TheWizards APT Casts a Spell on Asian Gamblers With Novel Attack - Dark Reading
A SLAAC-spoofing, adversary-in-the-middle campaign is hiding the WizardNet backdoor malware inside updates for legitimate software and popular applications.

Tara Seals, Managing Editor, News, Dark Reading
April 30, 2025
5 Min Read

RSAC CONFERENCE 2025 – San Francisco – A Chinese advanced persistent threat (APT) known as TheWizards is conjuring "Spellbinder," a lateral movement tool that enables a unique adversary-in-the-middle (AitM) attack that hides malware in legitimate software update processes.

According to research that ESET debuted this week at RSAC Conference 2025, Spellbinder enables IPv6 stateless address autoconfiguration (SLAAC) spoofing, a nearly 15-year-old known attack vector that allows TheWizards to intercept network packets and redirect traffic coming to and from legitimate Chinese applications installed on a target machine.

The attackers then commandeer those update processes — which are still perceived as legitimate by some security tools — to deploy a downloader and eventually install their signature backdoor, WizardNet, according to the research.

TheWizards is not the first Chinese APT to deploy this kind of attack (ESET flagged the Blackwood group for a similar campaign last year), but it's not a common vector, ESET head of threat research Jean-Ian Boutin tells Dark Reading.
TheWizards campaign also stands out thanks to the discovery of Spellbinder, and the discovery of potential links to the Earth Minotaur APT.

Targeting Gambling Companies & Gamblers for Espionage

TheWizards, first seen in 2022, has been constantly active, mainly targeting gambling companies and their customers in the Philippines, Cambodia, the United Arab Emirates, mainland China, and Hong Kong, according to ESET. This campaign is no different, though Boutin says it's unclear what the motivations are for targeting the betting sector.

"We're not sure why TheWizards is pursuing the victims that they are, but they've been doing this consistently for at least two years," he says.

The researchers originally noticed a popular Chinese software application known as Sogou Pinyin downloading a suspicious DLL that was named after a legitimate component of that software. It turns out that the DLL was a dropper that set off a multistep infection routine leading to WizardNet.

In the latest campaigns, the researchers have uncovered the use of Spellbinder, which contains a hardcoded list of domains associated with several popular Chinese platforms, such as Tencent, Baidu, Xunlei, Youku, iQIYI, Kingsoft, Mango TV, Funshion, Youdao, Xiaomi and Xiaomi's Miui, PPLive, Meitu, Qihoo 360, Baofeng, and others.

"Our research led to the discovery of a tool, used by the attackers, that is designed to perform adversary-in-the-middle attacks using IPv6 SLAAC spoofing to intercept and reply to packets in a network, allowing the attackers to redirect traffic and serve malicious updates targeting legitimate Chinese software," according to the report.
"One of the latest cases in 2024 … hijacked the update of Tencent QQ software."

The Spellbinder AitM attack in that case worked as follows:

1. The legitimate software component QQ.exe sends an HTTP request to update.browser.qq.com.
2. The Spellbinder tool intercepts the DNS query for that domain name and issues a DNS answer with the IP address of an attacker-controlled server used for hijacking the Tencent update mechanism.
3. When the request is received by the hijacking server, it replies with instructions to download an archive containing a DLL downloader.
4. The downloader in turn uses the WinSock API to connect via TCP to the attacker-controlled server and download an encrypted blob containing a loader shellcode and the WizardNet backdoor.
5. The loader begins by attempting to use a well-known bypass for the AMSI mechanism that scans memory for malicious artifacts. Then, it disables Event Logging.
6. It decrypts and runs the WizardNet payload.

"The final payload is a backdoor that we named WizardNet — a modular implant that connects to a remote controller to receive and execute .NET modules on the compromised machine … thus extending its functionality on the compromised system," according to ESET.

Chinese APT Connections: Links to the Earth Minotaur APT

Notably, TheWizards has connections to another, better-known Chinese APT called Earth Minotaur.

In December 2024, Trend Micro researchers flagged an Earth Minotaur campaign that used an exploit kit called Moonshine and the DarkNimbus malware for Android devices, aimed at compromising members of the Tibetan and Uyghur communities. Earlier in April, Five Eyes issued a report that warned that the APT's campaign against those ethnic groups was growing in its ferocity. It also flagged a claim from Intelligence Online that identified an ostensibly legitimate Chinese company called Dianke Network Security Technology (UPSEC) as the supplier of the DarkNimbus malware.

In the course of its recent analysis, ESET researchers fingerprinted DarkNimbus (which ESET calls DarkNights) as one of the tools that TheWizards uses to target mobile users in its ongoing campaign against gambling companies.

"While TheWizards uses a different backdoor for Windows (WizardNet), the hijacking server is configured to serve DarkNights [aka DarkNimbus] to updating applications running on Android devices," the researchers explained. "While we have not seen any victims in ESET telemetry, we managed to obtain a malicious update instruction for the Android version of Tencent QQ. … This indicates that Dianke Network Security is a digital quartermaster to TheWizards APT group."

While both threat actors use DarkNights/DarkNimbus malware, "TheWizards has focused on different targets and uses infrastructure and additional tools (for example, Spellbinder and WizardNet) not observed to be used by Earth Minotaur," according to the research — which underscores an ongoing trend of disparate Chinese state-sponsored actors sharing tools and resources from third-party suppliers, and in some cases tag-teaming on their operations.

In terms of defense, Boutin notes that ESET hasn't uncovered the initial access vector for deploying Spellbinder, but says that monitoring IPv6 traffic for unusual connection activity is a good indicator of compromise; otherwise, good endpoint security, including EDR or XDR, and keeping routers patched and up to date are good prophylactics. There are also known mitigations against SLAAC spoofing, including implementing Secure Neighbor Discovery (SEND).

"TheWizards campaign is notable in the technological approaches it takes with abusing IPv6," Boutin said.
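The article recommends monitoring IPv6 traffic but does not say what to look for. SLAAC spoofing, in its standard form, works by sending rogue ICMPv6 Router Advertisements (RAs) so that hosts adopt the attacker as their default router and, via the RDNSS option, as their DNS resolver, which is how a DNS query for an update domain can be answered with an attacker-controlled address. The following is an added example, not code from ESET, Dark Reading or the Spellbinder analysis: a small parser for IPv6/ICMPv6 frames that extracts Router Advertisements and flags any RA whose source is not a known router, or whose RDNSS option advertises a resolver that is not approved. The allowlists (`KNOWN_ROUTERS`, `APPROVED_DNS`), the addresses, and the sample frames built by `build_ra_frame` are all constructed for the example and are not indicators from the report.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set

# Added example (not ESET's or Dark Reading's code): detect rogue IPv6 Router
# Advertisements of the kind SLAAC spoofing depends on. Feed it raw IPv6 frames
# (e.g. from a pcap or a raw socket on a monitoring host) and it returns alerts.
ICMPV6_NEXT_HEADER = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3   # RFC 4861 option type
OPT_RDNSS = 25               # RFC 8106 Recursive DNS Server option
ALL_NODES = ipaddress.IPv6Address("ff02::1")

# Assumed allowlists for a hypothetical segment; real values come from your inventory.
KNOWN_ROUTERS: Set[ipaddress.IPv6Address] = {ipaddress.IPv6Address("fe80::1")}
APPROVED_DNS: Set[ipaddress.IPv6Address] = {
    ipaddress.IPv6Address("fe80::1"),
    ipaddress.IPv6Address("2001:db8::53"),
}


@dataclass
class RouterAdvertisement:
    src: ipaddress.IPv6Address
    router_lifetime: int                      # 0 means "do not use me as default router"
    prefixes: List[str] = field(default_factory=list)
    dns_servers: List[ipaddress.IPv6Address] = field(default_factory=list)


def parse_ra_frame(frame: bytes) -> Optional[RouterAdvertisement]:
    """Return a RouterAdvertisement if `frame` is an IPv6 packet carrying ICMPv6 type 134, else None."""
    if len(frame) < 40 or frame[0] >> 4 != 6:          # 40-byte fixed IPv6 header, version 6
        return None
    payload_len = struct.unpack("!H", frame[4:6])[0]
    if frame[6] != ICMPV6_NEXT_HEADER:                  # next header must be ICMPv6
        return None
    src = ipaddress.IPv6Address(frame[8:24])
    icmp = frame[40:40 + payload_len]
    if len(icmp) < 16 or icmp[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return None
    ra = RouterAdvertisement(src=src, router_lifetime=struct.unpack("!H", icmp[6:8])[0])
    off = 16                                            # options follow the 16-byte RA header
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1]    # length is in units of 8 octets
        if opt_len == 0:                                # RFC 4861: zero length is invalid, stop
            break
        body = icmp[off:off + opt_len * 8]
        if len(body) < opt_len * 8:                     # truncated option, stop
            break
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            ra.prefixes.append(f"{ipaddress.IPv6Address(body[16:32])}/{body[2]}")
        elif opt_type == OPT_RDNSS:                     # 8-byte header, then 16-byte addresses
            for i in range(8, opt_len * 8, 16):
                ra.dns_servers.append(ipaddress.IPv6Address(body[i:i + 16]))
        off += opt_len * 8
    return ra


def evaluate_ra(ra: RouterAdvertisement, known_routers: Set[ipaddress.IPv6Address],
                approved_dns: Set[ipaddress.IPv6Address]) -> List[str]:
    """Compare one RA against the allowlists and describe anything suspicious."""
    findings = []
    if ra.src not in known_routers:
        role = "default router" if ra.router_lifetime > 0 else "prefix/DNS-only advertiser"
        findings.append(f"RA from unlisted source {ra.src} (claims {role})")
    for server in ra.dns_servers:
        if server not in approved_dns:
            findings.append(f"RDNSS option points clients at unapproved resolver {server}")
    return findings


def scan_frames(frames: Iterable[bytes], known_routers=KNOWN_ROUTERS, approved_dns=APPROVED_DNS) -> List[str]:
    alerts: List[str] = []
    for frame in frames:
        ra = parse_ra_frame(frame)
        if ra is not None:
            alerts.extend(evaluate_ra(ra, known_routers, approved_dns))
    return alerts


def build_ra_frame(src: str, dns_servers: List[str], prefix: str = "2001:db8:1::",
                   prefix_len: int = 64, router_lifetime: int = 1800) -> bytes:
    """Constructed test input: IPv6 + ICMPv6 RA with one Prefix Information option and one RDNSS option.
    The ICMPv6 checksum is left as zero because the parser does not verify it."""
    icmp = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, router_lifetime, 0, 0)
    icmp += struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, prefix_len, 0xC0, 2592000, 604800, 0)
    icmp += ipaddress.IPv6Address(prefix).packed
    if dns_servers:
        icmp += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns_servers), 0, 1800)
        for server in dns_servers:
            icmp += ipaddress.IPv6Address(server).packed
    header = struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6_NEXT_HEADER, 255)
    return header + ipaddress.IPv6Address(src).packed + ALL_NODES.packed + icmp


if __name__ == "__main__":
    legit = build_ra_frame("fe80::1", ["fe80::1"])                      # the real gateway
    rogue = build_ra_frame("fe80::dead:beef", ["fe80::dead:beef"])      # constructed rogue RA
    for alert in scan_frames([legit, rogue]):
        print("ALERT:", alert)
```

On a real segment, `KNOWN_ROUTERS` is the set of link-local addresses of the routers that are supposed to send RAs, and any alert from `scan_frames` is worth correlating with DNS answers seen for update domains around the same time. Switch-side RA Guard or SEND, which the article mentions, prevent the rogue RA from reaching hosts at all; this kind of passive check is the complementary visibility layer.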
"It's not something you see often in the wild; also, the similarities to the Earth Minotaur group are notable — getting corroboration on the toolset being used in the wild is always of interest."

About the Author

Tara Seals, Managing Editor, News, Dark Reading

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.