TheWizards Deploy ‘Spellbinder Hacking Tool’ for Global Adversary-in-the-Middle Attack
ESET researchers have uncovered sophisticated attack techniques employed by a China-aligned threat actor dubbed “TheWizards,” which has been actively targeting entities across Asia and the Middle East since 2022.
The group employs a custom lateral movement tool called Spellbinder that performs adversary-in-the-middle (AitM) attacks using IPv6 SLAAC spoofing: it sends forged ICMPv6 Router Advertisements on the local network segment so that neighbouring hosts autoconfigure the attacker's machine as their router and DNS source, which lets the attackers redirect legitimate software update traffic to malicious servers.
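Because SLAAC spoofing rides on ordinary Router Advertisements, the practical detection is to compare every RA seen on a segment against the routers and DNS servers that are supposed to be there. The block below is an added example written for this page, not code from ESET or from the Spellbinder tool: it builds a few constructed raw IPv6 Router Advertisement packets (a legitimate one and a rogue one using documentation prefixes), parses the Source Link-Layer, Prefix Information and RDNSS options, and flags RAs whose source is not an allow-listed router or that advertise an untrusted DNS server. The allow-lists, MAC addresses and prefixes are assumptions for the example; the ICMPv6 checksum is not validated.

```python
import ipaddress
import struct

# ICMPv6 / RFC 4861 and RFC 8106 constants
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LINK_LAYER = 1
OPT_PREFIX_INFORMATION = 3
OPT_RDNSS = 25
ALL_NODES_MULTICAST = ipaddress.IPv6Address("ff02::1")


def build_ra(src, src_mac, prefix, rdnss=(), router_lifetime=1800, hop_limit=255):
    """Build a raw IPv6 + ICMPv6 Router Advertisement (constructed sample input only).
    The ICMPv6 checksum is left at zero; the detector below does not verify it."""
    options = bytearray()
    options += struct.pack("!BB", OPT_SOURCE_LINK_LAYER, 1) + src_mac
    net = ipaddress.IPv6Network(prefix)
    # Prefix Information: prefixlen, flags (L|A), valid, preferred, reserved, prefix
    options += struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, 0xC0,
                           2592000, 604800, 0) + net.network_address.packed
    if rdnss:
        options += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, router_lifetime)
        for addr in rdnss:
            options += ipaddress.IPv6Address(addr).packed
    # RA header: type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    icmp = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0,
                       router_lifetime, 0, 0) + bytes(options)
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, hop_limit)
    ip6 += ipaddress.IPv6Address(src).packed + ALL_NODES_MULTICAST.packed
    return ip6 + icmp


def parse_ra(pkt):
    """Parse a raw IPv6 packet; return a dict for Router Advertisements, else None."""
    if len(pkt) < 56 or pkt[0] >> 4 != 6 or pkt[6] != 58:
        return None
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    icmp = pkt[40:40 + payload_len]
    if icmp[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return None
    ra = {
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
        "hop_limit": pkt[7],
        "router_lifetime": struct.unpack("!H", icmp[6:8])[0],
        "src_mac": None, "prefixes": [], "dns": [],
    }
    off = 16  # fixed RA header length
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:  # RFC 4861: zero-length option is invalid, stop parsing
            break
        body = icmp[off + 2:off + olen * 8]
        if otype == OPT_SOURCE_LINK_LAYER:
            ra["src_mac"] = body[:6].hex(":")
        elif otype == OPT_PREFIX_INFORMATION and olen == 4:
            ra["prefixes"].append(ipaddress.IPv6Network((body[14:30], body[0]), strict=False))
        elif otype == OPT_RDNSS:
            for i in range(6, len(body) - 15, 16):  # skip reserved(2) + lifetime(4)
                ra["dns"].append(ipaddress.IPv6Address(body[i:i + 16]))
        off += olen * 8
    return ra


def detect_rogue_ras(packets, trusted_routers, trusted_dns):
    """Flag RAs not sent by a known router, or that hand out an unexpected DNS server."""
    trusted_routers = {ipaddress.IPv6Address(a) for a in trusted_routers}
    trusted_dns = {ipaddress.IPv6Address(a) for a in trusted_dns}
    findings = []
    for pkt in packets:
        ra = parse_ra(pkt)
        if ra is None:
            continue
        reasons = []
        if ra["hop_limit"] != 255:
            reasons.append("hop limit != 255 (RFC 4861 requires on-link origin)")
        if not ra["src"].is_link_local:
            reasons.append("source address is not link-local")
        if ra["src"] not in trusted_routers:
            reasons.append("unknown router %s" % ra["src"])
        rogue_dns = [d for d in ra["dns"] if d not in trusted_dns]
        if rogue_dns:
            reasons.append("RDNSS advertises untrusted DNS %s" % ", ".join(map(str, rogue_dns)))
        if reasons:
            findings.append({"src": str(ra["src"]), "src_mac": ra["src_mac"], "reasons": reasons})
    return findings


# Constructed sample traffic (assumed allow-lists; documentation prefixes only)
TRUSTED_ROUTERS = {"fe80::1"}
TRUSTED_DNS = {"2001:db8:0:1::53"}
SAMPLE_PACKETS = [
    build_ra("fe80::1", bytes.fromhex("001122334455"), "2001:db8:0:1::/64",
             rdnss=["2001:db8:0:1::53"]),
    build_ra("fe80::dead:beef", bytes.fromhex("0a0b0c0d0e0f"), "2001:db8:bad::/64",
             rdnss=["2001:db8:bad::53"]),
]

if __name__ == "__main__":
    for finding in detect_rogue_ras(SAMPLE_PACKETS, TRUSTED_ROUTERS, TRUSTED_DNS):
        print(finding)
```

Fed from a capture of ff02::1 traffic (for example via a raw socket or a pcap reader), the same logic gives a SOC a rogue-RA alert within one advertisement interval. On the prevention side, RA Guard (RFC 6105) on access switches, or disabling IPv6 on segments where it is genuinely unused, removes the hosts' willingness to accept a forged advertisement in the first place.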
China-aligned APT Group’s Sophisticated Attack Infrastructure
TheWizards has developed a comprehensive attack strategy focused primarily on victims in the Philippines, Cambodia, United Arab Emirates, mainland China, and Hong Kong.
According to ESET telemetry, the group targets individuals, gambling companies, and various organizations across these regions.

Their attack infrastructure involves deploying Spellbinder on compromised networks to intercept traffic and redirect update protocols from legitimate Chinese software to attacker-controlled servers.
The attackers then deliver WizardNet, their signature backdoor, which functions as a modular implant ...
Copyright of this story solely belongs to gbhackers.