TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks

TheWizards, a China-aligned APT group, employs Spellbinder, a lateral movement tool for adversary-in-the-middle attacks through IPv6 SLAAC spoofing. This technique allows them to intercept network traffic and redirect legitimate Chinese software updates to malicious servers. The group targets individuals, gambling companies, and entities in Southeast Asia, the UAE, China, and Hong Kong. Their malware chain includes the WizardNet backdoor and utilizes DNS hijacking to deliver malicious updates. Evidence links TheWizards to Sichuan Dianke Network Security Technology Co., Ltd. (UPSEC), suggesting it may be a digital quartermaster for this APT group. The attackers use sophisticated tools and techniques to evade detection and maintain persistence on compromised systems.

Author: AlienVault

Related Tags:
spellbinder
wizardnet
software update hijacking
lateral movement
China
Philippines
Cambodia
Hong Kong
United Arab Emirates

Associated Indicators:
9784A1483B4586EB12D86E549D39CA4BB63871B8
1A8147050AF6F05DEA5FBCA1AE1FF2FFD2B68F9C
DA867188937698C7769861C72F5490CB9C3D4F63
0CBA19B19DF9E2C5EBE55D9DE377D26A1A51B70A
4DB38A097AE4D5E70B2F51A8EE13B0C1EE01A2A1
76953E949AC54BE8FF3A68794EF1419E9EF9AFCB
DA73153C76B6F652F9B2847531D1C367
186CFFF47BA0A69AD79D46D9C187AA04
mkdmcdn.com