Chinese Hackers Abuse IPv6 SLAAC for AitM Attacks via Spellbinder Lateral Movement Tool

News Room | Published 30 April 2025 | Last updated 2025/04/30 at 8:43 AM

Apr 30, 2025 | Ravie Lakshmanan | Malware / DNS Security

A China-aligned advanced persistent threat (APT) group called TheWizards has been linked to a lateral movement tool called Spellbinder that can facilitate adversary-in-the-middle (AitM) attacks.

“Spellbinder enables adversary-in-the-middle (AitM) attacks, through IPv6 stateless address autoconfiguration (SLAAC) spoofing, to move laterally in the compromised network, intercepting packets and redirecting the traffic of legitimate Chinese software so that it downloads malicious updates from a server controlled by the attackers,” ESET researcher Facundo Muñoz said in a report shared with The Hacker News.

The attack paves the way for a malicious downloader that’s delivered by hijacking the software update mechanism associated with Sogou Pinyin. The downloader then acts as a conduit to drop a modular backdoor codenamed WizardNet.

This is not the first time Chinese threat actors have abused Sogou Pinyin’s software update process to deliver their own malware. In January 2024, ESET detailed a hacking group referred to as Blackwood that deployed an implant named NSPX30 by taking advantage of the update mechanism of the same Chinese input method software.


Then earlier this year, the Slovak cybersecurity company revealed another threat cluster known as PlushDaemon that leveraged the same technique to distribute a custom downloader called LittleDaemon.

TheWizards APT is known to target individuals as well as the gambling sector in Cambodia, Hong Kong, Mainland China, the Philippines, and the United Arab Emirates.

Evidence suggests that the Spellbinder IPv6 AitM tool has been put to use by the threat actor since at least 2022. While the exact initial access vector used in the attacks is unknown at this stage, successful access is followed by the delivery of a ZIP archive that contains four different files: AVGApplicationFrameHost.exe, wsc.dll, log.dat, and winpcap.exe.

The threat actors then proceed to install “winpcap.exe” and run “AVGApplicationFrameHost.exe,” the latter of which is abused to sideload the DLL. The DLL file subsequently reads shellcode from “log.dat” and executes it in memory, causing Spellbinder to be launched in the process.

“Spellbinder uses the WinPcap library to capture packets and to reply to packets when needed,” Muñoz explained. “It takes advantage of IPv6’s Network Discovery Protocol in which ICMPv6 Router Advertisement (RA) messages advertise that an IPv6-capable router is present in the network so that hosts that support IPv6, or are soliciting an IPv6-capable router, can adopt the advertising device as their default gateway.”
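As an added defender-side illustration (not code from ESET, the article, or the Spellbinder tool itself), the parser below inspects raw IPv6 frames for Router Advertisements and flags any RA whose source is not an allow-listed router, which is how a rogue host makes itself the default gateway as described above; it goes one step beyond the text by also checking the RDNSS option (RFC 8106), through which an RA can push a DNS resolver onto hosts. The router and resolver addresses are assumed allow-lists, and the packets are constructed inline for testing.

```python
import ipaddress
import struct

ICMPV6, RA_TYPE, OPT_RDNSS = 58, 134, 25  # next-header, RA type, RDNSS option (RFC 8106)
# Assumed allow-lists (constructed): the real router's link-local address and the resolvers it may advertise.
LEGIT_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
APPROVED_RESOLVERS = {ipaddress.IPv6Address("2001:db8::53")}


def parse_ra(packet: bytes):
    """Return (src, router_lifetime, rdnss_addrs) for an RA (40-byte IPv6 header + 16-byte RA header, RFC 4861), else None."""
    if len(packet) < 56 or packet[0] >> 4 != 6 or packet[6] != ICMPV6 or packet[40] != RA_TYPE:
        return None
    src = ipaddress.IPv6Address(packet[8:24])
    router_lifetime = struct.unpack("!H", packet[46:48])[0]
    resolvers, off = [], 56  # options follow the fixed RA header
    while off + 2 <= len(packet):
        otype, olen = packet[off], packet[off + 1] * 8
        if olen == 0:
            break  # malformed option length: stop instead of looping forever
        if otype == OPT_RDNSS:
            body = packet[off + 8:off + olen]  # skip type/len/reserved/lifetime
            resolvers += [ipaddress.IPv6Address(body[i:i + 16])
                          for i in range(0, len(body) - 15, 16)]
        off += olen
    return src, router_lifetime, resolvers


def classify(packet: bytes) -> list:
    """Return findings for one packet; an empty list means the RA looks benign."""
    parsed = parse_ra(packet)
    if parsed is None:
        return []
    src, lifetime, resolvers = parsed
    findings = []
    if src not in LEGIT_ROUTERS:  # a host offering itself as the default gateway
        findings.append(f"RA from unexpected router {src} (lifetime {lifetime}s)")
    findings += [f"RA from {src} pushes unapproved DNS resolver {r}"
                 for r in resolvers if r not in APPROVED_RESOLVERS]
    return findings


def build_ra(src: str, lifetime: int, rdnss=()) -> bytes:
    """Construct a sample RA for testing (checksum left zero on purpose)."""
    opts = b""
    if rdnss:
        addrs = b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
        opts = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, 1800) + addrs
    icmp = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0, lifetime, 0, 0) + opts
    ip6 = (struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, 255)
           + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed)
    return ip6 + icmp
```

In practice the same checks are what switch-level RA Guard (RFC 6105) enforces; this script is the host- or sensor-side equivalent for networks where that feature is unavailable.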

In one attack case observed in 2024, the threat actors are said to have utilized this method to hijack the software update process for Tencent QQ at the DNS level to serve a trojanized version that then deploys WizardNet, a modular backdoor that’s equipped to receive and run .NET payloads on the infected host.

Spellbinder pulls this off by intercepting the DNS query for the software update domain (“update.browser.qq[.]com”) and issuing a DNS response with the IP address of an attacker-controlled server (“43.155.62[.]54”) hosting the malicious update.


Another noteworthy tool in TheWizards’ arsenal is DarkNights, which Trend Micro calls DarkNimbus and which has been attributed to another Chinese hacking group tracked as Earth Minotaur. Even so, the two clusters are treated as independent operators, given differences in tooling, infrastructure, and targeting footprints.

It has since emerged that a Chinese public security ministry contractor named Sichuan Dianke Network Security Technology Co., Ltd. (aka UPSEC) is the supplier of the DarkNimbus malware.

“While TheWizards uses a different backdoor for Windows (WizardNet), the hijacking server is configured to serve DarkNights to updating applications running on Android devices,” Muñoz said. “This indicates that Dianke Network Security is a digital quartermaster to TheWizards APT group.”
