Full Report
ESET has discovered Spellbinder, a new tool used by the China-linked cyber espionage group TheWizards to conduct AitM…
Analysis Summary
# Threat Actor: TheWizards
## Attribution & Identity
**Identification:** China-linked cyber espionage group (ESET's attribution, as quoted above); the excerpt does not state a government sponsor, so "state-sponsored" should not be inferred from it.
**Known Aliases and Associated Groups:** Tracked by ESET as TheWizards; no other aliases are given in the source material.
## Activity Summary
The activity described is adversary-in-the-middle (AitM) attacks on IPv6 networks, carried out with a custom tool ESET calls Spellbinder, ending in deployment of the group's custom backdoor, WizardNet. The notable point is the delivery channel: rather than exploiting a software vulnerability, the actor positions itself in the victim's IPv6 traffic path and uses that position to get WizardNet onto the host.
## Tactics, Techniques & Procedures
- **IPv6 adversary-in-the-middle:** Using Spellbinder to intercept traffic on IPv6-enabled networks. The excerpt does not say which IPv6 mechanism is abused; in practice, AitM on an IPv6 segment is usually achieved by spoofing ICMPv6 Router Advertisements (SLAAC spoofing) so that hosts route through, and resolve names via, an attacker-controlled node.
- **Backdoor deployment:** Dropping the custom malware known as WizardNet on intercepted hosts.
- [No MITRE ATT&CK IDs were provided in the source material. Editor's mapping: the AitM step corresponds to T1557 (Adversary-in-the-Middle).]
## Targeting
- **Sectors:** Not detailed in the excerpt.
- **Geography:** Not specified. Note that the "China-linked" label describes the actor's origin, not its victims.
- **Victims:** No specific victims are named in the provided text. Because the technique operates on the local network segment, any organization with IPv6 enabled on endpoints (the default on modern Windows, macOS and Linux) is in scope once the attacker has a foothold on that segment.
## Tools & Infrastructure
- **Malware families used:** WizardNet (a custom backdoor), delivered via Spellbinder (the custom AitM tool).
- **Infrastructure (C2, domains, IPs):** Not specified in the excerpt. The AitM stage needs no remote infrastructure: it takes place on the victim's own link, which is part of why it is hard to see from perimeter telemetry.
## Implications
The group abuses a protocol that is enabled by default on most endpoints but rarely monitored or hardened with the same care as IPv4. Many networks that believe they are "IPv4 only" still carry live IPv6 link-local traffic, so controls such as ARP inspection, IPv4 ACLs and IPv4-focused NDR have nothing to say about a rogue IPv6 router appearing on the segment. Building a dedicated AitM tool for this gap indicates a capable, well-resourced actor that is adapting its tradecraft for stealth rather than relying on exploitable bugs.
## Mitigations
- Monitor IPv6 on internal segments, not just at the perimeter: in particular, alert on ICMPv6 Router Advertisements from MAC addresses or link-local sources that are not your known routers, on RAs announcing unexpected prefixes or DNS servers (RDNSS), and on RAs with a hop limit other than 255 (RFC 4861 requires 255, so anything else is a protocol violation).
- Deploy first-hop security where the switching hardware supports it: RA Guard and IPv6 source/prefix guard on access ports, and DHCPv6 Guard where DHCPv6 is used.
- Where IPv6 is genuinely unused on a segment, disable it on endpoints through policy rather than leaving it enabled and unmanaged; where it is used, apply the same ACLs, logging and egress controls as for IPv4.
- Treat the IPv6 path as untrusted for software updates and other downloads: enforce TLS with certificate validation and signed packages so that a traffic hijack cannot turn into code execution.
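The first mitigation above is easy to state and rarely implemented. The following is an added example, not code from the ESET report or from TheWizards' tooling, of the detection logic a practitioner would run over captured frames: it parses raw Ethernet/IPv6/ICMPv6 Router Advertisement frames with the standard library only, and flags RAs that deviate from a per-segment baseline (known router MACs, expected prefixes, expected RDNSS servers, hop limit 255, link-local source). The baseline values, MAC addresses and the two sample frames are constructed for the example; `build_ra_frame` exists only to fabricate those frames offline and is not needed when reading from a pcap or a raw socket.

```python
"""Flag rogue ICMPv6 Router Advertisements (RA) from raw Ethernet frames.

Added example for IPv6 AitM detection; the baseline, MACs and frames below
are constructed sample data, not observations from any real incident.
"""
import ipaddress
import struct
from dataclasses import dataclass, field

ETHERTYPE_IPV6 = 0x86DD
NEXT_HEADER_ICMPV6 = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFO = 3   # RFC 4861 Prefix Information option (32 bytes)
OPT_RDNSS = 25        # RFC 8106 Recursive DNS Server option


@dataclass
class RouterAdvertisement:
    src_mac: str
    src_ip: ipaddress.IPv6Address
    hop_limit: int
    router_lifetime: int
    preference: int                       # Prf bits: 1=high, 0=medium, 3=low
    prefixes: list = field(default_factory=list)
    dns_servers: list = field(default_factory=list)


@dataclass
class Baseline:
    router_macs: set
    prefixes: set
    dns_servers: set


def parse_ra(frame: bytes):
    """Return a RouterAdvertisement if the frame carries an ICMPv6 RA, else None."""
    if len(frame) < 14 + 40 + 16:          # Ethernet + IPv6 header + fixed RA part
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ip6 = frame[14:54]
    next_header, hop_limit = ip6[6], ip6[7]
    if next_header != NEXT_HEADER_ICMPV6:   # extension headers are not handled here
        return None
    src_ip = ipaddress.IPv6Address(ip6[8:24])
    icmp = frame[54:]
    if icmp[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return None
    flags = icmp[5]
    router_lifetime = struct.unpack("!H", icmp[6:8])[0]
    ra = RouterAdvertisement(src_mac, src_ip, hop_limit, router_lifetime, (flags >> 3) & 0x3)
    off = 16                                 # options follow the 16-byte fixed part as TLVs
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1]   # length is in units of 8 bytes
        if olen == 0:
            break                            # malformed option; stop rather than loop forever
        body = icmp[off + 2: off + olen * 8]
        if otype == OPT_PREFIX_INFO and olen == 4:
            ra.prefixes.append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif otype == OPT_RDNSS and olen >= 3:
            addrs = body[6:]                 # skip reserved(2) + lifetime(4)
            for i in range(0, len(addrs) - 15, 16):
                ra.dns_servers.append(str(ipaddress.IPv6Address(addrs[i:i + 16])))
        off += olen * 8
    return ra


def check_ra(ra: RouterAdvertisement, baseline: Baseline):
    """Return alert strings for one RA; an empty list means it matches the baseline."""
    alerts = []
    if ra.hop_limit != 255:
        alerts.append(f"hop limit {ra.hop_limit} != 255 (RFC 4861 violation)")
    if not ra.src_ip.is_link_local:
        alerts.append(f"non-link-local RA source {ra.src_ip}")
    if ra.src_mac not in baseline.router_macs:
        alerts.append(f"RA from unknown router {ra.src_mac} (lifetime={ra.router_lifetime}, prf={ra.preference})")
    alerts += [f"unexpected prefix {p}" for p in ra.prefixes if p not in baseline.prefixes]
    alerts += [f"unexpected RDNSS server {d}" for d in ra.dns_servers if d not in baseline.dns_servers]
    return alerts


def build_ra_frame(src_mac, src_ip, hop_limit, router_lifetime, preference, prefix, dns=None):
    """Constructed sample only: craft an RA frame for offline testing (checksum left 0, never sent)."""
    net = ipaddress.IPv6Network(prefix)
    options = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
    options += net.network_address.packed
    if dns:
        options += struct.pack("!BBHI", OPT_RDNSS, 3, 0, 3600) + ipaddress.IPv6Address(dns).packed
    icmp = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, preference << 3,
                       router_lifetime, 0, 0) + options
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), NEXT_HEADER_ICMPV6, hop_limit)
    ip6 += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed
    all_nodes_mac = bytes.fromhex("333300000001")
    return all_nodes_mac + bytes.fromhex(src_mac.replace(":", "")) + struct.pack("!H", ETHERTYPE_IPV6) + ip6 + icmp


# Constructed per-segment baseline and two sample frames: the real router, then a rogue one.
BASELINE = Baseline(router_macs={"00:11:22:33:44:55"}, prefixes={"2001:db8:1::/64"},
                    dns_servers={"2001:db8:1::53"})
SAMPLE_FRAMES = [
    build_ra_frame("00:11:22:33:44:55", "fe80::1", 255, 1800, 1, "2001:db8:1::/64", "2001:db8:1::53"),
    build_ra_frame("de:ad:be:ef:00:01", "fe80::dead", 255, 9000, 1, "2001:db8:dead::/64", "2001:db8:dead::53"),
]


def scan_frames(frames, baseline=BASELINE):
    """Map each offending source MAC to its alerts; frames that are not RAs are skipped."""
    findings = {}
    for frame in frames:
        ra = parse_ra(frame)
        if ra is not None and (alerts := check_ra(ra, baseline)):
            findings[ra.src_mac] = alerts
    return findings


if __name__ == "__main__":
    for mac, alerts in scan_frames(SAMPLE_FRAMES).items():
        print(mac, "->", "; ".join(alerts))
```

In production the frames would come from a pcap or a raw socket bound to the access VLAN, and the baseline from the network inventory; the checks themselves are the point. Note that a rogue on-link sender can trivially set hop limit 255 and a link-local source, so those two checks only catch sloppy tooling; the unknown-MAC, unexpected-prefix and unexpected-RDNSS checks are the ones that catch a competent AitM, which is why the baseline must be kept current per segment.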