2026-05-12 By RedDrip Team | Security Incident

The RedDrip Team of QAX Threat Intelligence Center discovered, through its private intelligence production process, that the installer package on the official website of a piece of software providing private IM to Chinese users had been replaced. Besides running its normal installation routine, the replaced installer also drops the following components, loads the SNOWLIGHT downloader in memory, and ultimately runs a modified nps tunnel.
SUPPLY CHAIN ATTACK

2026-04-14 By RedDrip Team | Incident Tracking

Through the private intelligence production process of the RedDrip Team at QiAnXin Threat Intelligence Center, it was discovered that the official website installer of a domestic cloud phone and virtual mobile service provider was suspected of being replaced between February 2026 and the end of March 2026. The service has now returned to normal, and the incident resulted in a large number of government and enterprise endpoints being compromised.
SUPPLY CHAIN ATTACK GGBOND RAT

2026-03-11 By RedDrip Team | Security Incident

As the recent "lobster farming" craze sweeps across the internet, the RedDrip Team of QiAnXin Threat Intelligence Center has detected, through its private intelligence system, numerous counterfeit OpenClaw installation sites distributing malware. Among the common trojans observed, we identified an "outlier"—carrying Russian debug strings and delivering a previously unseen piece of malware. Because of those debug strings, we have named it "Anti-bot".
OPENCLAW SUPPLYCHAIN SECURITY

2026-01-06 By RedDrip Team | Security Incident

The RedDrip Team of QiAnXin Technology's Threat Intelligence Center discovered, through its private intelligence production process, that the process of the Office Assistant software, widely used in China, loads malicious components carrying legitimate signatures to deliver the Mltab browser plugin. This plugin collects user information and hijacks user traffic. Currently, Tianqing (QiAnXin's endpoint protection) can effectively detect and remove Mltab-related components.
OFFICEAI ASSISTANT SUPPLY CHAIN ATTACK

2025-12-25 By RedDrip Team | Security Incident

On December 23, 2025, the renowned document editor EmEditor officially announced that between December 19 and 22 its official website installation packages had been subjected to a supply chain attack, during which MSI installers were replaced with malicious ones bearing unofficial signatures. The RedDrip Team of QiAnXin Threat Intelligence Center captured the subsequent final payload—an information-stealing malware—through its private intelligence production process.
SUPPLY CHAIN EMEDITOR
