Full Report
A China-aligned APT threat actor named "TheWizards" abuses an IPv6 networking feature to launch adversary-in-the-middle (AitM) attacks that hijack software updates to install Windows malware. [...]
Analysis Summary
# Threat Actor: Unknown (Exploiting IPv6 Feature)
## Attribution & Identity
The specific threat actor group responsible for the described campaign is **not explicitly named** in the provided text; however, the methodology is described in correlation with research by ESET, which also reported on a group named **Blackwood** in a separate incident, distinct from this IPv6 abuse campaign.
Known aliases and associated groups:
* **Blackwood:** Mentioned in connection with a separate incident hijacking WPS Office updates.
## Activity Summary
The described campaign involves exploiting a networking feature within IPv6 to hijack legitimate software updates. The attackers deploy a tool known as **Spellbinder** which forces nearby machines to reroute their IPv6 traffic through attacker-controlled infrastructure, allowing for the interception and redirection of update requests. This ultimately leads to the deployment of a backdoor named "WizardNet."
Initial deployment seems to involve dropping an archive named `AVGApplicationFrameHostS.zip` into a directory mimicking AVG Technologies software: `%PROGRAMFILES%\AVG Technologies`.
## Tactics, Techniques & Procedures
- **Misconfiguration/Abuse of Native Features:** Abusing IPv6 Stateless Address Autoconfiguration (SLAAC) via Router Advertisement (RA) messages.
- **Traffic Redirection:** Sending spoofed multicast RA messages (to `ff02::1`) to trick systems into accepting a malicious IPv6 default gateway address.
- **Binary Side-Loading:** Using a legitimate executable (`winpcap.exe`) to side-load a malicious DLL (`wsc.dll`) which then loads the primary tool into memory.
- **Update Hijacking/Substitution:** Intercepting traffic destined for legitimate software update servers and redirecting the download request to malicious infrastructure to install malware.
No specific MITRE ATT&CK IDs were provided in the text.
## Targeting
- Sectors: Not specified; the exposed population is any organization whose systems use IPv6 and run software from the targeted vendors (implied: general users of that software).
- Geography: Not specified, but the targeting of specific Chinese software update servers (Tencent, Baidu, etc.) suggests either a focus on environments where these services are prevalent or an attempt to reach global users of these services.
- Victims: Systems with IPv6 enabled utilizing SLAAC. Specific organizations are not named as confirmed victims of this *specific* attack, though the malware monitors traffic for connections to domains belonging to several major Chinese tech companies.
## Tools & Infrastructure
- **Malware Families Used:**
  - **Spellbinder:** The primary tool used to send spoofed RA messages and hijack traffic.
  - **WizardNet:** A backdoor deployed after the update hijacking process is successful, granting persistent access.
- **Infrastructure (C2, domains, IPs):**
  - The tool redirects update requests to download malicious updates. Specific C2 domains/IPs were not disclosed, though monitored domains include those belonging to: Tencent, Baidu, Xunlei, Youku, iQIYI, Kingsoft, Mango TV, Funshion, Youdao, Xiaomi, Xiaomi MIUI, PPLive, Meitu, Qihoo 360, and Baofeng.
- **Infection Artifacts:**
  - Archive: `AVGApplicationFrameHostS.zip`
  - Extracted components: `AVGApplicationFrameHost.exe`, `wsc.dll`, `log.dat`, and a legitimate `winpcap.exe`.
## Implications
This attack represents a sophisticated network-layer pivot, bypassing application-layer controls by manipulating the fundamental mechanisms of IPv6 network configuration (SLAAC). The result is persistent access via the WizardNet backdoor, raising concerns about supply chain compromise relating to software updates and deep network infiltration capabilities.
## Mitigations
- Monitor IPv6 traffic for anomalous Router Advertisement (RA) messages.
- Disable the IPv6 protocol entirely in environments where it is not strictly required for business operations, as this negates the primary attack vector.
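The first mitigation, monitoring for anomalous RA messages, can be implemented as a small parser plus an allowlist check. The following is an added example, not code from the article or from ESET's research; the router MAC in `KNOWN_ROUTER_MACS` and the two sample packets are constructed for the demonstration, and the ICMPv6 checksum is left as zero because the parser does not validate it.

```python
import struct
import ipaddress
from typing import Optional

# Assumed inventory of legitimate routers on the segment; replace with your own.
KNOWN_ROUTER_MACS = {"00:11:22:33:44:55"}

def parse_ra(payload: bytes) -> Optional[dict]:
    """Parse an ICMPv6 Router Advertisement (RFC 4861); None if the bytes are not an RA."""
    if len(payload) < 16 or payload[0] != 134 or payload[1] != 0:
        return None
    lifetime = struct.unpack("!H", payload[6:8])[0]  # >0 means "use me as default gateway"
    ra = {"router_lifetime": lifetime, "src_mac": None, "prefixes": [], "rdnss": []}
    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1] * 8
        if olen == 0 or off + olen > len(payload):
            break  # malformed option length: stop rather than loop forever
        body = payload[off + 2:off + olen]
        if otype == 1 and len(body) >= 6:      # source link-layer address
            ra["src_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == 3 and len(body) >= 30:   # prefix information (SLAAC prefix)
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif otype == 25 and len(body) >= 22:  # RDNSS (RFC 8106): DNS servers pushed by the router
            for i in range(6, len(body) - 15, 16):
                ra["rdnss"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += olen
    return ra

def check_ra(src_ip: str, payload: bytes) -> list:
    """Alerts for an RA whose sender is not in the router allowlist."""
    ra = parse_ra(payload)
    if ra is None or ra["src_mac"] in KNOWN_ROUTER_MACS:
        return []
    who = f"{ra['src_mac'] or 'unknown MAC'} ({src_ip})"
    alerts = []
    if ra["router_lifetime"] > 0:
        alerts.append(f"{who} claims to be a default gateway (lifetime {ra['router_lifetime']}s)")
    if ra["prefixes"]:
        alerts.append(f"{who} advertises SLAAC prefixes {ra['prefixes']}")
    if ra["rdnss"]:
        alerts.append(f"{who} pushes DNS servers {ra['rdnss']}")
    return alerts

def build_ra(lifetime: int, mac_hex: str, dns_hex: str = "") -> bytes:
    """Constructed sample RA for testing (checksum field left as zero)."""
    pkt = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, lifetime, 0, 0) + bytes([1, 1]) + bytes.fromhex(mac_hex)
    if dns_hex:
        pkt += bytes([25, 3, 0, 0]) + struct.pack("!I", 1800) + bytes.fromhex(dns_hex)
    return pkt

# Constructed samples: the legitimate router, and a rogue host announcing itself as gateway and DNS.
LEGIT_RA = build_ra(1800, "001122334455")
ROGUE_RA = build_ra(65535, "aabbccddeeff", "fd00" + "00" * 12 + "0053")
```

In a deployment the payloads would come from a capture filter on ICMPv6 type 134 to `ff02::1`, and any non-empty alert list is worth an incident ticket.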