The RedDrip Team at QiAnXin Technology’s Threat Intelligence Center has uncovered a widespread malware campaign hiding inside a popular productivity tool. The “Office Assistant” software, widely used across China for AI-powered document creation and office tasks, has been caught loading malicious components to deliver a browser-hijacking plugin known as “Mltab.”
The incident, active since at least May 2024, has reportedly affected nearly one million terminals, turning a trusted helper into a digital spy.
The attack is particularly insidious because it abuses valid digital signatures to mask its activity. The investigation found that the Office Assistant software process “loads malicious components with legitimate signatures to deliver the Mltab browser plugin”.
Once installed, this plugin goes rogue. It “collects user information and hijacks user traffic,” effectively monitoring the victim’s online behavior and redirecting their searches for profit.
The malicious browser plugin alone has been installed over 210,000 times and, shockingly, “has not been removed from the official Microsoft Edge add-on store” as of the report’s release.

The campaign’s infrastructure is equally robust. The Command and Control (C2) servers orchestrating the attack—domains like fh67k.com, eybyyffs.com, and cjtab.com—are all ranked within the top 1 million domains on OpenDNS, suggesting a high volume of traffic and a sophisticated operation.
The analysis pinpointed the exact moment the software turned malicious. Version 3.1.10.1 of Office Assistant, released on May 28, 2024, introduced a new “downloader logic” absent in previous versions.
This hidden code requests a C2 domain (ofsd.fh67k.com) and drops a DLL file named OfficeTeamAddin.dll. While the file appears to be a legitimate part of the suite, its digital signature is telling. Unlike the official software signed by “Beijing Yundong Zhixiao,” the malicious DLLs bear signatures from entities like “Ample Digital Limited” and “Hangil IT Co., Ltd”—certificates that have since been revoked.
Once the Mltab plugin establishes itself, it monetizes the victim’s browsing. It fetches a configuration file from a remote server (MLNewtab.dat) and uses it to replace legitimate links on web pages with redirected, revenue-generating URLs.
“Based on the returned configuration file, the attacker adds their controlled domains to a whitelist,” the report explains. It targets major Chinese sites like Baidu, Hao123, and JD.com, replacing navigation links and icons with hijacked versions.
The malware even goes as far as hijacking the browser’s “New Tab” page and inserting a “Search with Baidu” context menu item that routes queries through their own tracking links.
To ensure it stays on the machine, the malware employs clever evasion tactics. It waits for specific triggers, like a software update, to generate a unique user ID and begin uploading behavior logs. It also modifies the browser’s “Secure Preferences” file to lock in its hijacked settings, making it difficult for users to reset their homepage or search engine.
QiAnXin’s endpoint protection software, Tianqing, has been updated to detect and remove these “Trojan.MPE.Mltab” components. Users of Office Assistant are urged to scan their systems immediately and check their browser extensions for “MadaoL Newtab” or any unrecognized add-ons.
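As an added defender’s triage example (not from the QiAnXin report or its tooling), the following Python scans a Chromium-style Edge “Secure Preferences” file for the indicators named above: an extension called “MadaoL Newtab” or one that overrides the New Tab page, and a homepage, startup URL or default search engine pointing at the C2 domains listed in the article. The key layout used (extensions.settings, homepage, session.startup_urls, default_search_provider_data.template_url_data) is Chromium’s preference layout and is an assumption here, and the sample file is constructed, not a real capture.

```python
"""Scan a Chromium/Edge "Secure Preferences" JSON for Mltab indicators."""
import json
from urllib.parse import urlparse

# Indicators taken from the report; all other names/keys below are assumptions.
SUSPECT_NAMES = {"madaol newtab"}
C2_DOMAINS = {"fh67k.com", "eybyyffs.com", "cjtab.com"}


def host_matches(url, domains):
    """True if the URL's host is one of the domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_secure_preferences(prefs):
    """Return a list of human-readable findings; empty list means no match."""
    findings = []
    # Extension records sit under extensions.settings keyed by extension id
    # (Chromium layout; assumption, not stated in the report).
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        manifest = entry.get("manifest", {})
        name = manifest.get("name", "")
        if name.lower() in SUSPECT_NAMES:
            findings.append(f"extension {ext_id}: name '{name}' matches report IoC")
        if "newtab" in manifest.get("chrome_url_overrides", {}):
            findings.append(f"extension {ext_id}: overrides the New Tab page")
    # Hijacked homepage / startup / search settings pointing at C2 domains.
    home = prefs.get("homepage", "")
    if home and host_matches(home, C2_DOMAINS):
        findings.append(f"homepage points at known C2 domain: {home}")
    for url in prefs.get("session", {}).get("startup_urls", []):
        if host_matches(url, C2_DOMAINS):
            findings.append(f"startup URL points at known C2 domain: {url}")
    search = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    if host_matches(search.get("url", ""), C2_DOMAINS):
        findings.append(f"default search engine routes through C2 domain: {search['url']}")
    return findings


def scan_file(path):
    """Load a real Secure Preferences file from disk and scan it."""
    with open(path, encoding="utf-8") as fh:
        return scan_secure_preferences(json.load(fh))


# Constructed sample, not a real capture; extension ids are placeholders.
SAMPLE_PREFS = {
    "extensions": {"settings": {
        "a" * 32: {"manifest": {"name": "MadaoL Newtab",
                                "chrome_url_overrides": {"newtab": "newtab.html"}}},
        "b" * 32: {"manifest": {"name": "Benign Notes"}},
    }},
    "homepage": "https://ofsd.fh67k.com/",
    "session": {"startup_urls": ["https://www.example.com/"]},
    "default_search_provider_data": {"template_url_data": {
        "url": "https://www.cjtab.com/s?q={searchTerms}"}},
}

if __name__ == "__main__":
    for finding in scan_secure_preferences(SAMPLE_PREFS):
        print(finding)
```

On a live system, point scan_file at the profile’s Secure Preferences file (for Edge, under the user’s AppData Edge profile directory) with the browser closed.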