Full Report
A China-aligned advanced persistent threat (APT) group called TheWizards has been linked to a lateral movement tool called Spellbinder that can facilitate adversary-in-the-middle (AitM) attacks. "Spellbinder enables adversary-in-the-middle (AitM) attacks, through IPv6 stateless address autoconfiguration (SLAAC) spoofing, to move laterally in the compromised network, intercepting packets and
Analysis Summary
# Threat Actor: TheWizards
## Attribution & Identity
* **Attribution:** China-aligned Advanced Persistent Threat (APT) group.
* **Known Aliases/Associations:** Potentially associated with infrastructure supplied by Sichuan Dianke Network Security Technology Co., Ltd. (UPSEC), which also supplies malware attributed to Earth Minotaur, though TheWizards is treated as an independent operator.
## Activity Summary
TheWizards has been active since at least 2022, utilizing novel techniques for lateral movement and supply chain compromise, specifically targeting the software update mechanisms of legitimate Chinese applications. A key observed activity in 2024 involved hijacking the DNS resolution process for Tencent QQ to deliver a trojanized update deploying the WizardNet backdoor.
## Tactics, Techniques & Procedures
* **Lateral Movement/AitM:** Utilizing the custom tool **Spellbinder** to facilitate Adversary-in-the-Middle (AitM) attacks via IPv6 Stateless Address Autoconfiguration (SLAAC) spoofing for lateral movement.
* **DNS Hijacking:** Intercepting DNS queries for legitimate software update domains (e.g., `update.browser.qq[.]com`) and returning attacker-controlled IP addresses (e.g., `43.155.62[.]54`).
* **Supply Chain Compromise:** Hijacking software update mechanisms (e.g., Sogou Pinyin and Tencent QQ) to deliver malicious payloads or trojanized updates.
* **Initial Execution Chain (Observed):** Delivery of a ZIP archive containing `AVGApplicationFrameHost.exe`, `wsc.dll`, `log.dat`, and `winpcap.exe`. The actor abuses the legitimate `AVGApplicationFrameHost.exe` to sideload `wsc.dll`, which executes shellcode from `log.dat` in memory to launch Spellbinder.
* **Packet Interaction:** Spellbinder uses the WinPcap library to capture and reply to network packets, leveraging ICMPv6 Router Advertisement (RA) messages to redirect default gateway traffic.
* **Payload Delivery:** Deploying the **WizardNet** modular backdoor (for Windows) or **DarkNights** (for Android devices).
## Targeting
* **Sectors:** Gambling.
* **Geography:** Cambodia, Hong Kong, Mainland China, the Philippines, and the United Arab Emirates.
* **Victims:** Individuals and organizations within targeted sectors; specific software update mechanisms for Sogou Pinyin and Tencent QQ have been exploited.
## Tools & Infrastructure
* **Malware Families Used:**
  * **Spellbinder:** IPv6 SLAAC spoofing/AitM tool.
  * **WizardNet:** Modular backdoor for Windows, capable of receiving and executing .NET payloads.
  * **DarkNights (aka DarkNimbus):** Malware deployed to Android devices via the hijacking server (Trend Micro attribution).
* **Infrastructure:**
  * **IP:** `43.155.62[.]54` (observed serving malicious QQ updates).
  * **Source/Quartermaster:** Sichuan Dianke Network Security Technology Co., Ltd. (UPSEC), implicated in supplying DarkNights/DarkNimbus.
## Implications
TheWizards poses a significant threat due to its sophisticated use of IPv6 protocols (SLAAC spoofing) for stealthy lateral movement and AitM attacks, effectively subverting trusted software update mechanisms via DNS manipulation. This method bypasses standard perimeter defenses by compromising the trust chain between a user, their device, and a legitimate service provider.
## Mitigations
* **Secure IPv6 Configuration:** Implement security measures for the Neighbor Discovery Protocol (NDP), such as RA Guard on access switches, and restrict or monitor SLAAC configurations, since rogue Router Advertisements are central to this actor's lateral movement.
* **Software Update Integrity:** Implement strict validation and integrity checks for all software updates, preferably via cryptographic signing verification rather than relying solely on DNS resolution.
* **DNS Security:** Employ DNS Security Extensions (DNSSEC) where possible, and monitor for anomalous DNS responses, especially those directing traffic for known update domains to unexpected IPs.
* **Network Monitoring:** Monitor for WinPcap usage or processes capturing or manipulating raw network packets on internal workstations for signs of Spellbinder activity.
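The Packet Interaction technique above (rogue ICMPv6 Router Advertisements) and the IPv6 and network-monitoring mitigations both come down to noticing RAs from hosts that are not the legitimate router. The following detector is an added example, not code from the report or from any vendor: it parses raw Ethernet/IPv6/ICMPv6 frames, flags RAs whose sender MAC is outside a trusted-router allowlist, and extracts any RDNSS option (RFC 8106), the RA option that can hand a host a DNS server address. The trusted MAC, the sample frames and the DNS server address are constructed for the example.

```python
import ipaddress
import struct

ICMPV6_RA, OPT_RDNSS = 134, 25  # RA message type; RDNSS option (RFC 8106) can push a DNS server

def parse_ra(frame):
    """Parse an Ethernet/IPv6/ICMPv6 frame; return a dict for a Router Advertisement, else None."""
    if len(frame) < 70 or frame[12:14] != b"\x86\xdd" or frame[20] != 58:
        return None  # too short, not IPv6, or not ICMPv6 (next header 58)
    icmp = frame[54:]  # skip 14-byte Ethernet and 40-byte IPv6 headers
    if icmp[0] != ICMPV6_RA:
        return None
    ra = {"src_mac": frame[6:12].hex(":"), "lifetime": struct.unpack("!H", icmp[6:8])[0], "rdnss": []}
    off = 16  # options follow the fixed 16-byte RA header
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1]  # length is in 8-octet units
        if opt_len == 0:
            return None  # RFC 4861: zero-length option, discard the packet
        if opt_type == OPT_RDNSS:  # reserved(2) + lifetime(4), then 16-byte addresses
            addrs = icmp[off + 8: off + opt_len * 8]
            ra["rdnss"] += [str(ipaddress.IPv6Address(addrs[i:i + 16])) for i in range(0, len(addrs) - 15, 16)]
        off += opt_len * 8
    return ra

def find_rogue_ras(frames, trusted_router_macs):
    """Return one alert string per RA whose sender MAC is not a known router."""
    alerts = []
    for ra in filter(None, map(parse_ra, frames)):
        if ra["src_mac"] not in trusted_router_macs:
            alerts.append(f"rogue RA from {ra['src_mac']} lifetime={ra['lifetime']}s rdnss={ra['rdnss']}")
    return alerts

def build_ra_frame(src_mac, rdnss=()):
    """Construct a test RA frame (checksum left zero; fe80::1 -> ff02::1, all-nodes multicast)."""
    icmp = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)
    if rdnss:
        packed = b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
        icmp += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, 1800) + packed
    ipv6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, 255)
    ipv6 += ipaddress.IPv6Address("fe80::1").packed + ipaddress.IPv6Address("ff02::1").packed
    return bytes.fromhex("333300000001") + src_mac + b"\x86\xdd" + ipv6 + icmp

# Constructed sample: one RA from the legitimate router, one from an unknown host that also pushes a DNS server.
TRUSTED_ROUTERS = {"00:11:22:33:44:55"}
SAMPLE_FRAMES = [build_ra_frame(bytes.fromhex("001122334455")),
                 build_ra_frame(bytes.fromhex("deadbeef0001"), ["fd00::53"])]

if __name__ == "__main__":
    for alert in find_rogue_ras(SAMPLE_FRAMES, TRUSTED_ROUTERS):
        print(alert)
```

In production the frames would come from a span port or a capture library rather than `build_ra_frame`; the allowlist check and the RDNSS extraction are what matter.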