
TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY:

TheWizards, a China-aligned APT group, employs Spellbinder, a lateral movement tool that performs adversary-in-the-middle attacks through IPv6 SLAAC spoofing. By answering hosts' router solicitations with rogue Router Advertisements, the attackers position themselves to intercept network traffic and redirect legitimate Chinese software updates to malicious servers. The group targets individuals, gambling companies, and entities in Southeast Asia, the UAE, China, and Hong Kong. Their malware chain includes the WizardNet backdoor and uses DNS hijacking to deliver malicious updates. Evidence links TheWizards to Sichuan Dianke Network Security Technology Co., Ltd. (UPSEC), suggesting that UPSEC may act as a digital quartermaster for this APT group. The attackers use sophisticated tools and techniques to evade detection and maintain persistence on compromised systems.

OPENCTI LABELS:

lateral movement, adversary-in-the-middle, software update hijacking, wizardnet, spellbinder, slaac spoofing

