Summary: A China-aligned APT group known as “TheWizards” exploits IPv6 Stateless Address Autoconfiguration (SLAAC) to perform adversary-in-the-middle attacks, hijacking software updates to install malware on Windows systems. The group has targeted various organizations across multiple nations since at least 2022, using a custom tool named “Spellbinder.” This tool enables them to intercept and manipulate network traffic, leading to the deployment of a backdoor known as “WizardNet.”
Affected: Individuals and organizations in the Philippines, Cambodia, United Arab Emirates, China, Hong Kong
Key points:
- TheWizards has been active since at least 2022, targeting sectors such as gambling and abusing software update mechanisms to deliver malware.
- Spellbinder exploits the IPv6 SLAAC feature to reroute legitimate network traffic to attacker-controlled servers.
- Spellbinder intercepts update traffic for Chinese software services and substitutes malicious updates that install the WizardNet backdoor.
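As an added defender-side example (not from the report and not part of the group's tooling), the script below decodes ICMPv6 Router Advertisements, the messages a SLAAC-based adversary-in-the-middle relies on, and flags the two signs of a rogue one: an RA from a router that is not on the allow-list, or an RDNSS option that points hosts at an untrusted resolver. The trusted-router set, resolver set and sample packets are constructed for the demo.

```python
import ipaddress
import struct

PREFIX_INFO, RDNSS = 3, 25  # ND option types (RFC 4861, RFC 8106)

def parse_ra(icmp: bytes) -> dict:
    """Decode an ICMPv6 Router Advertisement (type 134) into header fields and options."""
    typ, _code, _csum, hop, flags, lifetime = struct.unpack("!BBHBBH", icmp[:8])
    if typ != 134:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": [], "dns": []}
    off = 16  # 8-byte header + reachable time + retrans timer
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8  # option length is in 8-byte units
        if olen == 0:
            raise ValueError("zero-length ND option (RFC 4861 forbids it)")
        body = icmp[off + 2:off + olen]
        if otype == PREFIX_INFO:  # prefix hosts will autoconfigure addresses from
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif otype == RDNSS:  # recursive DNS servers pushed to the host
            for i in range(6, len(body) - 15, 16):
                ra["dns"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += olen
    return ra

def assess_ra(src_ll: str, ra: dict, trusted_routers: set, trusted_dns: set) -> list:
    """Flag RAs from unknown routers or ones pushing resolvers outside the allow-list."""
    findings = []
    if src_ll not in trusted_routers:
        findings.append(f"RA from unexpected router {src_ll}")
    findings += [f"RDNSS pushes untrusted resolver {d}" for d in ra["dns"] if d not in trusted_dns]
    return findings

def build_ra(lifetime: int, prefix: str, dns: str) -> bytes:
    """Constructed RA payload for the demo (checksum left at zero)."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, lifetime, 0, 0)
    pio = struct.pack("!BBBBIII", PREFIX_INFO, 4, net.prefixlen, 0xC0, 2592000, 604800, 0) + net.network_address.packed
    rdnss = struct.pack("!BBHI", RDNSS, 3, 0, 3600) + ipaddress.IPv6Address(dns).packed
    return hdr + pio + rdnss

# Constructed samples: the real gateway, then a rogue host advertising its own resolver.
TRUSTED_ROUTERS, TRUSTED_DNS = {"fe80::1"}, {"2001:db8::53"}
SAMPLES = [("fe80::1", build_ra(1800, "2001:db8:1::/64", "2001:db8::53")),
           ("fe80::a11:ce", build_ra(1800, "2001:db8:1::/64", "2001:db8:bad::1"))]

def scan(samples=SAMPLES) -> dict:
    # Map each RA source to its findings; an empty list means the RA looks legitimate.
    return {src: assess_ra(src, parse_ra(pkt), TRUSTED_ROUTERS, TRUSTED_DNS) for src, pkt in samples}
```

On a live network the same checks apply to RAs captured from the link (for example via a raw socket or a pcap); switch-level RA Guard remains the preventive control.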