TheWizards

TheWizards is a China-aligned cyber-espionage APT group active since at least 2022. ESET links the group to the IPv6-based adversary-in-the-middle and lateral movement tool Spellbinder and the modular Windows backdoor WizardNet. The group has targeted individuals, gambling companies, and other unidentified entities in the Philippines, Cambodia, the United Arab Emirates, mainland China, and Hong Kong. Spellbinder abuses IPv6 SLAAC and ICMPv6 Router Advertisement spoofing to position an attacker-controlled host as the default gateway, intercept traffic, and hijack legitimate software update mechanisms. ESET reported the tool monitors DNS queries for targeted Chinese platforms and software-update domains, then returns forged DNS responses that redirect victims to attacker-controlled infrastructure serving malicious updates. Observed targets of this hijacking included Chinese software and services such as Tencent QQ and earlier Sogou Pinyin. In a 2024 case, TheWizards hijacked DNS for update.browser.qq.com and redirected victims to attacker infrastructure that delivered a malicious archive and ultimately installed WizardNet. Observed execution involved deployment of a ZIP archive containing AVGApplicationFrameHost.exe, wsc.dll, log.dat, and winpcap.exe. A legitimate AVG component was abused for DLL side-loading of wsc.dll, which read shellcode from log.dat and launched Spellbinder in memory. Spellbinder used WinPcap for packet capture and crafted network replies, including multicast ICMPv6 Router Advertisements, DNS responses, and other local-network protocol traffic. WizardNet is a modular backdoor that can receive and execute additional .NET modules from a remote controller. Reported capabilities include in-memory loading, AMSI and ETW patching for defense evasion, shellcode loading from disk or registry, process injection into explorer.exe or ImagingDevices.exe, host-derived session key generation, and encrypted TCP or UDP C2 communications using AES-ECB with PKCS7 padding. The reporting also notes links between TheWizards and Sichuan Dianke Network Security Technology Co., Ltd. (UPSEC), which ESET assessed acts as a “digital quartermaster” to the group. Infrastructure associated with TheWizards was also reported to serve the Android malware DarkNights, also referred to as DarkNimbus. Related reporting linked DarkNimbus to Earth Minotaur, but ESET treated TheWizards and Earth Minotaur as independent operators based on differences in tooling, infrastructure, and targeting. TheWizards has also been cited by ESET as one of several China-aligned groups using adversary-in-the-middle techniques for lateral movement, and other reporting noted links between a backdoor associated with TheWizards and broader China-linked activity clusters.