A sophisticated malware campaign has been discovered exploiting Office Assistant, a widely used AI-powered productivity application in China, to distribute a malicious browser plugin that hijacks user traffic and exfiltrates sensitive information.
The RedDrip Team from QiAnXin Technology’s Threat Intelligence Center uncovered this operation, which has been active since at least May 2024 and has compromised nearly one million endpoints across China over an 18-month period.
The attack leverages Office Assistant’s legitimate infrastructure to load digitally-signed malicious components that deliver the Mltab browser plugin.
This plugin systematically collects user data including browsing patterns, visited websites, and usage behaviors while redirecting traffic to attacker-controlled domains.
The malicious extension has been installed over 210,000 times and remains available on the official Microsoft Edge Add-ons Store, demonstrating the campaign’s alarming reach and persistence.
Technical Analysis
Researchers identified the infection vector in Office Assistant version 3.1.10.1, released on May 28, 2024. The malicious downloader logic, embedded in OfficeAid.Main.exe, was absent from the previous version 3.1.9.9.
The component first performs anti-analysis checks, detecting virtual machines and debugging environments before contacting the command-and-control server at ofsd.fh67k.com.
The attack chain involves multiple stages of payload delivery. The initial dropper downloads OfficeTeamAddin.dll, which carries a digital signature different from the official Office Assistant signature and in turn loads OfficeTeam.Installer.dll.
This component creates a persistence mechanism using the mutex 917D735D-DFE5-4809-97C2-2C067D9D5F1C and connects to ofsg.fh67k.com to retrieve the second-stage payload.
The final payload, logkit.dll, executes through the logkit_report export function to deploy the Mltab browser plugin.
It queries registry keys to identify installed browsers, collects device information in JSON format, encrypts it, and transmits it to the C2 server at of2sg.fh67k.com.
The malware targets multiple browsers including Microsoft Edge, Google Chrome, QQ Browser, Sogou Browser, Lenovo Browser, and 2345 Browser.
Malicious Capabilities
The Mltab plugin, marketed as “MadaoL Newtab,” hijacks the browser’s new tab page and implements extensive traffic redirection capabilities.
The background.js script generates unique user identifiers and continuously uploads browsing activity to api.g6ht.com. The plugin fetches rule configuration files from C2 servers to match and hijack targeted URLs.
Notably, the extension adds a deceptive right-click context menu item labeled “Search with Baidu” that actually redirects users to promotional hijack links.

The myload.js and new_tab_page.js components inject tracking scripts, load count.html from cjrx.cjtab.com for activity monitoring, and fetch replacement rules from d.giw36.com/down/MLNewtab.dat to systematically replace legitimate links with attacker-controlled redirect URLs.
All command-and-control servers associated with this campaign appear in OpenDNS's list of the top one million domains, which helps them evade basic blocklists.
However, QiAnXin’s Tianqing endpoint protection solution can effectively detect and remove Mltab-related components.
Organizations using QiAnXin’s threat intelligence products, including TIP, Tianyan, NGSOC, and Situation Awareness Platform, have access to detection capabilities for this threat.
Users of Office Assistant in China should immediately verify their installed version and check for unauthorized browser extensions, particularly those related to Mltab or MadaoL Newtab.
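As an added triage aid (not part of the QiAnXin report), the following PowerShell script checks a Windows endpoint for the indicators described above: the OfficeAid.Main.exe version, the installer mutex, Mltab/MadaoL Newtab extension manifests in Edge and Chrome profiles, and cached DNS lookups of the C2 domains. The Office Assistant install path is an assumption and must be adjusted for the local deployment.

```powershell
# Added triage script (not from the QiAnXin report); $officeAidExe is an ASSUMED path.
$indicators = @{
    MutexName   = '917D735D-DFE5-4809-97C2-2C067D9D5F1C'
    FirstBadVer = [version]'3.1.10.1'
    Domains     = @('fh67k.com', 'g6ht.com', 'cjtab.com', 'giw36.com')
    ExtNames    = @('MadaoL', 'Mltab')
}
$officeAidExe = "$env:ProgramFiles\OfficeAssistant\OfficeAid.Main.exe"  # ASSUMED install path
function Test-OfficeAidVersion {
    # 3.1.10.1 is the first build carrying the downloader; 3.1.9.9 did not.
    if (-not (Test-Path $officeAidExe)) { return }
    $v = [version](Get-Item $officeAidExe).VersionInfo.FileVersion
    if ($v -ge $indicators.FirstBadVer) { "[!] OfficeAid.Main.exe $v is >= 3.1.10.1" }
}
function Test-PersistenceMutex {
    # OfficeTeam.Installer.dll creates this mutex; check session-local and Global names.
    foreach ($name in @($indicators.MutexName, "Global\$($indicators.MutexName)")) {
        try {
            [System.Threading.Mutex]::OpenExisting($name).Dispose()
            "[!] Mutex $name exists: installer stage may be running"
        } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        } catch [System.UnauthorizedAccessException] {
            "[!] Mutex $name exists (held by another account)"
        }
    }
}
function Find-SuspiciousExtensions {
    # Match Edge/Chrome extension manifests by name or description.
    $pattern = $indicators.ExtNames -join '|'
    $roots = @("$env:LOCALAPPDATA\Microsoft\Edge\User Data",
               "$env:LOCALAPPDATA\Google\Chrome\User Data") | Where-Object { Test-Path $_ }
    foreach ($root in $roots) {
        Get-ChildItem $root -Recurse -Filter manifest.json -ErrorAction SilentlyContinue |
          Where-Object { $_.FullName -like '*\Extensions\*' } | ForEach-Object {
            $m = Get-Content $_.FullName -Raw | ConvertFrom-Json
            if ("$($m.name) $($m.description)" -match $pattern) {
                "[!] Extension '$($m.name)' in $($_.DirectoryName)"
            }
          }
    }
}
function Test-DnsCache {
    # Recent resolutions of the report's C2 domains (or their subdomains) indicate live plugin traffic.
    $escaped = ($indicators.Domains | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-DnsClientCache -ErrorAction SilentlyContinue |
      Where-Object { $_.Entry -match "(^|\.)($escaped)`$" } |
      ForEach-Object { "[!] DNS cache holds C2-related name: $($_.Entry)" }
}
$findings = @(Test-OfficeAidVersion; Test-PersistenceMutex; Find-SuspiciousExtensions; Test-DnsCache)
if ($findings) { $findings } else { 'No Mltab / Office Assistant indicators found.' }
```

Run it in the user's own session so the extension directories under LOCALAPPDATA and the session-local mutex name are visible; a hit on any check warrants the endpoint-protection removal steps described above.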