TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks

May 9, 2025, 4:55 p.m.

Description

TheWizards, a China-aligned threat actor, employs Spellbinder, a lateral movement tool that enables adversary-in-the-middle attacks through IPv6 SLAAC spoofing. This technique allows the group to intercept network traffic and redirect legitimate Chinese software updates to malicious servers. The attackers deploy their custom backdoor, WizardNet, which can load additional modules and gather system information. TheWizards targets individuals, gambling companies, and other entities in several Asian countries and the UAE. The group is linked to Sichuan Dianke Network Security Technology Co., Ltd. (UPSEC), known for supplying malware to other threat actors. TheWizards' sophisticated toolset and tactics demonstrate their advanced capabilities in compromising networks and evading detection.

Date

  • Created: May 9, 2025, 11:59 a.m.
  • Published: May 9, 2025, 11:59 a.m.
  • Modified: May 9, 2025, 4:55 p.m.

Indicators


Attack Patterns

  • DarkNights
  • WizardNet
  • Spellbinder
  • TheWizards

Additional Information

  • Gambling
  • Government
  • ff02::1
  • 240e:56:4000:8000::22
  • 240e:56:4000:8000::11
  • Hong Kong
  • China
  • United Arab Emirates
  • Cambodia
  • Philippines