Regions Targeted: Philippines, Cambodia, United Arab Emirates, China, Hong Kong
Related Families: WizardNet, DarkNights (DarkNimbus)
Key Takeaways
The Activity
Spellbinder exploits IPv6 network configurations by sending multicast router advertisement packets, positioning itself as a malicious IPv6-capable router. It provides specific DNS server addresses tied to China Telecom’s AS4134 backbone, enabling the redirection of DNS queries for popular Chinese platforms like Tencent and Baidu. In a notable campaign, TheWizards hijacked the update mechanism of Tencent QQ, a widely used Chinese messaging application, to deploy a malicious downloader. This downloader serves as a conduit for WizardNet, a modular backdoor written in .NET that connects to a remote controller to execute additional modules in memory. WizardNet supports five commands, three of which focus on in-memory module execution, enhancing its flexibility and persistence on compromised systems.
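As an added defensive illustration (not code from the original report, PolySwarm or ESET), the parser below pulls the resolver addresses out of the RDNSS option of an ICMPv6 Router Advertisement, the field a rogue-router attack of this kind has to populate, and flags any resolver that is not on the network's allowlist. The allowlist address fd00::53, the rogue address 2001:db8::53 and the sample packet are constructed; the real resolver addresses used in the campaign are not on this page.

```python
import ipaddress
import struct

# RFC 4861 Router Advertisement is ICMPv6 type 134; RFC 8106 RDNSS option is type 25.
ICMPV6_RA = 134
OPT_RDNSS = 25

# Constructed allowlist (assumption): the only resolver this network legitimately advertises.
EXPECTED_DNS = {ipaddress.IPv6Address("fd00::53")}


def parse_ra_options(icmp: bytes):
    """Yield (type, data) for each TLV option after the fixed 16-byte RA header."""
    if len(icmp) < 16 or icmp[0] != ICMPV6_RA:
        raise ValueError("not an ICMPv6 Router Advertisement")
    pos = 16
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1]
        if opt_len == 0:  # RFC 4861 requires receivers to discard such packets
            raise ValueError("zero-length ND option")
        end = pos + opt_len * 8
        yield opt_type, icmp[pos + 2:end]
        pos = end


def rdnss_servers(icmp: bytes):
    """Return every resolver address carried in RDNSS options of the RA."""
    servers = []
    for opt_type, data in parse_ra_options(icmp):
        if opt_type != OPT_RDNSS:
            continue
        body = data[6:]  # skip 2 reserved bytes + 4-byte lifetime
        for i in range(0, len(body) - len(body) % 16, 16):
            servers.append(ipaddress.IPv6Address(body[i:i + 16]))
    return servers


def rogue_dns(icmp: bytes, expected=EXPECTED_DNS):
    """Advertised resolvers outside the allowlist: the trace a spoofed RA leaves on the wire."""
    return [s for s in rdnss_servers(icmp) if s not in expected]


def build_ra(dns_servers, lifetime=1800):
    """Constructed sample RA for offline testing (checksum left as zero)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, lifetime, 0, 0)
    opt = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns_servers), 0, lifetime)
    opt += b"".join(ipaddress.IPv6Address(s).packed for s in dns_servers)
    return hdr + opt
```

Fed with RA frames captured from a monitor port, an alert on a non-empty `rogue_dns` result catches the unsolicited advertisement itself, which is earlier in the chain than the hijacked update download it enables.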
The group’s infrastructure also delivers DarkNights (also known as DarkNimbus) to Android devices, indicating a multi-platform targeting strategy. ESET telemetry reveals that TheWizards primarily focuses on gambling companies, individuals, and unspecified entities in the Philippines, Cambodia, the United Arab Emirates, mainland China, and Hong Kong. The group’s operations are linked to Sichuan Dianke Network Security Technology (UPSEC), a Chinese company identified by NCSC UK as a supplier of the DarkNights backdoor, which also targets Tibetan and Uyghur communities.
Who is TheWizards?
TheWizards, a China-aligned advanced persistent threat (APT) group, has been active since at least 2022, targeting entities across Asia and the Middle East. The group’s sophisticated techniques focus on exploiting trusted software update channels to deliver malware, demonstrating a high level of technical proficiency. By leveraging IPv6 network configurations, TheWizards intercepts traffic to deploy WizardNet, a versatile backdoor that supports modular execution, and DarkNights, a mobile malware targeting Android devices. Their campaigns primarily affect gambling companies and individuals in the Philippines, Cambodia, UAE, mainland China, and Hong Kong. The group’s connection to UPSEC, a CCP-associated entity, suggests state-backed motives, potentially tied to intelligence gathering or geopolitical objectives.
IOCs
PolySwarm has a sample associated with this activity.
5dc7b4a618076662b5993b392eb0e402b9f6c27f88b6561791475dc1069c318e
You can use the following CLI command to search for all related samples in our portal:
$ polyswarm link list -f Spellbinder