TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks
Essential information
- Published
- 09/05/2025 11:59
- Modified
- 09/05/2025 16:55
- Tags
- 2025-04-30 2025-05-09 adversary-in-the-middle china darknights lateral movement slaac spoofing software update hijacking spellbinder wizardnet
- Related entities
- 8 observables, 1 intrusion sets (apt), 8 techniques (mitre), 3 malware, 10 others
Description
TheWizards, a China-aligned threat actor, employs Spellbinder, a lateral movement tool that enables adversary-in-the-middle attacks through IPv6 SLAAC spoofing. This technique allows the group to intercept network traffic and redirect legitimate Chinese software updates to malicious servers. The attackers deploy their custom backdoor, WizardNet, which can load additional modules and gather system information. TheWizards targets individuals, gambling companies, and other entities in several Asian countries and the UAE. The group is linked to Sichuan Dianke Network Security Technology Co., Ltd. (UPSEC), known for supplying malware to other threat actors. TheWizards' sophisticated toolset and tactics demonstrate their advanced capabilities in compromising networks and evading detection.