Cybersecurity firm ESET Research recently disclosed a cyberattack campaign targeting Asia and the Middle East, carried out by a China-aligned threat group named TheWizards.
The researchers focused on the group's malicious tool, Spellbinder, which performs man-in-the-middle attacks by spoofing IPv6 Stateless Address Autoconfiguration (SLAAC) and is capable of hijacking legitimate software update processes.
According to ESET researcher Facundo Muñoz, Spellbinder was first discovered in 2022, and updated versions appeared between 2023 and 2024. The tool intercepts network packets and redirects update requests from legitimate Chinese software to malicious servers, tricking the target system into downloading and executing malicious components. The final payload is a modular backdoor named WizardNet, which connects to a remote command-and-control server and receives and executes .NET modules as commands.
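A defender-side illustration of the technique described above, written as an added example (not ESET's code or anything from the report): it audits IPv6 Router Advertisements seen on a segment and flags any host that is not the expected router yet offers itself as a default gateway or re-advertises the legitimate prefix, which is the footprint a SLAAC-spoofing man-in-the-middle leaves. The check on advertised DNS servers (RDNSS) is an assumption of this example, not something the page states, and all sample RAs are constructed.

```python
# Added example: flag IPv6 Router Advertisements (RAs) that do not come from the
# trusted router. Sample data below is constructed, not captured from a real network.
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class RouterAdvertisement:
    src_mac: str            # link-layer source of the ICMPv6 RA
    src_ip: str             # link-local source address of the RA
    prefixes: List[str]     # Prefix Information options carried in the RA
    rdnss: List[str]        # Recursive DNS Server options (RFC 8106), if any
    router_lifetime: int    # 0 means "do not use me as a default router"


def audit_ras(ras: List[RouterAdvertisement],
              trusted_macs: Set[str],
              trusted_dns: Set[str]) -> List[Tuple[str, str]]:
    """Return (reason, src_mac) findings for RAs that look like SLAAC spoofing."""
    findings: List[Tuple[str, str]] = []
    # Learn which prefixes the legitimate router(s) announce.
    trusted_prefixes: Set[str] = set()
    for ra in ras:
        if ra.src_mac in trusted_macs:
            trusted_prefixes.update(ra.prefixes)
    for ra in ras:
        if ra.src_mac not in trusted_macs:
            if ra.router_lifetime > 0:
                findings.append(("untrusted host offering itself as default router", ra.src_mac))
            if set(ra.prefixes) & trusted_prefixes:
                findings.append(("untrusted host re-advertising the legitimate prefix", ra.src_mac))
        # Assumed check: any RA pushing a DNS server we do not recognise is suspicious.
        bad_dns = [d for d in ra.rdnss if d not in trusted_dns]
        if bad_dns:
            findings.append((f"unexpected DNS servers advertised: {','.join(bad_dns)}", ra.src_mac))
    return findings


# Constructed sample: one legitimate router and one host sending spoofed RAs.
SAMPLE_RAS = [
    RouterAdvertisement("00:11:22:33:44:55", "fe80::1", ["2001:db8:1::/64"], ["2001:db8::53"], 1800),
    RouterAdvertisement("de:ad:be:ef:00:01", "fe80::dead", ["2001:db8:1::/64"], ["2001:db8:bad::53"], 1800),
]
TRUSTED_MACS = {"00:11:22:33:44:55"}
TRUSTED_DNS = {"2001:db8::53"}

if __name__ == "__main__":
    for reason, mac in audit_ras(SAMPLE_RAS, TRUSTED_MACS, TRUSTED_DNS):
        print(f"[ALERT] {mac}: {reason}")
```

In practice the RA records would be fed from a packet capture or an RA-monitoring daemon on the segment; the audit logic stays the same.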
ESET highlighted a 2024 case in which the update process of Tencent's QQ software was hijacked. The researchers found that the server distributing the malicious updates was still active. The latest version of WizardNet supports five commands, three of which let attackers execute .NET modules directly in the memory of the infected system, expanding their control over it.
TheWizards has been active since at least 2022, targeting individuals, gambling companies, and other entities in the Philippines, Cambodia, the UAE, and elsewhere. Notably, the group has possible links to the Chinese cybersecurity company UPSEC (United Power Security Technology Co., Ltd.), which previously developed the DarkNights backdoor (also known as DarkNimbus), used mainly against Tibetan and Uyghur groups, and which has come under scrutiny from the UK's National Cyber Security Centre (NCSC UK).
Although TheWizards deploys the WizardNet backdoor rather than DarkNights, the researchers found that its hijacking servers are configured identically to those used for DarkNights, with both used to hijack application updates on Android devices. This finding further strengthens the suspected connection between the two groups.
The research reveals a new supply-chain attack method and highlights the security risks of IPv6 mechanisms such as SLAAC when they go unmonitored. Cybersecurity experts recommend that enterprises strengthen verification of software updates and closely monitor abnormal network activity to guard against such advanced threats.