TheWizards, a China-linked APT group, uses a tool called Spellbinder to enable adversary-in-the-middle attacks within networks. Spellbinder exploits IPv6 SLAAC spoofing to intercept traffic and redirect software updates to attacker-controlled servers. ESET researchers found the tool hijacks legitimate Chinese apps like Sogou Pinyin to deliver malicious updates.
These updates serve as downloaders, eventually deploying a modular backdoor known as WizardNet.
The tactic of compromising update mechanisms isn’t new for Chinese APTs, with previous abuse seen in early 2024 by Blackwood. That group used Sogou Pinyin updates to deliver an implant named NSPX30 to targets. Another cluster, PlushDaemon, later used similar methods to spread a downloader named LittleDaemon. These operations show a consistent strategy of exploiting trusted software channels to bypass defenses.
Spellbinder has been active since at least 2022, with ZIP archives dropped after initial access, though the vector remains unknown.
The archive includes four files that install the necessary components to activate Spellbinder. The tool uses the WinPcap library and IPv6’s Router Advertisement protocol to mislead systems into accepting rogue gateways. This enables deep packet inspection and redirection within compromised networks.
DNS hijacking is another key element in these attacks, as seen in Tencent QQ’s case where DNS queries were spoofed. The tool uses a hard-coded list of domains from popular Chinese services to redirect updates. These domains include platforms like Tencent, Baidu, Xiaomi, and others. Additionally, TheWizards use another tool, DarkNights, provided by UPSEC, which serves Android targets. This link suggests a broader supply chain backing TheWizards’ operations.
