Chinese Group TheWizards Exploits IPv6 to Drop WizardNet Backdoor


ESET has discovered Spellbinder, a new tool used by the China-linked cyber espionage group TheWizards to conduct AitM attacks and spread their WizardNet backdoor via manipulated software updates.

A sophisticated cyber espionage operation, linked to China and active since at least 2022, has been exposed by security researchers at ESET. The group, dubbed TheWizards by ESET, stands out for its method of infiltrating computer networks: it employs a custom tool, named Spellbinder, to conduct adversary-in-the-middle (AitM) attacks and deliver a backdoor that ESET calls WizardNet.

ESET's in-depth analysis, detailed in a recent blog post, reveals that Spellbinder manipulates network traffic via IPv6 SLAAC (stateless address autoconfiguration) spoofing, effectively intercepting legitimate Chinese software updates and redirecting them to attacker-controlled servers that deliver WizardNet.

Attack Method Explained (Source: ESET)

WizardNet is a sophisticated, modular backdoor capable of receiving and executing additional malicious modules from a remote C2 server. This allows TheWizards to perform a wide range of malicious activities on compromised systems.

Reportedly, after gaining initial access, the attackers deploy a specific archive which, through a side-loading technique, eventually executes Spellbinder's malicious code. Spellbinder, which has evolved since the version ESET analyzed in 2022, uses WinPcap to capture packets and abuses IPv6's Neighbor Discovery Protocol by sending crafted ICMPv6 Router Advertisement (RA) messages. Because hosts accept RAs from any sender on the local link and add it to their default-router list, this tricks victims into using the attacker's machine as the gateway, enabling traffic interception. Spellbinder then monitors DNS queries for targeted Chinese platforms such as Tencent, Baidu, and Xiaomi, generates fake DNS responses, and directs victims to attacker-controlled IPs (e.g., 43.155.1167 in 2022 and 43.155.6254 in 2024) serving malicious updates.
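To make the rogue-RA stage concrete, the following is an added example (written for this page; it is not ESET's code and not Spellbinder itself). It builds two ICMPv6 Router Advertisements with the standard library only, one from a site's real router and one from a rogue host claiming the default-router role and pushing its own resolver via the RDNSS option, then parses them and flags the rogue one against an allowlist of trusted routers. All addresses, MACs and the allowlist are constructed for the demonstration (documentation prefix 2001:db8::/32, IANA reserved MAC range); the detection logic is the author's own host- or sensor-side check, not something the article describes.

```python
import struct
import ipaddress

ICMPV6 = 58                     # IPv6 next-header value for ICMPv6
ROUTER_ADVERTISEMENT = 134      # ICMPv6 type (RFC 4861 section 4.2)
OPT_SRC_LLADDR, OPT_PREFIX_INFO, OPT_RDNSS = 1, 3, 25   # RA option types


def icmpv6_checksum(src, dst, payload):
    """RFC 4443 checksum: one's complement sum over the IPv6 pseudo-header plus the ICMPv6 message."""
    pseudo = src + dst + struct.pack("!IBBBB", len(payload), 0, 0, 0, ICMPV6)
    data = pseudo + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ra(src_ip, src_mac, prefix, rdnss=(), router_lifetime=1800):
    """Build an IPv6 packet carrying a Router Advertisement to ff02::1 (all nodes).

    A non-zero router_lifetime is the claim "use me as your default gateway";
    the optional RDNSS option additionally pushes resolver addresses (RFC 8106).
    """
    src = ipaddress.IPv6Address(src_ip).packed
    dst = ipaddress.IPv6Address("ff02::1").packed
    # RA header: type, code, checksum (0 for now), cur hop limit, flags, router lifetime, reachable, retrans
    body = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, 0, router_lifetime, 0, 0)
    body += struct.pack("!BB6s", OPT_SRC_LLADDR, 1, bytes.fromhex(src_mac.replace(":", "")))
    # Prefix Information: length 4 (32 bytes), /64, L|A flags, valid/preferred lifetimes, reserved, prefix
    body += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, 64, 0xC0, 2592000, 604800, 0,
                        ipaddress.IPv6Address(prefix).packed)
    if rdnss:
        servers = b"".join(ipaddress.IPv6Address(s).packed for s in rdnss)
        body += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, 3600) + servers
    body = body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]
    # IPv6 header: version 6, payload length, next header ICMPv6, hop limit 255 (mandatory for RA)
    return struct.pack("!IHBB16s16s", 0x60000000, len(body), ICMPV6, 255, src, dst) + body


def parse_ra(packet):
    """Return the fields of a Router Advertisement, or None if the packet is not one."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None
    plen, nh = struct.unpack("!HB", packet[4:7])
    src, dst = ipaddress.IPv6Address(packet[8:24]), ipaddress.IPv6Address(packet[24:40])
    body = packet[40:40 + plen]
    if nh != ICMPV6 or len(body) < 16 or body[0] != ROUTER_ADVERTISEMENT:
        return None
    ra = {"src": src, "hop_limit": packet[7], "src_mac": None, "prefixes": [], "rdnss": [],
          "router_lifetime": struct.unpack("!H", body[6:8])[0],
          "checksum_ok": struct.unpack("!H", body[2:4])[0]
          == icmpv6_checksum(src.packed, dst.packed, body[:2] + b"\x00\x00" + body[4:])}
    off = 16
    while off + 2 <= len(body):
        t, l = body[off], body[off + 1]
        opt = body[off:off + 8 * l]
        if l == 0 or len(opt) < 8 * l:   # zero-length (invalid per RFC 4861) or truncated option
            break
        if t == OPT_SRC_LLADDR and l == 1:
            ra["src_mac"] = ":".join("%02x" % b for b in opt[2:8])
        elif t == OPT_PREFIX_INFO and l == 4:
            ra["prefixes"].append("%s/%d" % (ipaddress.IPv6Address(opt[16:32]), opt[2]))
        elif t == OPT_RDNSS and l >= 3:
            ra["rdnss"] = [str(ipaddress.IPv6Address(opt[8 + 16 * i:24 + 16 * i]))
                           for i in range((l - 1) // 2)]
        off += 8 * l
    return ra


def rogue_ra_alerts(packet, trusted_routers):
    """Reasons an RA looks like a rogue-router (SLAAC spoofing) attempt; [] means it is trusted."""
    ra = parse_ra(packet)
    if ra is None:
        return []
    trusted = {(ipaddress.IPv6Address(ip), mac.lower()) for ip, mac in trusted_routers}
    alerts = []
    if not ra["checksum_ok"]:
        alerts.append("bad ICMPv6 checksum")
    if ra["hop_limit"] != 255:
        alerts.append("hop limit %d, RFC 4861 requires 255 (packet was forwarded)" % ra["hop_limit"])
    if not ra["src"].is_link_local:
        alerts.append("RA source %s is not link-local" % ra["src"])
    if (ra["src"], ra["src_mac"]) not in trusted:
        alerts.append("RA from unexpected router %s (%s) claiming default-router role for %d s"
                      % (ra["src"], ra["src_mac"], ra["router_lifetime"]))
        if ra["rdnss"]:
            alerts.append("rogue RA also pushes DNS resolvers: %s" % ", ".join(ra["rdnss"]))
    return alerts


# Constructed sample traffic (not captured from any real network): the site's real router,
# and a rogue host on the same link advertising itself as the gateway plus its own resolver.
TRUSTED_ROUTERS = [("fe80::1", "00:00:5e:00:01:01")]
LEGIT_RA = build_ra("fe80::1", "00:00:5e:00:01:01", "2001:db8:1::")
ROGUE_RA = build_ra("fe80::1234", "02:00:00:00:00:02", "2001:db8:1::",
                    rdnss=["2001:db8:ffff::53"], router_lifetime=9000)

if __name__ == "__main__":
    for name, pkt in (("legitimate", LEGIT_RA), ("rogue", ROGUE_RA)):
        print(name, rogue_ra_alerts(pkt, TRUSTED_ROUTERS) or ["no alerts"])
```

The allowlist check is the part that matters: a rogue RA can be perfectly well-formed (correct checksum, hop limit 255, link-local source), so syntactic checks alone will not catch it. In production the same logic would run over frames from a capture interface rather than the constructed bytes above, and the network-side control is RA Guard (RFC 6105) on access switches, or disabling router discovery on hosts that have no legitimate IPv6 upstream.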

A notable case involved Spellbinder hijacking legitimate update requests for Tencent QQ software in 2024, directing the software to download a malicious archive from the attacker's server. This archive contained a malicious component that, upon execution, installed the WizardNet backdoor.

ESET's telemetry indicates that TheWizards have been actively targeting entities in the Philippines, Cambodia, the United Arab Emirates, mainland China, and Hong Kong. The targets range from individuals to gambling companies and other currently unknown entities.

The initial discovery involved Sogou Pinyin (a widely used Chinese input method software) downloading WizardNet. This follows a pattern of abuse targeting Sogou Pinyin's update process. In January 2024, as detailed by ESET, the hacking group Blackwood used this method to deploy an implant named NSPX30.

Furthermore, earlier in 2025, the Slovak cybersecurity firm revealed another threat group, known as PlushDaemon, that also leveraged the same technique to distribute a custom downloader called LittleDaemon.

As detailed in their report, researchers observed possible links between TheWizards and a Chinese company, Sichuan Dianke Network Security Technology (UPSEC), through the analysis of the Android malware DarkNights (DarkNimbus).

Although TheWizards primarily use WizardNet on Windows, their infrastructure also served DarkNights as a malicious update for Android Tencent QQ.

Such sophisticated manipulation of trusted update mechanisms highlights the persistent and evolving threat from state-aligned cyber espionage and the ongoing need for improved security measures and vigilance against these threats.
