TheWizards APT Casts ‘Spellbinder’ to Hijack Software Updates

Swagta Nath

At RSAC 2025, researchers from ESET exposed an alarming new tactic by a Chinese advanced persistent threat (APT) group known as TheWizards. The group has developed a tool called Spellbinder, which enables a unique adversary-in-the-middle (AitM) attack by exploiting IPv6 SLAAC spoofing, a known but rarely used attack vector.

In this campaign, Spellbinder intercepts DNS queries from popular Chinese software such as Tencent QQ, Sogou Pinyin, and others. It then redirects the update traffic to attacker-controlled servers, where malicious payloads are served in place of legitimate updates. The key malware delivered includes a modular Windows backdoor named WizardNet, and in mobile cases, the Android malware DarkNights (also known as DarkNimbus).

“TheWizards hijack trusted software update channels to deliver backdoors disguised as routine updates, allowing them to stay under the radar of traditional endpoint detection tools,” said ESET’s Jean-Ian Boutin.

Targets: Gambling Sector, Android Devices & Chinese Platforms

The campaign has been actively targeting gambling companies and their customers in Southeast Asia (Philippines, Cambodia), the UAE, and mainland China since at least 2022. While the motivation behind targeting the gambling industry remains unclear, the persistence and scope of operations suggest espionage or surveillance objectives.

The malicious update delivery mechanism is particularly dangerous because it:

  • Spoofs trusted IPv6 addresses to gain access

  • Serves malware through hijacked DNS responses

  • Delivers encrypted payloads, bypassing memory scanning tools like AMSI

  • Disables Windows Event Logging, leaving minimal forensic traces

One recent case involved the update mechanism of Tencent QQ, where Spellbinder intercepted a request to update.browser.qq.com, replaced it with an attacker’s server, and delivered a DLL downloader, leading to the installation of WizardNet.


On mobile devices, a similar hijack chain ends with the deployment of DarkNights, linked to surveillance operations against ethnic minorities and previously attributed to another Chinese APT, Earth Minotaur.

APT Crossovers: Connections to Earth Minotaur & Shared Digital Infrastructure

ESET’s research also identified overlaps between TheWizards and another known Chinese APT group, Earth Minotaur — infamous for targeting the Tibetan and Uyghur communities using Android spyware like DarkNimbus. The Dianke Network Security Technology (UPSEC) firm, previously flagged as the supplier of DarkNimbus, is believed to be a common “digital quartermaster” between these APTs.

While the Windows payloads differ (WizardNet for TheWizards vs. Moonshine/DarkNimbus for Earth Minotaur), the use of common infrastructure and overlapping tools points to a broader ecosystem of malware-as-a-service operating within Chinese cyber-espionage circles.

“TheWizards campaign is notable not only for its advanced abuse of IPv6 traffic, but also for the way it highlights tool-sharing among Chinese APTs,” Boutin said.

Defense and Mitigation: How to Detect and Prevent Spellbinder Attacks

Though ESET hasn’t identified the initial infection vector for Spellbinder, they recommend the following defense strategies:

  • Monitor IPv6 traffic for unusual DNS resolutions and SLAAC spoofing activity

  • Implement Secure Neighbor Discovery (SEND) to protect against IPv6 spoofing

  • Use EDR/XDR tools that detect behavioral anomalies, not just known signatures

  • Ensure software update channels are verified and encrypted (HTTPS)

  • Regularly patch routers and networking equipment to prevent hijack attempts
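The first recommendation above, monitoring for SLAAC spoofing, comes down to watching ICMPv6 Router Advertisements on each segment: SLAAC hosts accept the prefix and, via the RDNSS option of RFC 8106, the DNS resolvers that any RA on the link offers them, so an RA from an unexpected sender or one that pushes an unknown resolver is the signal to alert on. The following is an added illustration, not ESET's tooling or anything from the article: it parses a raw RA payload (RFC 4861 header plus the source link-layer, prefix and RDNSS options) and checks it against allowlists of known router MACs and known resolvers. The allowlists, the `2001:db8::` addresses and the MACs are constructed sample values, and the packets are built in-process (zero checksum, never sent), so it runs offline against the constructed samples or against RA payloads pulled from a capture.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134  # RFC 4861 section 4.2
OPT_SOURCE_LL_ADDR = 1             # RFC 4861 section 4.6.1
OPT_PREFIX_INFO = 3                # RFC 4861 section 4.6.2
OPT_RDNSS = 25                     # RFC 8106 section 5.1


def parse_router_advertisement(payload: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement payload into a dict of the fields a monitor cares about."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    _t, _c, _csum, hop_limit, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", payload[:16])
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "source_mac": None, "prefixes": [], "dns_servers": []}
    offset = 16
    while offset + 2 <= len(payload):
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:                       # RFC 4861: a zero-length option must be discarded
            raise ValueError("zero-length option")
        end = offset + opt_len * 8             # option length is in units of 8 octets
        if end > len(payload):
            raise ValueError("truncated option")
        body = payload[offset + 2:end]
        if opt_type == OPT_SOURCE_LL_ADDR and len(body) >= 6:
            ra["source_mac"] = body[:6].hex(":")
        elif opt_type == OPT_PREFIX_INFO and len(body) >= 30:
            # prefix length(1) flags(1) valid(4) preferred(4) reserved(4) prefix(16)
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif opt_type == OPT_RDNSS:
            addrs = body[6:]                   # skip reserved(2) and lifetime(4)
            for i in range(0, len(addrs) - 15, 16):
                ra["dns_servers"].append(str(ipaddress.IPv6Address(addrs[i:i + 16])))
        offset = end
    return ra


def check_router_advertisement(ra: dict, known_router_macs: set, known_dns: set) -> list:
    """Return alert strings for an RA that comes from an unknown router or pushes an unknown resolver."""
    alerts = []
    if ra["source_mac"] is None or ra["source_mac"] not in known_router_macs:
        alerts.append(f"RA from unexpected source {ra['source_mac']}")
    for dns in ra["dns_servers"]:
        if dns not in known_dns:
            alerts.append(f"RDNSS option advertises unknown resolver {dns}")
    return alerts


def build_ra(source_mac: bytes, dns_servers: list, router_lifetime: int = 1800) -> bytes:
    """Construct a minimal RA payload for the demo (checksum left at zero; never put on the wire)."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, router_lifetime, 0, 0)
    options = bytes([OPT_SOURCE_LL_ADDR, 1]) + source_mac
    if dns_servers:
        packed = b"".join(ipaddress.IPv6Address(a).packed for a in dns_servers)
        options += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns_servers), 0, 3600) + packed
    return header + options


# Constructed allowlists: what the segment's real router and resolver are known to be.
KNOWN_ROUTER_MACS = {"00:11:22:33:44:55"}
KNOWN_DNS = {"2001:db8::53"}

# Constructed samples: one RA from the known router, one from an unknown sender pushing a foreign resolver.
LEGIT_RA = build_ra(bytes.fromhex("001122334455"), ["2001:db8::53"])
ROGUE_RA = build_ra(bytes.fromhex("deadbeef0001"), ["2001:db8:bad::1"])


def scan(packets: dict) -> dict:
    """Run the allowlist check over a {name: ra_payload} mapping and return the alerts per packet."""
    return {name: check_router_advertisement(parse_router_advertisement(p), KNOWN_ROUTER_MACS, KNOWN_DNS)
            for name, p in packets.items()}


if __name__ == "__main__":
    for name, alerts in scan({"legit": LEGIT_RA, "rogue": ROGUE_RA}).items():
        print(name, "->", alerts or "ok")
```

In production the allowlist belongs in configuration and the payloads come from a capture filter on ICMPv6 type 134 (the checksum is validated by the capture stack, not here); the point of the check is that a host's resolver can be changed by a single unsolicited multicast RA, so an unknown RDNSS entry on a segment where routers should be static deserves the same priority as a rogue DHCP server on IPv4.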

The emergence of Spellbinder underscores the need to expand visibility into IPv6-based attacks, which remain under-monitored compared to IPv4. As attackers continue to abuse legitimate software supply chains, defenders must ensure robust endpoint visibility and network segmentation.
