ESET researchers have analyzed Spellbinder, a tool used by the China-aligned threat actor group TheWizards for lateral movement and adversary-in-the-middle (AitM) attacks.
The tool performs IPv6 Stateless Address Autoconfiguration (SLAAC) spoofing: it sends forged ICMPv6 Router Advertisements so that hosts on the compromised network autoconfigure IPv6 and route their traffic through an attacker-controlled machine, which can then intercept and redirect it. TheWizards use that adversary-in-the-middle position to hijack the update process of legitimate Chinese software, serving malicious updates that download and execute backdoors such as WizardNet.
The threat actor's activities were first detected in 2022, when suspicious behavior was noticed around the popular Chinese input software Sogou Pinyin. Analysis of a dropper DLL associated with that software led to a downloader that retrieved a shellcode payload from an attacker-controlled server; the shellcode in turn deployed the WizardNet backdoor.
Spellbinder lets the attackers redirect software updates to their own malicious servers by abusing IPv6 SLAAC. This is a design weakness rather than a software vulnerability: hosts accept unauthenticated Router Advertisements by default, so there is no patch that closes it on its own. The attackers use files such as winpcap.exe and AVGApplicationFrameHost.exe in the payload delivery chain; the payloads include WizardNet, a modular backdoor that connects to the attackers' command-and-control (C&C) server, can load and execute additional .NET modules, and encrypts its C&C communications.
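As an added illustration of the SLAAC-spoofing mechanism described in the two paragraphs above (editorial example code, not ESET's analysis code and not anything recovered from Spellbinder): a small parser for ICMPv6 Router Advertisements plus a detection rule that flags any RA whose source link-layer address is not on an allow-list of known gateways, and reports the prefixes and DNS servers such a rogue RA pushes. The packet builder, the MAC addresses, the prefix and the DNS address are constructed test data; the allow-list rule is an assumption about how a network team would model its legitimate routers.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# ICMPv6 / NDP constants (RFC 4861; RDNSS option from RFC 8106)
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LINK_LAYER_ADDR = 1
OPT_PREFIX_INFORMATION = 3
OPT_RDNSS = 25


@dataclass
class RouterAdvertisement:
    src_mac: Optional[str] = None       # from the Source Link-Layer Address option
    router_lifetime: int = 0            # seconds the sender asks to be used as default router
    prefixes: List[str] = field(default_factory=list)     # prefixes hosts will SLAAC into
    dns_servers: List[str] = field(default_factory=list)  # resolvers pushed via RDNSS


def parse_router_advertisement(icmpv6: bytes) -> RouterAdvertisement:
    """Parse the ICMPv6 payload (IPv6 header already stripped) of a Router Advertisement."""
    if len(icmpv6) < 16 or icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    ra = RouterAdvertisement(router_lifetime=struct.unpack("!H", icmpv6[6:8])[0])
    offset = 16  # fixed header: type, code, checksum, hop limit, flags, lifetime, two timers
    while offset + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[offset], icmpv6[offset + 1]
        if opt_len == 0:
            raise ValueError("zero-length NDP option")  # RFC 4861: discard the packet
        body = icmpv6[offset + 2 : offset + opt_len * 8]
        if opt_type == OPT_SOURCE_LINK_LAYER_ADDR and len(body) >= 6:
            ra.src_mac = ":".join(f"{b:02x}" for b in body[:6])
        elif opt_type == OPT_PREFIX_INFORMATION and len(body) >= 30:
            # body: prefix length(1) flags(1) valid(4) preferred(4) reserved(4) prefix(16)
            ra.prefixes.append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif opt_type == OPT_RDNSS:
            # body: reserved(2) lifetime(4) then one or more 16-byte resolver addresses
            for i in range(6, len(body) - 15, 16):
                ra.dns_servers.append(str(ipaddress.IPv6Address(body[i : i + 16])))
        offset += opt_len * 8
    return ra


def classify_ra(ra: RouterAdvertisement, trusted_router_macs: set) -> List[str]:
    """Return reasons this RA looks like SLAAC spoofing; an empty list means nothing flagged."""
    findings: List[str] = []
    trusted = {m.lower() for m in trusted_router_macs}
    if (ra.src_mac or "").lower() not in trusted:
        findings.append(f"RA from untrusted source MAC {ra.src_mac or '<none>'} "
                        f"offering itself as default router for {ra.router_lifetime}s")
        if ra.dns_servers:
            # A rogue sender that also hands out resolvers can answer lookups for update
            # domains with its own addresses; that is the update-hijack vector.
            findings.append("untrusted RA pushes DNS servers via RDNSS: " + ", ".join(ra.dns_servers))
        if ra.prefixes:
            findings.append("untrusted prefixes advertised for SLAAC: " + ", ".join(ra.prefixes))
    return findings


def build_ra(src_mac: str, prefix: str, dns: Optional[List[str]] = None,
             router_lifetime: int = 1800) -> bytes:
    """Constructed test RA payload (checksum left zero; never sent on the wire)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, router_lifetime, 0, 0)
    slla = bytes([OPT_SOURCE_LINK_LAYER_ADDR, 1]) + bytes.fromhex(src_mac.replace(":", ""))
    net = ipaddress.IPv6Network(prefix)
    pio = (bytes([OPT_PREFIX_INFORMATION, 4, net.prefixlen, 0xC0])  # L and A flags set
           + struct.pack("!III", 2592000, 604800, 0) + net.network_address.packed)
    pkt = hdr + slla + pio
    if dns:
        pkt += (bytes([OPT_RDNSS, 1 + 2 * len(dns)]) + b"\x00\x00"
                + struct.pack("!I", router_lifetime)
                + b"".join(ipaddress.IPv6Address(a).packed for a in dns))
    return pkt


# Constructed sample: one RA from the real gateway, one from a rogue host that also pushes DNS.
TRUSTED_ROUTERS = {"00:11:22:aa:bb:cc"}
SAMPLE_RAS = [
    build_ra("00:11:22:aa:bb:cc", "2001:db8:1::/64"),
    build_ra("02:de:ad:be:ef:01", "2001:db8:1::/64", dns=["2001:db8:1::bad"]),
]


def scan(packets: List[bytes], trusted_router_macs: set) -> List[List[str]]:
    """Findings per packet; an empty inner list is a benign RA."""
    return [classify_ra(parse_router_advertisement(p), trusted_router_macs) for p in packets]


if __name__ == "__main__":
    for i, findings in enumerate(scan(SAMPLE_RAS, TRUSTED_ROUTERS)):
        print(f"RA #{i}: " + ("OK" if not findings else "; ".join(findings)))
```

Feed it the ICMPv6 payload of every RA seen on a segment (for example exported from a capture filtered on ICMPv6 type 134). Detection is only half the story, because hosts accept unauthenticated RAs by default; the network-side control is RA Guard (RFC 6105) on access switches, and hosts that do not need IPv6 can have router discovery disabled on their interfaces.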
TheWizards' toolset has been in continuous use since 2022, against individuals and organizations in countries including the Philippines, Cambodia, the UAE, China, and Hong Kong. The group has also applied the same approach, Spellbinder for the hijack and backdoors such as WizardNet as the payload, to other platforms, including Android, through hijacked updates of apps such as Tencent QQ.
While TheWizards shares similarities with another threat actor group, Earth Minotaur (associated with DarkNimbus malware), ESET tracks it independently due to the threat actor’s distinct targeting and specialized tools.