ESET Research
ESET Research analyzes tools from the China-aligned TheWizards group, with targets across Asia and the Middle East
ESET researchers have analyzed Spellbinder, a lateral movement tool used to perform adversary-in-the-middle attacks by the China-aligned threat actor TheWizards. Spellbinder enables adversary-in-the-middle attacks through IPv6 stateless address autoconfiguration spoofing, which allows the attackers to redirect the update protocols of legitimate Chinese software to malicious servers. Then the legitimate software is tricked into downloading and executing the malicious components that launch the backdoor WizardNet.
TheWizards has been constantly active since at least 2022 until the present and, according to ESET telemetry, targets individuals, gambling companies, and unknown entities in the Philippines, Cambodia, the United Arab Emirates, mainland China, and Hong Kong.
“We initially discovered and analyzed this tool in 2022, and observed a new version with a few changes that was deployed to compromised machines in 2023 and 2024,” says ESET researcher Facundo Muñoz, who analyzed Spellbinder and WizardNet. “Our research led us to discover a tool used by the attackers that is designed to perform adversary-in-the-middle attacks using IPv6 SLAAC spoofing to intercept and reply to packets in a network, allowing the attackers to redirect traffic and serve malicious updates to legitimate Chinese software,” explains Muñoz.
The final payload in the attack is a backdoor that we named WizardNet – a modular implant that connects to a remote controller to receive and execute .NET modules on the compromised machine. ESET researchers have focused on one of the latest cases, in 2024, in which the update of Tencent QQ software was hijacked. The malicious server that issues the update instructions is still active. This variant of WizardNet supports five commands, three of which allow it to execute .NET modules in memory, thus extending its functionality on the compromised system.
TheWizards and the Chinese company Dianke Network Security Technology (also known as UPSEC) – supplier of the DarkNights backdoor (also known as DarkNimbus), appear to be linked. According to NCSC UK, this malicious backdoor also has Tibetan and Uyghur communities among its primary targets. While TheWizards uses a different backdoor – the WizardNet, the hijacking server is configured to serve DarkNights to updating applications running on Android devices.
The post ESET Research analyzes tools from the China-aligned TheWizards group, with targets across Asia and the Middle East appeared first on Gaming and Gambling Industry in the Americas.
-
Africa7 days agoBetConstruct AI to Drive Global Innovation and Strategic Growth AcrossKey Markets in LatAm, Asia, and Africa
-
Centurion Winner Grand Chance™6 days ago
New from Inspired: Luck It Up™ and Centurion Winner Grand Chance™ available online & on mobile
-
Blazin' Bonus6 days ago
Booming Games releases Blazin’ Bonus
-
Asia7 days ago
Mumbai to Host the Prestigious Global Esports Games (GEG) World Finals from March 19–22
-
Cristiano Blanco CEO of SpinCore Group6 days ago
SpinCore Group Enters Finnish Market via Finnplay Partnership
-
Australasian Hospitality and Gaming Expo6 days ago
IGT Showcases Integrated Gaming, Systems, and FinTech Innovations Designed to Drive Growth at Australasian Hospitality and Gaming Expo 2026
-
Africa7 days ago
BetConstruct AI Fuels Global Innovation Strategy Across Latin America, Asia and Africa
-
Conferences5 days ago
NOVOMATIC Gaming Colombia to Showcase its Latest Innovations at GAT Cartagena 2026
