Chinese Hackers Abuse IPv6 SLAAC for AitM Attacks via Spellbinder Lateral Movement Tool

Summary: TheWizards, a China-aligned APT group, has been linked to a lateral movement tool called Spellbinder, which enables adversary-in-the-middle (AitM) attacks through IPv6 spoofing. This method allows the group to hijack software updates, notably for Chinese applications such as Sogou Pinyin and Tencent QQ, to deliver malware, including a modular backdoor known as WizardNet. Evidence suggests that the tool and these tactics have been in use since at least 2022, targeting sectors in several regions, including Southeast Asia and the UAE.

Affected: Sogou Pinyin, Tencent QQ, and users in Cambodia, Hong Kong, Mainland China, the Philippines, and the UAE

Key points:

  • TheWizards employs Spellbinder to conduct AitM attacks that exploit IPv6 stateless address autoconfiguration (SLAAC) spoofing.
  • The group has previously used similar techniques to exploit software update mechanisms in Chinese input method applications to deliver malware.
  • Spellbinder can hijack DNS queries to redirect users to malicious update servers, facilitating the download of backdoors such as WizardNet.
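As an added illustration of the defensive side of the SLAAC-spoofing technique (example code, not from the article or from the underlying research), the Python below parses ICMPv6 Router Advertisements and flags any that come from a router outside an assumed allowlist, treating one that also carries an RDNSS (DNS server) option as the DNS-hijack case. The allowlist, the addresses and the sample packets are constructed for the example; the page does not state which RA options Spellbinder uses.

```python
import ipaddress
import struct

# Assumed site allowlist of legitimate router link-local addresses (example value).
ALLOWED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
ICMPV6, ROUTER_ADV, PREFIX_INFO, RDNSS = 58, 134, 3, 25  # RFC 4861 / RFC 8106 values

def build_ra(src, *options):
    """Construct an IPv6 packet carrying an ICMPv6 Router Advertisement (checksum left 0)."""
    ra = struct.pack("!BBHBBHII", ROUTER_ADV, 0, 0, 64, 0, 1800, 0, 0) + b"".join(options)
    hdr = struct.pack("!IHBB", 0x60000000, len(ra), ICMPV6, 255)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed + ra

def prefix_option(prefix):
    """Prefix Information option (type 3): what SLAAC clients use to build their address."""
    net = ipaddress.IPv6Network(prefix)
    return struct.pack("!BBBBIII", PREFIX_INFO, 4, net.prefixlen, 0xC0, 86400, 14400, 0) + net.network_address.packed

def rdnss_option(dns):
    """Recursive DNS Server option (type 25): tells clients which resolver to use."""
    return struct.pack("!BBHI", RDNSS, 3, 0, 1800) + ipaddress.IPv6Address(dns).packed

def parse_ra(pkt):
    """Return (source address, [(option type, option data)]) or None if the packet is not an RA."""
    if len(pkt) < 56 or pkt[6] != ICMPV6 or pkt[40] != ROUTER_ADV:
        return None
    src, opts, off = ipaddress.IPv6Address(pkt[8:24]), [], 56
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1] * 8  # option length is in 8-octet units
        if olen == 0 or off + olen > len(pkt):
            break  # malformed option: stop rather than loop forever
        opts.append((otype, pkt[off + 2:off + olen]))
        off += olen
    return src, opts

def assess_ra(pkt):
    """Flag RAs from unexpected routers; an RDNSS option from such a source is the DNS-hijack case."""
    parsed = parse_ra(pkt)
    if parsed is None:
        return None
    src, opts = parsed
    dns = [str(ipaddress.IPv6Address(data[6 + i * 16:22 + i * 16]))
           for otype, data in opts if otype == RDNSS for i in range((len(data) - 6) // 16)]
    if src in ALLOWED_ROUTERS:
        return {"src": str(src), "verdict": "expected", "rdnss": dns}
    return {"src": str(src), "verdict": "rogue-rdnss" if dns else "rogue-ra", "rdnss": dns}

# Constructed samples: a legitimate RA from the allowlisted router, and a rogue RA from an
# unknown host that also hands clients a resolver inside the LAN prefix.
LEGIT_RA = build_ra("fe80::1", prefix_option("2001:db8:1::/64"))
ROGUE_RA = build_ra("fe80::c0ff:ee", prefix_option("2001:db8:1::/64"), rdnss_option("2001:db8:1::66"))

if __name__ == "__main__":
    for pkt in (LEGIT_RA, ROGUE_RA):
        print(assess_ra(pkt))
```

In practice the same check is run over RAs captured from the wire (for example via a packet-capture library), with the allowlist populated from the network's known routers.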

Source: https://thehackernews.com/2025/04/chinese-hackers-abuse-ipv6-slaac-for.html