In mid-June 2026, the Red Raindrop Team at Qianxin Threat Intelligence Center detected, through its private intelligence AI production pipeline, a Ghost distributor delivering a highly modular special trojan written in Rust to specific targets. Based on its distinctive string characteristics, we named the trojan MODBEACON. Its victim targeting is highly customized, spanning sectors including technology, education, and state-owned enterprises.
2026 年 6 月中旬,奇安信威胁情报中心红雨滴团队的私有情报 AI 生产流程检测到一伙 ghost 分发商在特定目标下发一款由 Rust 编写、高度模块化的特种木马;基于其特殊字符串特征,我们将该木马命名为 MODBEACON。其受害目标呈现高度定制化,涉及科技、教育、国企等领域。
奇安信威胁情报中心红雨滴团队私有情报生产流程发现一家面向中文用户提供私密IM的软件官网上的安装包被替换。被替换的安装包除了正常流程外,还会释放如下组件,内存加载SNOWLIGHT下载者,最终运行魔改nps隧道。
The RedDrip Team of QAX Threat Intelligence Center discovered during a private intelligence production process that the installer package on the official website of a software providing private IM for Chinese users had been replaced. The replaced installer, in addition to its normal routine, also drops the following components, loads the SNOWLIGHT downloader in memory, and ultimately runs a modified nps tunnel.
Through the private intelligence production process of the RedDrip Team at QiAnXin Threat Intelligence Center, it was discovered that the official website installer of a domestic cloud phone and virtual mobile service provider was suspected of being replaced between February 2026 and the end of March 2026. The service has now returned to normal, and the incident resulted in a large number of government and enterprise endpoints being compromised.
奇安信威胁情报中心红雨滴团队私有情报生产流程发现国内一家提供云手机、虚拟手机的服务商官网安装包疑似于2026年2月-3月底期间被替换,目前已经恢复正常,该事件造成大量政企终端被控。
As the recent "lobster farming" craze sweeps across the internet, the RedDrip Team of QiAnXin Threat Intelligence Center has detected numerous counterfeit OpenClaw installation sites distributing malware via our private intelligence system. Among the common trojans observed, we identified an "outlier"—carrying Russian debug strings and delivering an unprecedented malicious software. Due to its debug strings, we have named it "Anti-bot".
随着最近“养龙虾”热潮席卷全网,奇安信威胁情报中心红雨滴团队私有情报系统监测到大量仿冒OpenClaw的安装站点正在借机投毒。在一众常见的木马中,我们发现一个“另类”——它携带着俄语调试字符串,投递的是一款前所未见的恶意软件。因其调试字符串,我们将其命名为 “Anti-bot”。
The RedDrip Team of QiAnXin Technology's Threat Intelligence Center, through its private intelligence production process, discovered that the Office Assistant software process, widely used in China, loads malicious components with legitimate signatures to deliver the Mltab browser plugin. This plugin collects user information and hijacks user traffic.Currently, Tianqing (QiAnXin's endpoint protection) can effectively detect and remove Mltab-related components.
奇安信威胁情报中心红雨滴团队私有情报生产流程发现国内软件 Office 助手进程加载带有正规签名的恶意组件投递 Mltab 浏览器插件,收集用户信息和劫持用户流量。目前天擎已能够有效查杀mltab相关组件。
关注我们
奇安信威胁情报中心
