TheWizards, a China-aligned APT group, uses a tool named Spellbinder to conduct adversary-in-the-middle (AitM) attacks, primarily through IPv6 SLAAC spoofing. This method allows the group to hijack legitimate software updates from Sogou Pinyin, redirecting users to malicious content. The primary payload is a downloader that installs a modular backdoor known as WizardNet. This tactic mirrors previous attacks by other Chinese groups that abused Sogou's update mechanism, demonstrating a persistent threat to various sectors across Southeast Asia and the UAE since at least 2022.
Spellbinder enables adversary-in-the-middle (AitM) attacks through IPv6 stateless address autoconfiguration (SLAAC) spoofing, letting the group move laterally in the compromised network and intercept packets.
This is not the first time Chinese threat actors have abused Sogou Pinyin's software update process to deliver their own malware.
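SLAAC spoofing works because hosts trust whatever ICMPv6 Router Advertisement (RA) they hear on the link: a machine that sends RAs can become the victims' default IPv6 router and DNS server and so sit in the path of their update traffic. One defensive check is to decode RAs seen on a segment and flag any that come from a router MAC, announce a prefix, or offer a DNS server (RDNSS option) that is not on the network's allow-list. The following is an added example written for this page, not code from the report or from the Spellbinder tool; the packet builder, the allow-lists and the two sample advertisements are constructed for illustration, and the parser operates on the raw ICMPv6 payload (after the IPv6 header), so it assumes a capture library has already stripped that header.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set

# ICMPv6 type and option codes from RFC 4861 / RFC 8106
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LLADDR = 1   # source link-layer address (router MAC)
OPT_PREFIX_INFO = 3     # prefix information (what hosts autoconfigure from)
OPT_RDNSS = 25          # recursive DNS server addresses


@dataclass
class RouterAdvertisement:
    src_mac: Optional[str] = None
    router_lifetime: int = 0
    prefixes: List[str] = field(default_factory=list)
    dns_servers: List[str] = field(default_factory=list)


def parse_router_advertisement(payload: bytes) -> RouterAdvertisement:
    """Decode a raw ICMPv6 RA (IPv6 header already removed) into its key fields."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    ra = RouterAdvertisement(router_lifetime=struct.unpack("!H", payload[6:8])[0])
    off = 16  # fixed RA header is 16 bytes; TLV options follow
    while off + 2 <= len(payload):
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("malformed option with zero length")
        end = off + opt_len * 8  # option length is in units of 8 octets
        if end > len(payload):
            raise ValueError("option runs past end of message")
        body = payload[off + 2:end]
        if opt_type == OPT_SOURCE_LLADDR and opt_len == 1:
            ra.src_mac = ":".join(f"{b:02x}" for b in body[:6])
        elif opt_type == OPT_PREFIX_INFO and opt_len == 4:
            # body: prefix length, flags, valid, preferred, reserved, 16-byte prefix
            ra.prefixes.append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif opt_type == OPT_RDNSS and opt_len >= 3:
            # body: 2 reserved, 4 lifetime, then one or more 16-byte addresses
            addrs = body[6:]
            for i in range(0, len(addrs) - 15, 16):
                ra.dns_servers.append(str(ipaddress.IPv6Address(addrs[i:i + 16])))
        off = end
    return ra


def audit_router_advertisement(ra: RouterAdvertisement, allowed_routers: Set[str],
                               allowed_prefixes: Set[str], allowed_dns: Set[str]) -> List[str]:
    """Return a list of findings; an empty list means the RA matches the allow-lists."""
    findings = []
    if ra.src_mac is None or ra.src_mac not in allowed_routers:
        findings.append(f"RA from unexpected router MAC {ra.src_mac}")
    for prefix in ra.prefixes:
        if prefix not in allowed_prefixes:
            findings.append(f"unexpected prefix {prefix}")
    for dns in ra.dns_servers:
        if dns not in allowed_dns:
            findings.append(f"unexpected RDNSS server {dns}")
    return findings


def build_ra(src_mac: bytes, prefix: str, plen: int, dns: List[str]) -> bytes:
    """Construct a minimal RA for testing (checksum left zero; not sent on the wire)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    opts = bytes([OPT_SOURCE_LLADDR, 1]) + src_mac
    opts += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
    opts += ipaddress.IPv6Address(prefix).packed
    opts += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, 1800)
    opts += b"".join(ipaddress.IPv6Address(d).packed for d in dns)
    return hdr + opts


# Constructed allow-lists and sample advertisements (hypothetical network, not from the report)
ALLOWED_ROUTERS = {"00:11:22:33:44:55"}
ALLOWED_PREFIXES = {"2001:db8:1::/64"}
ALLOWED_DNS = {"2001:db8:1::53"}
LEGIT_RA = build_ra(bytes.fromhex("001122334455"), "2001:db8:1::", 64, ["2001:db8:1::53"])
ROGUE_RA = build_ra(bytes.fromhex("deadbeef0001"), "fd00:bad::", 64, ["fd00:bad::1"])


def audit_samples() -> dict:
    """Audit both constructed RAs and return findings keyed by sample name."""
    return {name: audit_router_advertisement(parse_router_advertisement(pkt),
                                             ALLOWED_ROUTERS, ALLOWED_PREFIXES, ALLOWED_DNS)
            for name, pkt in (("legit", LEGIT_RA), ("rogue", ROGUE_RA))}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, "->", findings or "ok")
```

The legitimate sample produces no findings; the rogue one is reported three times (unknown router MAC, unknown prefix, unknown DNS server), which is exactly the signature of a host trying to insert itself as router and resolver. In practice the same logic runs over RAs captured from a monitoring port, and on managed switches the preventive control is IPv6 RA Guard (RFC 6105), which drops RAs arriving on ports that are not known router uplinks.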