callbacks on the message receive, send and read/write paths, which it uses to steal cryptocurrency.

It does this by intercepting USDT-related Telegram messages and replacing the wallet addresses in them with the attacker's own.

Tron USDT wallet addresses in the message are located with a regular expression.
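Tron addresses are Base58Check strings (a 0x41 version byte, a 20-byte account identifier and a 4-byte double-SHA256 checksum), which is why they are always 34 characters starting with "T". The Python below is an added analyst helper, not code from the report or the malware: it finds address-shaped tokens in a chat message with a regular expression of the kind the report describes and verifies their checksum, so a recipient or responder can confirm that a received address is well-formed and then compare it with the one the sender actually intended. The sample message and the zero-filled account identifier are constructed.

```python
import hashlib
import re
from typing import List, Optional, Tuple

# Added analyst helper, not code from the report or the malware. Tron mainnet
# addresses are Base58Check: 0x41 + 20-byte account id + 4-byte double-SHA256
# checksum, encoded as 34 Base58 characters that always begin with 'T'.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
TRON_ADDR_RE = re.compile(r"\bT[1-9A-HJ-NP-Za-km-z]{33}\b")

def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def tron_b58check_encode(payload: bytes) -> str:
    """Encode a 21-byte Tron payload (0x41 + account id); Tron payloads never
    start with a zero byte, so no leading-'1' padding is needed."""
    num = int.from_bytes(payload + _checksum(payload), "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = B58_ALPHABET[rem] + out
    return out

def b58check_decode(addr: str) -> Optional[bytes]:
    """Return the 21-byte payload if addr is 34 chars and its checksum verifies."""
    if len(addr) != 34:
        return None
    num = 0
    for ch in addr:
        if ch not in B58_ALPHABET:
            return None
        num = num * 58 + B58_ALPHABET.index(ch)
    raw = num.to_bytes(25, "big")  # 58**34 < 2**200, so 25 bytes always fit
    payload, checksum = raw[:21], raw[21:]
    return payload if _checksum(payload) == checksum else None

def is_valid_tron_address(addr: str) -> bool:
    payload = b58check_decode(addr)
    return payload is not None and payload[0] == 0x41

def find_tron_addresses(message: str) -> List[Tuple[str, bool]]:
    """Address-shaped tokens in a message with their checksum status. A mistyped
    address shows as (token, False); a swapped-in address passes the checksum
    and is only caught by comparing it with the address the sender intended."""
    return [(m, is_valid_tron_address(m)) for m in TRON_ADDR_RE.findall(message)]

if __name__ == "__main__":
    # Constructed sample: zero-filled account id, encoded the standard way.
    sample = tron_b58check_encode(bytes([0x41]) + bytes(20))
    print(find_tron_addresses(f"Please send the USDT to {sample} today"))
```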

It then connects to the C2 (see Remote Control Function below for how the C2 address is obtained) and waits for command packets.

Depending on the command received, it performs one of the following: getting user information, setting configuration, message operations, and setting a proxy.

Among them, the message operation command has the following subcommands:
- Delete specified message
- Set all messages
- Delete all messages
- Set the specified message

The proxy function has three subcommands:
1. Get proxy information from the C2 provided by the attacker
2. Set proxy
3. Remove proxy


Remote Control Function
If the host process is not Telegram.exe, it runs in normal remote-control mode, first reading the .tmp file that was generated earlier from the device UUID.

The .tmp file contains the encrypted configuration hardcoded in the SEO-poisoning dropper; each dropper carries a different configuration.

The configuration is decrypted by XORing it with 0x21, which yields the C2 address.
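The report states only that the configuration is XOR-encoded with the single byte 0x21 and that the decoded data carries the C2. The Python below is an added incident-response triage helper, not code from the report or the malware: it decodes a .tmp blob as described and pulls out host:port-shaped strings, and can be pointed at the ProgramData folder of a suspect host. The assumption that the decoded text is plain ASCII host:port, and the placeholder C2 value in the sample, are mine.

```python
import re
from pathlib import Path
from typing import Dict, List

# Added triage helper, not code from the report or the malware. Only the XOR
# key (0x21) and the fact that the decoded text holds the C2 come from the
# report; the plain-ASCII host:port layout is an assumption for this example.
XOR_KEY = 0x21
# IPv4 or hostname, optionally followed by :port, in the decoded bytes.
C2_RE = re.compile(
    rb"(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?::\d{1,5})?"
)

def xor_decode(blob: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; the same call both encodes and decodes."""
    return bytes(b ^ key for b in blob)

def extract_c2(blob: bytes) -> List[str]:
    """Decode an encrypted .tmp configuration and return C2-shaped candidates."""
    decoded = xor_decode(blob)
    return [m.decode("ascii", "replace") for m in C2_RE.findall(decoded)]

def scan_tmp_configs(directory: Path) -> Dict[str, List[str]]:
    """Decode every *.tmp file in a directory (e.g. the ProgramData folder of a
    suspect host) and map file name -> extracted C2 candidates."""
    results: Dict[str, List[str]] = {}
    for path in sorted(directory.glob("*.[tT][mM][pP]")):
        hits = extract_c2(path.read_bytes())
        if hits:
            results[path.name] = hits
    return results

if __name__ == "__main__":
    # Constructed sample: a placeholder C2 encoded the way the report describes.
    sample_blob = xor_decode(b"c2.example.invalid:443")
    print(extract_c2(sample_blob))
```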

It then connects to the C2 and carries out the remote-control functions.

The remote-control functions are: taking screenshots, keystroke logging, reading folders, setting folders, starting processes, running cmd commands, setting up socket connections, collecting browser logs, collecting network connection information, updating the Trojan, and collecting system information.

Summary
Currently, all Qi'anxin products powered by threat intelligence from Qi'anxin Threat Intelligence Center—including Qi'anxin Threat Intelligence Platform (TIP), Tianqing Endpoint Security, Tianyan Advanced Threat Detection System, Qi'anxin NGSOC, and Qi'anxin Situational Awareness—support accurate detection of such attacks.

IOC