
2026-03-11 By RedDrip Team | Security Incident

As the recent "lobster farming" craze sweeps across the internet, the RedDrip Team of QiAnXin Threat Intelligence Center has detected numerous counterfeit OpenClaw installation sites distributing malware via our private intelligence system. Among the common trojans observed, we identified an "outlier"—carrying Russian debug strings and delivering an unprecedented malicious software. Due to its debug strings, we have named it "Anti-bot".
OPENCLAW SUPPLYCHAIN SECURITY

2026-01-06 By RedDrip Team | Security Incident

The RedDrip Team of QiAnXin Technology's Threat Intelligence Center, through its private intelligence production process, discovered that the process of the Office Assistant software, widely used in China, loads malicious components carrying legitimate signatures in order to deliver the Mltab browser plugin. This plugin collects user information and hijacks user traffic. Currently, Tianqing (QiAnXin's endpoint protection) can effectively detect and remove Mltab-related components.
OFFICEAI ASSISTANT SUPPLY CHAIN ATTACK

2025-12-25 By RedDrip Team | Security Incident

On December 23, 2025, the well-known document editor EmEditor officially announced that between December 19 and 22 the installation packages on its official website had been subjected to a supply chain attack, during which the MSI installers were replaced with malicious ones bearing unofficial signatures. QiAnXin Threat Intelligence Center's RedDrip Team captured the subsequent final payload, an information-stealing trojan, through its private intelligence production process.
SUPPLY CHAIN EMEDITOR

2025-12-08 By RedDrip Team | Incident Tracking

QiAnXin Threat Intelligence Center disclosed the Operation Tornado cyber espionage activities of the Ocean Lotus group. Since 2022, this group has been continuously launching attacks against domestic IT innovation platforms and government networks. They use decoys such as Desktop, JAR, and epub files with Nday vulnerabilities, as well as internal network supply chain attacks to implant malicious code. They use weapons such as customized ELF Trojans, lightweight special malware, and IoT passive backdoors to steal government data and spy on national policies. Currently, Tianqing V10 IT innovation version can alert users to spear phishing decoys such as Desktop. It is recommended that users upgrade to version V10 and enable the protection function.
APT SOUTHEAST ASIA OCEANLOTUS

2025-12-02 By RedDrip Team | Incident Tracking

QiAnXin Threat Intelligence Center recently discovered a new Trojan, StreamSpy, associated with the MahaCao group. This Trojan communicates with remote servers using a combination of WebSocket and HTTP. The Trojan retrieves commands and sends back operation results via the WebSocket channel, while HTTP is used for operations such as file transfers. This Trojan also shares some similarities with MahaCao's Spyder. Furthermore, other related samples further confirm resource-sharing connections between the MahaCao and DuNaoChong attack groups.
APT SOUTH ASIA PATCHWORK DONOT