ESET has recently uncovered Spellbinder, a novel tool employed by TheWizards, a cyber espionage group linked to China, to execute Adversary-in-the-Middle (AitM) attacks and disseminate their WizardNet backdoor through compromised software updates.
This cyber espionage operation, active since at least 2022, shows TheWizards' unusual approach to infiltrating networks. Using the custom-built Spellbinder, the group carries out AitM attacks that enable delivery of the WizardNet backdoor, which gives the attackers extensive control over affected systems.
An in-depth analysis from ESET reveals that Spellbinder takes advantage of IPv6 SLAAC (stateless address autoconfiguration) spoofing to manipulate network traffic. This technique effectively intercepts legitimate software updates from Chinese sources, redirecting them to attacker-controlled servers to deploy WizardNet.
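Because SLAAC spoofing works by sending rogue ICMPv6 Router Advertisements, one defensive check is to parse RAs seen on a segment and flag any from a router, or advertising a DNS server, that is not on a trusted list. The detector below is an added example (not ESET's code or anything from the Spellbinder tool); the packets, link-local addresses and trust lists are constructed for the illustration.

```python
import ipaddress
import struct

ICMPV6_RA, OPT_PREFIX_INFO, OPT_RDNSS = 134, 3, 25  # RFC 4861 / RFC 8106

def build_ra(lifetime: int, prefix: str, rdnss: str) -> bytes:
    """Construct a minimal RA (checksum zeroed) with one PIO and one RDNSS option."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, lifetime, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      86400, 14400, 0) + net.network_address.packed
    dns = struct.pack("!BBHI", OPT_RDNSS, 3, 0, 3600) + ipaddress.IPv6Address(rdnss).packed
    return hdr + pio + dns

def parse_ra(payload: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement into router lifetime, prefixes and RDNSS servers."""
    if len(payload) < 16 or payload[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    ra = {"router_lifetime": struct.unpack("!H", payload[6:8])[0], "prefixes": [], "rdnss": []}
    off = 16  # options start after the fixed 16-byte header
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1] * 8  # length is in 8-octet units
        if olen == 0 or off + olen > len(payload):
            raise ValueError("malformed option")
        body = payload[off + 2:off + olen]
        if otype == OPT_PREFIX_INFO and olen == 32:
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif otype == OPT_RDNSS and olen >= 24:  # reserved(2) + lifetime(4), then addresses
            for i in range(6, len(body) - 15, 16):
                ra["rdnss"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += olen
    return ra

def assess_ra(src: str, ra: dict, trusted_routers: set, trusted_dns: set) -> list:
    """Return findings for an RA received from link-local source `src`."""
    findings = [f"RA from unknown router {src}"] if src not in trusted_routers else []
    findings += [f"unexpected RDNSS server {d}" for d in ra["rdnss"] if d not in trusted_dns]
    return findings

TRUSTED_ROUTERS, TRUSTED_DNS = {"fe80::1"}, {"2001:db8::53"}  # constructed trust lists
SAMPLE_RAS = [  # constructed samples: one legitimate RA, one rogue RA pushing its own resolver
    ("fe80::1", build_ra(1800, "2001:db8::/64", "2001:db8::53")),
    ("fe80::aaaa:bbbb:cccc:dddd", build_ra(65535, "2001:db8::/64", "2001:db8:bad::1")),
]

def scan(samples=SAMPLE_RAS) -> dict:
    """Map each RA source to its findings; an empty list means nothing suspicious."""
    return {src: assess_ra(src, parse_ra(pkt), TRUSTED_ROUTERS, TRUSTED_DNS) for src, pkt in samples}
```

In a real deployment the RA payloads would come from a capture on the segment rather than from `SAMPLE_RAS`.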
WizardNet is a sophisticated, modular backdoor capable of receiving and executing additional malicious modules from a remote command-and-control (C2) server. This enables TheWizards to execute a wide array of malicious actions on compromised devices.
Once in the traffic path, Spellbinder monitors DNS queries for prominent Chinese platforms such as Tencent, Baidu, and Xiaomi and answers them with forged responses that send victims to attacker-controlled IP addresses; ESET observed 43.155.1167 used in 2022 and 43.155.6254 in 2024 to deliver the malicious updates.
An alarming case involved Spellbinder hijacking legitimate update requests for Tencent QQ software in 2024, redirecting the client to download a harmful archive from an attacker-operated server. This archive contained components that, once executed, installed the WizardNet backdoor.
ESET’s telemetry suggests that TheWizards have been actively targeting entities across the Philippines, Cambodia, the United Arab Emirates, mainland China, and Hong Kong, with targets ranging from individual users to gambling companies and other unidentified organizations.