TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY :
TheWizards, a China-aligned threat actor, employs Spellbinder, a lateral movement tool that enables adversary-in-the-middle attacks through IPv6 SLAAC spoofing. This technique allows the group to intercept network traffic and redirect legitimate Chinese software updates to malicious servers. The attackers deploy their custom backdoor, WizardNet, which can load additional modules and gather system information. TheWizards targets individuals, gambling companies, and other entities in several Asian countries and the UAE. The group is linked to Sichuan Dianke Network Security Technology Co., Ltd. (UPSEC), known for supplying malware to other threat actors. TheWizards' sophisticated toolset and tactics demonstrate their advanced capabilities in compromising networks and evading detection.
OPENCTI LABELS :
china,lateral movement,adversary-in-the-middle,software update hijacking,wizardnet,spellbinder,slaac spoofing,darknights
Open in NetmanageIT OpenCTI Public Instance with below link!
Use public read only username and password on login page.
NOTE : Use Public READ only user credentials on login page banner.
TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks