Chinese APT’s Adversary-in-the-Middle Tool Dissected

Cybersecurity firm ESET has dissected a tool used by a Chinese APT tracked as TheWizards to conduct adversary-in-the-middle (AitM) attacks and deploy a backdoor.

The tool, dubbed Spellbinder, enables AitM attacks and lateral movement in the compromised network. It relies on IPv6 stateless address auto-configuration (SLAAC) spoofing, intercepting packets and redirecting the traffic of various Chinese applications in order to download malicious updates from a server controlled by the attackers.

By hijacking the application’s server communication, TheWizards dropped a downloader that fetched and deployed a modular backdoor dubbed WizardNet, ESET explains.

Linked to Dianke Network Security Technology, a Chinese company also known as UPSEC, and active since at least 2022, TheWizards was seen targeting individuals and organizations in Cambodia, China, Hong Kong, the Philippines, and the United Arab Emirates.

The APT was seen deploying Spellbinder on compromised machines to capture network packets and reply to them, using the WinPcap ...