ESET researchers analyzed Spellbinder, a lateral movement tool used to perform adversary-in-the-middle attacks
Analysis Summary
# Threat Actor: TheWizards
## Attribution & Identity
* **Attribution:** China-aligned threat actor.
* **Known Associations:** Linked to the Chinese company Dianke Network Security Technology, also known as UPSEC.
* **Aliases:** TheWizards (name assigned by ESET researchers).
## Activity Summary
TheWizards has been active since at least 2022 and utilizes sophisticated lateral movement tools to conduct network attacks. A key observation involved the deployment of a malicious DLL via legitimate Chinese software update mechanisms, specifically noted with the popular Chinese input method software **Sogou Pinyin** in 2022. This DLL acts as a dropper for a downloader, which subsequently retrieves and loads the group's signature backdoor, **WizardNet**. The deployment of the lateral movement tool, **Spellbinder**, is used to execute Adversary-in-the-Middle (AitM) attacks to intercept traffic and redirect updates from legitimate software to attacker-controlled servers. New versions of Spellbinder were observed being deployed in 2023 and 2024.
## Tactics, Techniques & Procedures
| Category | Tactic/Description | MITRE ATT&CK ID(s) |
| :--- | :--- | :--- |
| **Initial Access/Execution (Implied)** | Malicious DLL deployed via legitimate software update mechanisms (Sogou Pinyin). | - |
| **Defense Evasion** | WizardNet creates a mutex to prevent other instances from running. | [T1112](https://attack.mitre.org/versions/v16/techniques/T1112) |
| **Persistence/Defense Evasion** | An unknown component stores encrypted shellcode in the registry. | [T1112](https://attack.mitre.org/versions/v16/techniques/T1112) |
| **Obfuscation** | Downloader and shellcode dynamically resolve API addresses. | [T1027.007](https://attack.mitre.org/versions/v16/techniques/T1027/007) |
| **Obfuscation** | Shellcode contains WizardNet in encrypted form. | [T1027.009](https://attack.mitre.org/versions/v16/techniques/T1027/009) |
| **Obfuscation** | The file `log.dat` contains polymorphic decryption code that loads Spellbinder into memory. | [T1027.014](https://attack.mitre.org/versions/v16/techniques/T1027/014) |
| **Defense Evasion/Execution** | WizardNet injects shellcode into another process. | [T1055](https://attack.mitre.org/versions/v16/techniques/T1055) |
| **Defense Evasion/Execution** | Uses the `QueueUserAPC` API to execute injected code (Asynchronous Procedure Call injection). | [T1055.004](https://attack.mitre.org/versions/v16/techniques/T1055/004) |
| **Discovery** | Security Software Discovery: Checks running processes against a list of security solutions. | [T1518.001](https://attack.mitre.org/versions/v16/techniques/T1518/001) |
| **Discovery** | System Information Discovery (obtains computer name, uptime, OS name). | [T1082](https://attack.mitre.org/versions/v16/techniques/T1082) |
| **Discovery** | System Time Discovery. | [T1124](https://attack.mitre.org/versions/v16/techniques/T1124) |
| **Command and Control** | Ingress Tool Transfer (WizardNet can deploy new modules from C&C). | [T1105](https://attack.mitre.org/versions/v16/techniques/T1105/) |
| **Command and Control** | Uses TCP and UDP protocols for C&C communication. | [T1095](https://attack.mitre.org/versions/v16/techniques/T1095/) |
| **Command and Control** | Communication via TCP or UDP is encrypted with AES. | [T1573.001](https://attack.mitre.org/versions/v16/techniques/T1573/001/) |
| **Lateral Movement** | Adversary-in-the-Middle (AitM) attack using IPv6 Stateless Address Autoconfiguration (SLAAC) spoofing to redirect traffic. | - |
| **Execution** | Abuse of legitimate AVG components (`AVGApplicationFrameHost.exe` side-loading `wsc.dll`) to execute shellcode from `log.dat`. | - |
## Targeting
* **Sectors:** Individuals, gambling companies.
* **Geography:** Philippines, Cambodia, United Arab Emirates, mainland China, and Hong Kong.
* **Victims:** Not named; the report refers specifically to users of legitimate Chinese software (e.g., Sogou Pinyin).
## Tools & Infrastructure
* **Malware families used:**
  * **Spellbinder:** Lateral movement tool, performs AitM attacks via IPv6 SLAAC spoofing.
  * **WizardNet:** Modular backdoor deployed after successful compromise.
* **Infrastructure (Deployment/Initial Stage):**
  * Deployment involves an archive named `AVGApplicationFrameHostS.zip` dropped into `%PROGRAMFILES%\AVG Technologies`.
  * Files used: `AVGApplicationFrameHost.exe`, `wsc.dll`, `log.dat`, `winpcap.exe`.
  * Uses the **WinPcap** library for packet capture and interception.
* **Infrastructure (C2):**
  * WizardNet communicates via TCP/UDP, encrypted using AES.
## Implications
TheWizards demonstrates a high level of sophistication, blending state-level-style data exfiltration tools (WizardNet) with advanced, low-level network manipulation techniques (Spellbinder's IPv6 SLAAC spoofing AitM). The reliance on abusing update mechanisms of popular legitimate Chinese software for initial deployment suggests a targeted supply-chain vector toward users of these specific applications. Their persistent activity since 2022 indicates a dedicated and well-resourced operation.
## Mitigations
* **Network Monitoring:** Implement monitoring for anomalous ICMPv6 Router Advertisement (RA) packets on the internal network, which could indicate SLAAC spoofing attempts.
* **Software Integrity:** Employ controls to ensure software updates originate only from trusted, verified publishers and network locations; scrutinize behavior when legitimate update modules execute (e.g., side-loading).
* **Host Security:** Ensure defense mechanisms detect dynamic API resolution, code injection techniques (APC queue usage), and process behavior indicative of execution from volatile memory (`log.dat` contents).
* **IPv6 Configuration:** Harden IPv6 configurations to prevent rogue router advertisements, such as enabling RA Guard (RFC 6105) on access switch ports so that Router Advertisements are accepted only from ports facing legitimate routers, or disabling SLAAC if IPv6 is not strictly required.
* **Endpoint Detection:** Configure EDR/AV to flag the described file abuse pattern involving AVG-related executables (`AVGApplicationFrameHost.exe`) dropping malicious DLLs or executing shellcode.
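As an added defender-side example (not code from ESET's report or from the group's tooling), the following Python parses an ICMPv6 Router Advertisement, extracts the source link-layer address, advertised prefixes and RDNSS DNS servers, and flags RAs that do not come from an allow-listed router MAC or that push unexpected resolvers, which is the anomaly the SLAAC spoofing technique in the TTP table produces and the Network Monitoring mitigation above looks for. The trusted MAC and DNS values and the sample packet are constructed assumptions.

```python
import ipaddress
import struct

ICMPV6_RA = 134
OPT_SRC_LLADDR, OPT_PREFIX_INFO, OPT_RDNSS = 1, 3, 25  # RFC 4861 / RFC 8106

def parse_router_advertisement(icmpv6: bytes) -> dict:
    """Parse the ICMPv6 RA fixed header and the options SLAAC spoofing relies on."""
    msg_type, _code, _cksum, hop_limit, _flags, lifetime = struct.unpack("!BBHBBH", icmpv6[:8])
    if msg_type != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop_limit, "router_lifetime": lifetime,
          "src_mac": None, "prefixes": [], "dns_servers": []}
    off = 16  # fixed header is 16 bytes (reachable time and retrans timer skipped)
    while off + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1]
        if opt_len == 0:  # RFC 4861 forbids zero-length options; treat as malformed
            raise ValueError("malformed RA option")
        body = icmpv6[off + 2: off + opt_len * 8]
        if opt_type == OPT_SRC_LLADDR and len(body) >= 6:
            ra["src_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif opt_type == OPT_PREFIX_INFO and len(body) >= 30:
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif opt_type == OPT_RDNSS:  # reserved(2) + lifetime(4), then 16-byte addresses
            for i in range(6, len(body) - 15, 16):
                ra["dns_servers"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += opt_len * 8
    return ra

def assess_ra(ra: dict, trusted_router_macs: set, trusted_dns: set) -> list:
    """Findings indicating a rogue RA: unknown sender, or an RDNSS option that
    points resolvers somewhere other than the organisation's own DNS servers."""
    findings = []
    if ra["src_mac"] not in trusted_router_macs:
        findings.append(f"RA sent by untrusted router MAC {ra['src_mac']}")
    rogue_dns = [d for d in ra["dns_servers"] if d not in trusted_dns]
    if rogue_dns:
        findings.append(f"RA advertises unexpected DNS servers {rogue_dns}")
    return findings

def build_sample_ra(src_mac: bytes, dns_server: bytes) -> bytes:
    """Constructed test RA (checksum left zero): SLLA, one /64 prefix, one RDNSS entry."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)
    lladdr = bytes([OPT_SRC_LLADDR, 1]) + src_mac
    prefix = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, 64, 0xC0, 2592000,
                         604800, 0, ipaddress.IPv6Address("2001:db8:1::").packed)
    rdnss = struct.pack("!BBHI16s", OPT_RDNSS, 3, 0, 1800, dns_server)
    return hdr + lladdr + prefix + rdnss
```

Feed `parse_router_advertisement` the ICMPv6 payload of each captured RA (for example from a WinPcap or libpcap capture on the segment) and alert on any non-empty result from `assess_ra`.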