Spellbinder

Spellbinder is a lateral movement and adversary-in-the-middle (AitM) framework used by the China-aligned espionage group TheWizards. ESET reported the tool has been used since at least 2022 to move laterally inside compromised networks by abusing IPv6 stateless address autoconfiguration (SLAAC) and ICMPv6 Router Advertisement spoofing. Spellbinder sends multicast Router Advertisements to make victim hosts use the attacker-controlled system as the default gateway, then intercepts packets and redirects traffic.

Its primary observed use is hijacking legitimate software update traffic for Chinese applications and redirecting victims to attacker-controlled infrastructure serving malicious updates. Spellbinder uses WinPcap for packet capture and packet crafting, can enumerate and select network adapters, and can respond to DNS queries, ICMPv6 Router Solicitations, Neighbor Advertisements, and DHCPv6 Solicit/Information-request traffic. It monitors DNS requests for a hardcoded set of targeted Chinese-platform domains, including services associated with Tencent, Baidu, Xunlei, Youku, iQIYI, Kingsoft, Mango TV, Funshion, Youdao, Xiaomi/MIUI, PPLive, Meitu, Qihoo 360, and Baofeng. When a targeted domain is queried, it forges DNS responses pointing to attacker-controlled IPs. Reported hijack IPs include 43.155.116[.]7 in 2022 and 43.155.62[.]54 in 2024; one observed 2024 case redirected update.browser.qq.com to 43.155.62[.]54 to hijack Tencent QQ updates.

ESET described deployment after initial access via a ZIP archive containing AVGApplicationFrameHost.exe, wsc.dll, log.dat, and winpcap.exe, extracted under %PROGRAMFILES%\AVG Technologies. A legitimate AVG component is abused for DLL side-loading: AVGApplicationFrameHost.exe loads wsc.dll, which reads shellcode from log.dat and executes it in memory, ultimately loading Spellbinder. In observed campaigns, Spellbinder-enabled traffic hijacking delivered a malicious downloader through trojanized software updates. In a Tencent QQ case, the attacker server returned JSON update instructions causing QQ.exe to download minibrowser11_rpl.zip, which deployed minibrowser_shell.dll; that DLL executed only when the process name contained "QQ" and then fetched an encrypted blob that loaded the WizardNet backdoor in memory.

Spellbinder is directly linked to delivery of WizardNet, a modular Windows backdoor used by TheWizards, and reporting also notes infrastructure configured to serve DarkNights/DarkNimbus to Android applications. ESET telemetry linked TheWizards and Spellbinder-related activity to targets including individuals, gambling companies, and other entities in the Philippines, Cambodia, the United Arab Emirates, mainland China, and Hong Kong. Reported infrastructure and indicators associated with Spellbinder-enabled malicious updates include 43.155.116[.]7, 43.155.62[.]54, and domains such as hao[.]com and vv.ssl-dns[.]com.