TheWizards APT Exploits IPv6 to Hijack Updates and Deploy Dual-Platform Malware
Threat Group: TheWizards
Threat Type: Advanced Persistent Threat (APT) – Cyberespionage
Exploited Vulnerabilities: IPv6 SLAAC/NDP Trust Exploitation
Malware Used: Spellbinder (AitM tool), WizardNet (Windows modular backdoor), DarkNights / DarkNimbus (Android spyware)
Threat Score: 🔥 Critical (9.1/10) due to use of advanced IPv6-based adversary-in-the-middle techniques, dual-platform malware deployment, and targeting of Chinese-speaking individuals and gambling operators abroad
Last Threat Observation: 30 April 2025
Overview
TheWizards is a China-aligned Advanced Persistent Threat (APT) group active since at least 2021. Their operations focus on stealthy network-layer interception via IPv6 SLAAC spoofing, enabling adversary-in-the-middle (AitM) attacks inside local networks. Through these methods, TheWizards hijack legitimate software update mechanisms to deliver Windows and Android backdoors—WizardNet and DarkNights respectively.
This group’s key innovation is Spellbinder, a custom AitM tool using IPv6 router advertisements to reroute host traffic. They target users in the Philippines, Cambodia, Hong Kong, mainland China, and the United Arab Emirates, with a particular focus on Chinese-speaking individuals and international gambling companies.
The tools and infrastructure suggest collaboration with UPSEC (Sichuan Dianke Network Security Technology Co., Ltd.), a suspected Chinese state-linked malware supplier. The campaign illustrates a modern, multi-layered espionage model blending private development, sophisticated network exploitation, and cross-platform persistence.
Key Details
Delivery Method:
Hijacked software update mechanisms over IPv6, delivered through DNS spoofing and side-loaded binaries.
Target:
Chinese-speaking individuals, online gambling platforms, and entities in Southeast Asia and the Middle East.
Functions:
- IPv6 SLAAC-based Adversary-in-the-Middle
- DNS interception and response forgery
- Payload delivery via DLL side-loading
- Modular .NET backdoor capabilities
- Android device spyware targeting BYOD networks
Obfuscation:
Uses DLL side-loading, polymorphic shellcode, encrypted blobs, AMSI and ETW bypasses, and dynamic API resolution.
Attack Vectors
TheWizards’ tactics centre on local network compromise through IPv6 misconfigurations. Their primary attack chain includes:
1. SLAAC Spoofing & AitM
- Deployed on a compromised LAN machine
- Sends spoofed ICMPv6 Router Advertisements (RAs) every 200ms
- Hosts accept attacker as default gateway using SLLAO
- Victim traffic is silently routed via the attacker
2. DNS Hijacking
- Spellbinder captures DNS queries using WinPcap
- Injects forged responses for targeted domains (e.g., Tencent QQ, Sogou)
- Redirects updates to attacker-controlled IPs like 43.155.62[.]54
3. Payload Delivery
- Fake updates include:
  - Signed executable (e.g., AVGApplicationFrameHost.exe)
  - Malicious DLL (wsc.dll)
  - Encrypted shellcode (log.dat)
  - WinPcap installer
- DLL side-loading triggers shellcode to deploy WizardNet
4. Android Targeting
- Android apps updating via hijacked DNS download DarkNights
- Delivered via ZIP files with malicious classes.dex payloads
5. C2 Communication
- WizardNet and DarkNights connect to C2 domains (e.g., mkdmcdn[.]com)
- Encrypted with AES ECB and host-specific keys
6. Persistence & Evasion
- Registry persistence and mutex creation
- Shellcode injection into explorer.exe
- AMSI and ETW patching
- Dynamic module loading over .NET runtime
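The attack chain above starts with spoofed ICMPv6 Router Advertisements carrying a Source Link-Layer Address Option (SLLAO), sent far more often than a real router would. The following detector is an added example written for this advisory, not code from the page, from ESET, or from the group's tooling. It parses raw Ethernet/IPv6/ICMPv6 frames from a capture and flags three things a defender can act on: an RA from a MAC not on the site's trusted-router list, an SLLAO that does not match the sending MAC, and unsolicited RAs spaced below the 3 s MinRtrAdvInterval floor of RFC 4861 (used here as a heuristic; a 200 ms cadence like the one described above trips it immediately). The frames, timestamps, MAC addresses and the trusted-router list are constructed for the example; in practice the frames would come from a pcap of the local segment.

```python
import ipaddress
import struct
from collections import defaultdict

ETHERTYPE_IPV6 = 0x86DD
NEXT_HEADER_ICMPV6 = 58
ICMPV6_ROUTER_ADVERT = 134
NDP_OPT_SLLAO = 1
ETH_LEN, IPV6_LEN, RA_FIXED_LEN = 14, 40, 16
# RFC 4861 s6.2.1: MinRtrAdvInterval MUST be no less than 3 s. Treated as a heuristic
# here (Mobile IPv6 permits lower); a 200 ms cadence is far outside this bound.
MIN_RTR_ADV_INTERVAL = 3.0


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_ra_frame(src_mac, src_ip6, sllao_mac=None, router_lifetime=1800):
    """Constructed test frame: Ethernet / IPv6 / ICMPv6 Router Advertisement + SLLAO.
    The ICMPv6 checksum stays zero because these frames are only parsed, never sent."""
    eth = _mac("33:33:00:00:00:01") + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV6)
    # type, code, checksum, cur hop limit, flags, router lifetime, reachable, retrans
    ra = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, router_lifetime, 0, 0)
    sllao = struct.pack("!BB", NDP_OPT_SLLAO, 1) + _mac(sllao_mac or src_mac)  # len unit = 8 bytes
    payload = ra + sllao
    ip6 = (struct.pack("!IHBB", 0x60000000, len(payload), NEXT_HEADER_ICMPV6, 255)
           + ipaddress.IPv6Address(src_ip6).packed
           + ipaddress.IPv6Address("ff02::1").packed)  # all-nodes multicast
    return eth + ip6 + payload


def parse_ra(frame):
    """Return a dict describing the RA, or None if the frame is not an ICMPv6 RA."""
    if len(frame) < ETH_LEN + IPV6_LEN + RA_FIXED_LEN:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    eth_src = _mac_str(frame[6:12])
    ip6 = frame[ETH_LEN:ETH_LEN + IPV6_LEN]
    if ip6[6] != NEXT_HEADER_ICMPV6:  # extension headers are not walked in this example
        return None
    src_ip = str(ipaddress.IPv6Address(ip6[8:24]))
    icmp = frame[ETH_LEN + IPV6_LEN:]
    if icmp[0] != ICMPV6_ROUTER_ADVERT:
        return None
    router_lifetime = struct.unpack("!H", icmp[6:8])[0]
    sllao_mac = None
    off = RA_FIXED_LEN
    while off + 2 <= len(icmp):  # walk TLV options (length is in 8-byte units)
        opt_type, opt_len = icmp[off], icmp[off + 1]
        if opt_len == 0:  # malformed per RFC 4861; stop parsing
            break
        if opt_type == NDP_OPT_SLLAO and opt_len == 1:
            sllao_mac = _mac_str(icmp[off + 2:off + 8])
        off += opt_len * 8
    return {"eth_src": eth_src, "src_ip": src_ip, "sllao_mac": sllao_mac,
            "router_lifetime": router_lifetime}


def detect_rogue_ras(capture, trusted_routers):
    """capture: iterable of (timestamp_seconds, frame_bytes). Returns (ts, mac, reason) alerts."""
    alerts, last_seen = [], {}
    for ts, frame in capture:
        ra = parse_ra(frame)
        if ra is None:
            continue
        src = ra["eth_src"]
        if src not in trusted_routers:
            alerts.append((ts, src, "ra_from_untrusted_source"))
        if ra["sllao_mac"] and ra["sllao_mac"] != src:
            alerts.append((ts, src, "sllao_mismatch"))
        if src in last_seen and ts - last_seen[src] < MIN_RTR_ADV_INTERVAL:
            alerts.append((ts, src, "ra_interval_below_rfc_minimum"))
        last_seen[src] = ts
    return alerts


def summarize(alerts):
    counts = defaultdict(int)
    for _, _, reason in alerts:
        counts[reason] += 1
    return dict(counts)


# Constructed capture: a real router advertising every 200 s, then a rogue host
# (hypothetical MAC) advertising every 200 ms, as the attack chain describes.
TRUSTED_ROUTERS = {"00:11:22:33:44:55"}
SAMPLE_CAPTURE = (
    [(0.0, build_ra_frame("00:11:22:33:44:55", "fe80::211:22ff:fe33:4455")),
     (200.0, build_ra_frame("00:11:22:33:44:55", "fe80::211:22ff:fe33:4455"))]
    + [(300.0 + 0.2 * i, build_ra_frame("de:ad:be:ef:00:01", "fe80::dead:beef:0:1"))
       for i in range(5)]
)

if __name__ == "__main__":
    for alert in detect_rogue_ras(SAMPLE_CAPTURE, TRUSTED_ROUTERS):
        print(alert)
    print(summarize(detect_rogue_ras(SAMPLE_CAPTURE, TRUSTED_ROUTERS)))
```

On the constructed capture the legitimate router produces no alerts, while the rogue host produces five untrusted-source alerts and four interval alerts. On a real network the trusted-router allowlist is the control that matters most; the interval check is a useful secondary signal because it needs no prior knowledge of the segment.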
Known Indicators of Compromise (IoCs)
IPv4
103[.]243[.]181[.]120
FileHash-MD5
186cfff47ba0a69ad79d46d9c187aa04
a961766c1b2e5133d589be1cf47e3338
da73153c76b6f652f9b2847531d1c367
FileHash-SHA1
0cba19b19df9e2c5ebe55d9de377d26a1a51b70a
1a8147050af6f05dea5fbca1ae1ff2ffd2b68f9c
2d376adf44dbd9cf5db08884e76192d0bc9984c4
4db38a097ae4d5e70b2f51a8ee13b0c1ee01a2a1
5b70a853d8e989ad102d639fbf7636b697313abc
76953e949ac54be8ff3a68794ef1419e9ef9afcb
9784a1483b4586eb12d86e549d39ca4bb63871b8
da867188937698c7769861c72f5490cb9c3d4f63
FileHash-SHA256
b8ef1b0af5bf25a1736ef139e56c078c65ce025d3bfbfa156a4b20ba1b2aa74d
Domains
assetsqq[.]com
mkdmcdn[.]com
plugin-audiofirstpiece[.]ml
ssl-dns[.]com
Hostname
vv[.]ssl-dns[.]com
Mitigation and Prevention
User Awareness
While TheWizards bypass user interaction by hijacking trusted channels, user training remains relevant for potential phishing-based initial deployment of Spellbinder.
Email Filtering
Potential value only if Spellbinder is distributed via malicious attachments. Current evidence points to in-network propagation.
Antivirus Protection
Deploy robust EDR with the following behavioral detection focus:
- DLL side-loading by signed executables
- Use of WinPcap or Npcap
- Process injection into system binaries
- AMSI/ETW patching detection
- Mutex Global<MD5(hostname)> creation
Two-Factor Authentication (2FA)
Does not mitigate AitM malware execution but remains essential for protecting exposed accounts.
Monitor Logs
- DNS queries to known bad IPs
- Unusual IPv6 RA broadcasts
- Access to C2 IPs/domains
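The log-monitoring items above come down to matching resolver and proxy records against the advisory's indicators. The sweep below is an added example, not code from the page or from ESET: it refangs the defanged indicators listed in this advisory (the IoC IPv4 address and domains, plus the 43.155.62[.]54 address from the attack-chain section), then checks a DNS log for two conditions that matter here: a query for a C2 name (exact hostname or any subdomain of a listed domain), and an answer pointing at a listed IP, which is what a hijacked update domain looks like after DNS forgery. The log format (`key=value` fields), the client addresses, the vendor update hostname and the timestamps are constructed for the example and are not real telemetry.

```python
import re
from typing import Dict, List, Optional, Tuple

# Indicators copied from this advisory in their defanged form.
ADVISORY_IOCS = {
    "ipv4": ["103[.]243[.]181[.]120", "43.155.62[.]54"],
    "domains": ["assetsqq[.]com", "mkdmcdn[.]com",
                "plugin-audiofirstpiece[.]ml", "ssl-dns[.]com"],
    "hostnames": ["vv[.]ssl-dns[.]com"],
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('1[.]2[.]3[.]4', 'hxxp://') back into its live form."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


class IocMatcher:
    def __init__(self, iocs: Dict[str, List[str]]):
        self.ips = {refang(i) for i in iocs.get("ipv4", [])}
        self.hosts = {refang(h) for h in iocs.get("hostnames", [])}
        self.domains = {refang(d) for d in iocs.get("domains", [])}

    def match_name(self, name: str) -> Optional[str]:
        """Exact hostname match first, then 'name is the domain or a subdomain of it'."""
        name = name.lower().rstrip(".")
        if name in self.hosts:
            return name
        for d in self.domains:
            if name == d or name.endswith("." + d):
                return d
        return None

    def match_ip(self, ip: str) -> Optional[str]:
        return ip if ip in self.ips else None


LOG_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_log_line(line: str) -> Dict[str, str]:
    """Constructed resolver-log format: free text followed by key=value fields."""
    return dict(LOG_FIELD.findall(line))


Hit = Tuple[int, str, str, str, str]  # (line no, client, field, observed value, indicator)


def sweep(lines: List[str], matcher: IocMatcher) -> List[Hit]:
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        rec = parse_log_line(line)
        client = rec.get("client", "?")
        query = rec.get("query")
        if query:
            m = matcher.match_name(query)
            if m:
                hits.append((n, client, "query", query, m))
        answer = rec.get("answer")
        if answer:
            m = matcher.match_ip(answer)
            if m:  # a benign name resolving to a listed IP indicates a forged response
                hits.append((n, client, "answer", answer, m))
    return hits


def affected_clients(hits: List[Hit]) -> List[str]:
    return sorted({h[1] for h in hits})


# Constructed sample log. 'update.example-vendor.com' stands in for a legitimate
# software-update hostname whose answer has been forged to point at a listed IP.
SAMPLE_DNS_LOG = [
    "2025-04-28T09:12:01Z client=10.0.0.23 query=update.example-vendor.com type=A answer=43.155.62.54",
    "2025-04-28T09:12:03Z client=10.0.0.23 query=vv.ssl-dns.com type=A answer=103.243.181.120",
    "2025-04-28T09:12:05Z client=10.0.0.41 query=www.example.com type=A answer=93.184.216.34",
    "2025-04-28T09:12:07Z client=10.0.0.23 query=cdn.mkdmcdn.com type=A answer=203.0.113.9",
]

if __name__ == "__main__":
    matcher = IocMatcher(ADVISORY_IOCS)
    found = sweep(SAMPLE_DNS_LOG, matcher)
    for hit in found:
        print(hit)
    print("affected clients:", affected_clients(found))
```

The first sample line is the one worth noticing in a real investigation: the queried name is not an indicator at all, but its answer is, which is exactly the shape an intercepted update check leaves in resolver logs. Suffix matching on the listed domains is deliberate, since C2 hostnames are routinely rotated beneath a stable registered domain.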
Regular Updates
Maintain OS and software updates to prevent potential pre-Spellbinder compromise vectors.
Risk Assessment
TheWizards APT poses a critical threat:
- Exploits a rarely-monitored vector (IPv6 SLAAC)
- Enables full AitM traffic control inside internal networks
- Delivers persistent, memory-resident Windows malware
- Expands scope to Android via shared infrastructure
- Maintains high operational stealth
Their focus on gambling companies, Chinese-speaking individuals abroad, and possible state contractor relationships indicates a strategic alignment with China's law enforcement and intelligence mandates.
Conclusion
TheWizards represents a technically advanced and geopolitically aligned threat actor exploiting undersecured aspects of modern enterprise networks. Their continued use of IPv6 SLAAC spoofing to hijack software updates and deliver sophisticated dual-platform backdoors demonstrates not only the effectiveness of their strategy but also the pervasive neglect of IPv6 security in enterprise environments.
Organizations must stop treating IPv6 security as an optional future task and instead prioritise RA Guard, SAVI, and First-Hop Security configurations to neutralise the group’s core AitM strategy. Proactive monitoring, endpoint controls, and deep packet inspection of internal traffic are essential for early detection.
Entities in the gambling, financial services, and mobile sectors across Asia and the Middle East should treat this threat as an urgent security concern.
Sources:
- ESET WeLiveSecurity – TheWizards APT group uses SLAAC spoofing
- The Hacker News – Chinese Hackers Abuse IPv6 SLAAC
- GitHub (ESET IoC Repository) – TheWizards IoCs
- OTX AlienVault – Indicators of Compromise (IoCs)