Cybersecurity

Chinese Hackers Abuse IPv6 SLAAC for AitM Attacks via Spellbinder Lateral Movement Tool

By Harish, April 30, 2025

Apr 30, 2025Ravie LakshmananMalware / DNS Security

A China-aligned advanced persistent threat (APT) group called TheWizards has been linked to a lateral movement tool called Spellbinder that can facilitate adversary-in-the-middle (AitM) attacks.

“Spellbinder enables adversary-in-the-middle (AitM) attacks, through IPv6 stateless address autoconfiguration (SLAAC) spoofing, to move laterally in the compromised network, intercepting packets and redirecting the traffic of legitimate Chinese software so that it downloads malicious updates from a server controlled by the attackers,” ESET researcher Facundo Muñoz said in a report shared with The Hacker News.

The attack paves the way for a malicious downloader that’s delivered by hijacking the software update mechanism associated with Sogou Pinyin. The downloader then acts as a conduit to drop a modular backdoor codenamed WizardNet.

This is not the first time Chinese threat actors have abused Sogou Pinyin’s software update process to deliver their own malware. In January 2024, ESET detailed a hacking group referred to as Blackwood that has deployed an implant named NSPX30 by taking advantage of the update mechanism of the Chinese input method software application.

Then earlier this year, the Slovak cybersecurity company revealed another threat cluster known as PlushDaemon that leveraged the same technique to distribute a custom downloader called LittleDaemon.

TheWizards APT is known to target both individuals and the gambling sector in Cambodia, Hong Kong, Mainland China, the Philippines, and the United Arab Emirates.

Evidence suggests that the Spellbinder IPv6 AitM tool has been put to use by the threat actor since at least 2022. While the exact initial access vector used in the attacks is unknown at this stage, successful access is followed by the delivery of a ZIP archive that contains four different files: AVGApplicationFrameHost.exe, wsc.dll, log.dat, and winpcap.exe.

The threat actors then proceed to install “winpcap.exe” and run “AVGApplicationFrameHost.exe,” the latter of which is abused to sideload the DLL. The DLL file subsequently reads shellcode from “log.dat” and executes it in memory, causing Spellbinder to be launched in the process.

“Spellbinder uses the WinPcap library to capture packets and to reply to packets when needed,” Muñoz explained. “It takes advantage of IPv6’s Network Discovery Protocol in which ICMPv6 Router Advertisement (RA) messages advertise that an IPv6-capable router is present in the network so that hosts that support IPv6, or are soliciting an IPv6-capable router, can adopt the advertising device as their default gateway.”
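The Router Advertisement mechanism described in the quote is also what a defender can watch for. As an added example (not code from ESET's report or from Spellbinder), the following Python decodes ICMPv6 Router Advertisements from raw Ethernet frames and flags any RA whose source link-local address is not on an allowlist of known gateways; the allowlist, the frame builder and the 2001:db8:1::/64 prefix are constructed test inputs, and the ICMPv6 checksum is not verified.

```python
import ipaddress
import struct

ICMPV6_RA = 134
TRUSTED_ROUTERS = {"fe80::1"}  # constructed allowlist: link-local addresses of legitimate gateways

def parse_ra(frame: bytes):
    """Decode Ethernet/IPv6/ICMPv6 Router Advertisement; None if the frame is not an RA."""
    if len(frame) < 70 or frame[12:14] != b"\x86\xdd":
        return None
    ip6, payload = frame[14:54], frame[54:]
    if ip6[6] != 58 or payload[0] != ICMPV6_RA:      # next header 58 = ICMPv6, type 134 = RA
        return None
    # RA fixed part: type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    _, _, _, _, _, lifetime, _, _ = struct.unpack("!BBHBBHII", payload[:16])
    ra = {"src": ipaddress.IPv6Address(ip6[8:24]), "lifetime": lifetime, "prefixes": []}
    off = 16
    while off + 2 <= len(payload):                    # walk TLV options (length unit = 8 bytes)
        otype, olen = payload[off], payload[off + 1] * 8
        if olen == 0:
            break                                     # malformed option; stop rather than loop forever
        if otype == 3 and olen == 32:                 # Prefix Information option
            body = payload[off + 2:off + olen]
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        off += olen
    return ra

def audit_ra(frame: bytes, trusted=TRUSTED_ROUTERS):
    """Return findings for the rogue-RA pattern: a router advertising itself that we do not know."""
    ra = parse_ra(frame)
    if ra is None or str(ra["src"]) in trusted:
        return []
    return [f"RA from untrusted router {ra['src']} lifetime={ra['lifetime']}s prefixes={ra['prefixes']}"]

def build_ra_frame(src_ll: str, prefix: str = "2001:db8:1::", lifetime: int = 1800) -> bytes:
    """Constructed sample RA frame for testing (not a captured packet); ICMPv6 checksum left zero."""
    icmp = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, lifetime, 0, 0)
    icmp += struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 2592000, 604800, 0)   # prefix info, L+A flags
    icmp += ipaddress.IPv6Address(prefix).packed
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255)
    ip6 += ipaddress.IPv6Address(src_ll).packed + ipaddress.IPv6Address("ff02::1").packed
    eth = bytes.fromhex("333300000001") + bytes.fromhex("020000000001") + b"\x86\xdd"
    return eth + ip6 + icmp
```

On a real segment the same check is what switch-level RA Guard enforces; running it over a capture is the quickest way to confirm whether an unexpected host has been advertising itself as the gateway.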

In one attack case observed in 2024, the threat actors are said to have utilized this method to hijack the software update process for Tencent QQ at the DNS level to serve a trojanized version that then deploys WizardNet, a modular backdoor that’s equipped to receive and run .NET payloads on the infected host.

Spellbinder pulls this off by intercepting the DNS query for the software update domain (“update.browser.qq[.]com”) and issuing a DNS response with the IP address of an attacker-controlled server (“43.155.62[.]54”) hosting the malicious update.
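To show what the hijacked lookup looks like from the defender's side, here is an added Python example (not from the report) that decodes A records from a DNS response and flags an answer for update.browser.qq.com that falls outside an expected-answer allowlist. The 203.0.113.x addresses are constructed placeholders for the vendor's real answers, and the response builder produces test input rather than captured traffic.

```python
import ipaddress
import struct

UPDATE_DOMAIN = "update.browser.qq.com"
# Constructed allowlist standing in for the answers the vendor's legitimate resolver returns.
EXPECTED_ANSWERS = {"203.0.113.10", "203.0.113.11"}

def read_name(msg: bytes, off: int):
    """Decode a DNS name at off, following RFC 1035 compression pointers; return (name, next_off)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def a_records(msg: bytes):
    """Return {name: [ipv4, ...]} for the A records in the answer section of a DNS response."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = read_name(msg, off)
        off += 4                                       # QTYPE + QCLASS
    answers = {}
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                  # A record
            answers.setdefault(name, []).append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return answers

def audit_dns_response(msg: bytes, expected=EXPECTED_ANSWERS):
    """Return answers for the update domain that point somewhere the vendor is not known to host."""
    return [ip for ip in a_records(msg).get(UPDATE_DOMAIN, []) if ip not in expected]

def build_response(domain: str, ip: str) -> bytes:
    """Constructed DNS response (test input) with one A answer that uses a compression pointer."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in domain.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(ip).packed
    return header + qname + struct.pack("!HH", 1, 1) + answer
```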

Another noteworthy tool in TheWizards’ arsenal is DarkNights, which Trend Micro tracks as DarkNimbus and has attributed to a different Chinese hacking group, Earth Minotaur. That said, the two clusters are treated as independent operators because of differences in tooling, infrastructure, and targeting footprints.

It has since emerged that a Chinese public security ministry contractor named Sichuan Dianke Network Security Technology Co., Ltd. (aka UPSEC) is the supplier of the DarkNimbus malware.

“While TheWizards uses a different backdoor for Windows (WizardNet), the hijacking server is configured to serve DarkNights to updating applications running on Android devices,” Muñoz said. “This indicates that Dianke Network Security is a digital quartermaster to TheWizards APT group.”
