Exploring 'TheWizards' Use of SLAAC Spoofing for Targeted Attacks

Summary
CRIL came across a blog published by ESET detailing an investigation into a threat actor named TheWizards, a group aligned with China. TheWizards employs a tool known as Spellbinder for adversary-in-the-middle (AitM) attacks. The attacks exploit IPv6 SLAAC spoofing to intercept and redirect network traffic, allowing the deployment of a modular backdoor named WizardNet through malicious updates of legitimate Chinese software, including the widely used Sogou Pinyin.
The telemetry shows that targets include individuals, gambling platforms, and unidentified entities across regions such as the Philippines, Cambodia, UAE, mainland China, and Hong Kong. This campaign highlights the persistent threat of supply chain compromise and AitM techniques in modern cyber-espionage operations.
Technical Analysis
Spellbinder is a malware tool used by the threat group TheWizards to perform adversary-in-the-middle (AitM) attacks inside compromised networks. It uses a technique called IPv6 SLAAC spoofing to intercept and redirect traffic, mainly targeting users of popular Chinese software.
How It's Deployed:
Once attackers access a machine, they deploy a ZIP file that extracts to a folder named AVG software. It includes:
● A renamed legitimate AVG program (AVGApplicationFrameHost.exe) used to load malicious code.
● A DLL (wsc.dll) that reads and runs shellcode from a file called log.dat.
● A packet capture tool (winpcap.exe), which helps intercept network traffic.
How Spellbinder Works:
After being loaded into memory:
● Spellbinder selects a network adapter and starts capturing traffic.
● It sends fake ICMPv6 Router Advertisement messages every 200 milliseconds to make other devices on the network think it is the default gateway.
● This tricks nearby machines with IPv6 enabled into sending their internet traffic through the infected computer.
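The behaviour described above, a host posing as the default gateway by sending Router Advertisements every 200 milliseconds, is something a network monitor can key on. The following Python is an added example written for this summary, not code from ESET or CRIL: it parses constructed ICMPv6 Router Advertisement messages and flags any advertiser that is not on an allowlist of known router MAC addresses, or that advertises faster than RFC 4861 allows. The MAC addresses, prefixes and sample packets are all constructed.

```python
import struct
from collections import defaultdict
from ipaddress import IPv6Address

ICMPV6_RA, OPT_SRC_LLADDR, OPT_PREFIX_INFO = 134, 1, 3
MIN_DELAY_BETWEEN_RAS = 3.0  # seconds; RFC 4861 minimum spacing for a router's unsolicited RAs

def parse_ra(msg: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (IPv6 header already stripped)."""
    if len(msg) < 16 or msg[0] != ICMPV6_RA:
        raise ValueError("not an ICMPv6 Router Advertisement")
    ra = {"router_lifetime": struct.unpack("!H", msg[6:8])[0], "src_mac": None, "prefixes": []}
    off = 16
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1] * 8  # option length is in units of 8 octets
        if olen == 0 or off + olen > len(msg):
            raise ValueError("malformed RA option")
        body = msg[off + 2:off + olen]
        if otype == OPT_SRC_LLADDR and len(body) >= 6:
            ra["src_mac"] = body[:6].hex(":")
        elif otype == OPT_PREFIX_INFO and olen == 32:  # prefix length at body[0], prefix at body[14:30]
            ra["prefixes"].append(f"{IPv6Address(body[14:30]).compressed}/{body[0]}")
        off += olen
    return ra

def detect_rogue_ra(events, trusted_macs):
    """events: iterable of (timestamp_s, icmpv6_msg). Returns {src_mac: set of findings}."""
    findings, last_seen = defaultdict(set), {}
    for ts, msg in sorted(events, key=lambda e: e[0]):
        ra = parse_ra(msg)
        mac = ra["src_mac"] or "unknown"
        if mac not in trusted_macs:  # a host claiming to be a router that is not on the allowlist
            findings[mac].add("untrusted-router")
        if ts - last_seen.get(mac, float("-inf")) < MIN_DELAY_BETWEEN_RAS:  # Spellbinder: every 200 ms
            findings[mac].add("ra-flood")
        last_seen[mac] = ts
    return dict(findings)

def build_ra(src_mac: bytes, prefix: IPv6Address, plen: int = 64, lifetime: int = 1800) -> bytes:
    """Constructed sample RA with source link-layer and prefix-information options (checksum left 0)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, lifetime, 0, 0)
    lladdr = bytes([OPT_SRC_LLADDR, 1]) + src_mac
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0) + prefix.packed
    return hdr + lladdr + pio

LEGIT_MAC, ROGUE_MAC = bytes.fromhex("001122334455"), bytes.fromhex("0a0b0c0d0e0f")
SAMPLE_EVENTS = (  # constructed capture: the real router advertises every 200 s, the rogue host every 0.2 s
    [(t * 200.0, build_ra(LEGIT_MAC, IPv6Address("2001:db8:1::"))) for t in range(2)]
    + [(100.0 + i * 0.2, build_ra(ROGUE_MAC, IPv6Address("2001:db8:bad::"))) for i in range(5)]
)
```

Running detect_rogue_ra(SAMPLE_EVENTS, {"00:11:22:33:44:55"}) reports only the rogue MAC, with both the untrusted-router and ra-flood findings; the legitimate router produces no alert.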
DNS Hijacking and Packet Handling:
Spellbinder looks for DNS queries to well-known Chinese services (like Tencent, Xiaomi, Baidu) and responds with fake IP addresses controlled by the attacker. This allows them to redirect update traffic and deliver malware. It also handles other network protocols like ARP and DHCPv6 to maintain control of traffic flow.
Figure 2 - Illustration of the SLAAC attack carried out by Spellbinder (source: welivesecurity)
In 2024, attackers used Spellbinder to hijack updates from Tencent’s QQ software. The malware intercepts DNS requests to QQ update domains and responds with fake IP addresses, redirecting traffic to attacker-controlled servers. These servers then send fake update instructions, prompting QQ to download a malicious archive containing a downloader DLL (minibrowser_shell.dll).
Payload Execution and Loader Functionality
The malicious DLL only activates if the current process name includes “QQ”. Once active, it connects to the attacker's server, downloads an encrypted blob, and loads shellcode that includes:
● AMSI bypass (to avoid Windows security scanning),
● ETW patching (to disable event logging),
● Initialization of the .NET runtime, which is used to execute the final payload in memory.
WizardNet Backdoor
The core payload, WizardNet, is a modular .NET backdoor. It creates a mutex based on the machine’s name, reads additional shellcode from a file or registry, and injects itself into processes like explorer.exe or ImagingDevices.exe. It also generates a unique SessionKey using the computer name, installation time, and disk serial number.
Figure 3 - Compromise chain (source: welivesecurity)
Communication and Capabilities
WizardNet connects to a C2 server using AES-ECB encryption with a SessionKey and random IV. It supports commands to load, invoke, and unload .NET modules in memory while remaining stealthy. It also collects system info (OS, IP, privileges, processes) and scans for antivirus software like AVP, 360tray, and MyShield.
| Command ID | Task |
|---|---|
| 0x56 | Load a .NET module into memory. |
| 0x57 | Invoke a function from a loaded .NET module. |
| 0x58 | Unload a module loaded with command 0x56. |
| 0x59 | Unload a Client plugin assembly and clean up. |
| 0x5A | Send system and orchestrator information, including machine name, OS, privileges, process names, and security solutions. |
Android Component – DarkNights
The attacker infrastructure also targets Android devices by hijacking Tencent QQ updates, redirecting them to download a malicious plugin. This plugin contains a DEX payload, DarkNights (aka DarkNimbus), a mobile implant linked to UPSEC.
Attribution and Threat Actor Links
While tools like DarkNights are shared across groups, TheWizards stands out by using Spellbinder and WizardNet, targeting different victims than groups like Earth Minotaur. The overlap in tools suggests UPSEC may supply malware to multiple Chinese APT groups, but the infrastructure and targets indicate TheWizards is a distinct entity.
Recommendations
Isolate critical systems from less secure ones and monitor network traffic for unusual activity. This helps detect adversary-in-the-middle attacks and prevent lateral movement.
Ensure all software, especially security tools and update mechanisms, is kept up to date to close any vulnerabilities that attackers could exploit.
Employ DNS filtering solutions to block known malicious domains and implement DNS over HTTPS (DoH) or DNS over TLS (DoT) to encrypt DNS queries, reducing the risk of hijacking.
Conclusion
Researchers discovered a China-aligned APT group called TheWizards and analyzed their custom tools. One of these tools, Spellbinder, is an IPv6 AitM tool that redirects legitimate Chinese software updates to malicious servers. This allows attackers to trick victims into downloading and executing fake updates, ultimately deploying the WizardNet backdoor on compromised machines.