WizardNet

WizardNet is a modular Windows backdoor associated with the China-aligned threat actor TheWizards and delivered via adversary-in-the-middle software-update hijacking operations using the Spellbinder framework. ESET reported that Spellbinder abuses IPv6 SLAAC spoofing and forged ICMPv6 Router Advertisements to position the attacker as the default gateway, intercept DNS requests for targeted Chinese software domains, and redirect update traffic to attacker-controlled infrastructure. Observed delivery chains included abuse of Sogou Pinyin updates and, in 2024, hijacking Tencent QQ update traffic for update.browser.qq.com to serve a malicious archive that deployed a downloader and ultimately loaded WizardNet in memory.

The installation chain described by ESET used a ZIP archive containing AVGApplicationFrameHost.exe, wsc.dll, log.dat, and winpcap.exe. A legitimate AVG component was abused for DLL side-loading of wsc.dll, which read shellcode from log.dat and executed it in memory; the shellcode then loaded Spellbinder. The downloader later connected to an attacker-controlled server to retrieve an encrypted blob whose shellcode loaded WizardNet. The loader attempted defense evasion by patching AmsiScanBuffer to bypass AMSI and patching EtwEventWrite to disable ETW logging, then initialized the .NET runtime and executed WizardNet in memory.

WizardNet is described as a modular implant that connects to a remote controller to receive and execute .NET modules on the compromised machine. It creates a mutex named Global\<MD5(computer_name)>, derives a SessionKey from MD5(computer name + install time + disk serial), and stores data under HKCU\Software\<MD5(computer_name)>\<MD5(computer_name)>mid. It can read shellcode from ppxml.db or from registry key HKCU\000000 and attempts to inject that shellcode into explorer.exe or %ProgramFiles%\Windows Photo Viewer\ImagingDevices.exe. Communications use TCP or UDP with AES-ECB and PKCS7 padding keyed by the SessionKey.

Targeting reported for TheWizards includes individuals, gambling companies, and other entities in the Philippines, Cambodia, the United Arab Emirates, mainland China, and Hong Kong. Multiple reports also link WizardNet to broader China-nexus traffic-hijacking activity: Trend Micro assessed HOLODONUT is likely linked to WizardNet and TheWizards, and Cisco Talos found infrastructure overlap between WizardNet and the DKnife adversary-in-the-middle framework, which was used to hijack downloads and updates and was linked to activity in the Philippines, Cambodia, and the UAE. Reported infrastructure and indicators associated with WizardNet operations include 43.135.35.84 / mkdmcdn.com as WizardNet C2, and malicious update infrastructure including 43.155.116.7 and 43.155.62.54.