TheWizards APT Group Uses SLAAC Spoofing to Perform Adversary-in-the-Middle Attacks
Summary:
Back in 2022, cybersecurity researchers discovered an advanced threat group, now known as TheWizards, that has been carrying out targeted attacks using a set of custom tools designed to hijack software updates and spy on victims. One of their tools, Spellbinder, uses a technique known as SLAAC spoofing to perform adversary-in-the-middle (AitM) attacks over IPv6 networks. This lets attackers intercept and modify network traffic, tricking legitimate apps—like popular Chinese software—into downloading malicious updates instead of real ones.
Once those updates are installed, a special backdoor called WizardNet is loaded onto the victim’s device. This malware gives the attacker full control over the infected machine, allowing them to load new tools, steal sensitive data, and even inject code into running processes. In some cases, TheWizards also pushed malware to Android devices, showing that they are capable of targeting multiple platforms at once.
Security Officer Comments:
The tools used in this campaign are stealthy, technically advanced, and designed for long-term surveillance. The group’s tactics include abusing legitimate software components, hiding malware directly in memory to avoid detection, and crafting fake update responses that trick popular software into downloading malicious files from attacker-controlled servers.
Based on observed activity, the group—referred to as TheWizards—appears to focus on targets in Asia and the Middle East, including individuals, businesses in the gambling industry, and unspecified organizations in countries like the Philippines, Cambodia, China, Hong Kong, and the UAE. Their motives seem to include espionage, data theft, and the ability to silently maintain access to compromised networks over long periods. By hijacking trusted software update channels, the attackers are able to blend in with normal network activity, making their presence extremely difficult to detect.
Suggested Corrections:
Monitor network traffic for unusual DNS and IPv6 activity, especially in environments where IPv6 is enabled but not strictly managed.
Use endpoint security solutions that can detect memory-based attacks, code injection, and suspicious process behavior.
Deploy tools that offer network-based threat detection, including the ability to catch AitM techniques and packet tampering.
Regularly audit software update mechanisms, especially for widely used applications, to ensure updates are being pulled from trusted sources.
Implement network segmentation and access controls to reduce lateral movement opportunities in case of a breach.
Participate in information-sharing communities that track threat actors, indicators of compromise (IoCs), and malware trends, so that emerging threats are recognized early.
Organizations that detect unusual update behavior, DNS hijacking, or unauthorized IPv6 traffic should consider performing a deeper investigation. Collaboration with threat intelligence teams or incident response providers can help contain and analyze advanced threats like this.
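To make the first suggestion concrete, here is an added example (written for this summary, not code from the original report or from ESET) of the kind of check a network monitor can run against IPv6 Router Advertisements, the messages SLAAC clients trust for their prefix and DNS configuration. It parses the ICMPv6 RA body (RFC 4861) and RDNSS options (RFC 8106) and flags any RA that comes from a router not on an allowlist or that advertises a DNS resolver not on the allowlist; the router and resolver addresses, and the two sample packets, are constructed for the example.

```python
import ipaddress
import struct

RA_TYPE, OPT_PREFIX_INFO, OPT_RDNSS = 134, 3, 25

def parse_ra(icmpv6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement body (RFC 4861) incl. RDNSS options (RFC 8106)."""
    if len(icmpv6) < 16 or icmpv6[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    hop_limit, flags, lifetime = struct.unpack_from("!BBH", icmpv6, 4)
    ra = {"router_lifetime": lifetime, "managed": bool(flags & 0x80),
          "prefixes": [], "dns": []}
    off = 16  # fixed header: type, code, checksum, hop limit, flags, lifetime, reachable, retrans
    while off + 2 <= len(icmpv6):
        otype, olen = icmpv6[off], icmpv6[off + 1] * 8  # option length is in 8-octet units
        if olen == 0 or off + olen > len(icmpv6):
            raise ValueError("malformed option")
        body = icmpv6[off + 2:off + olen]
        if otype == OPT_PREFIX_INFO and olen == 32:
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif otype == OPT_RDNSS and olen >= 24:
            for i in range(6, len(body) - 15, 16):  # skip reserved(2) + lifetime(4)
                ra["dns"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += olen
    return ra

def assess_ra(src_ll: str, icmpv6: bytes, trusted_routers: set, trusted_dns: set) -> list:
    """Return findings for one RA; an empty list means the RA matches the allowlist."""
    ra = parse_ra(icmpv6)
    findings = []
    if src_ll not in trusted_routers:
        findings.append(f"RA from unlisted router {src_ll}")
    for dns in ra["dns"]:
        if dns not in trusted_dns:
            findings.append(f"RA from {src_ll} advertises unlisted DNS resolver {dns}")
    return findings

def build_ra(prefix: str, dns: str, lifetime: int = 1800) -> bytes:
    """Constructed test packet (checksum left zero): one prefix option, one RDNSS option."""
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, lifetime, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
    pio += net.network_address.packed
    rdnss = struct.pack("!BBHI", OPT_RDNSS, 3, 0, lifetime) + ipaddress.IPv6Address(dns).packed
    return hdr + pio + rdnss

TRUSTED_ROUTERS = {"fe80::1"}   # constructed allowlist of legitimate router link-local addresses
TRUSTED_DNS = {"2001:db8::53"}  # constructed allowlist of resolvers the network really uses
```

In a real deployment the allowlists come from the network inventory and the RA bytes from a packet capture on the segment; any non-empty findings list is the trigger for the deeper investigation the text recommends.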
Link(s):
https://www.welivesecurity.com/en/e...aac-spoofing-adversary-in-the-middle-attacks/