Chinese Group TheWizards Exploits IPv6 to Drop WizardNet Backdoor

ESET has discovered Spellbinder, a new tool used by the China-linked cyber espionage group TheWizards to conduct AitM attacks and spread their WizardNet backdoor via manipulated software updates.
A sophisticated cyber espionage operation, linked to China and active since at least 2022, has been exposed by security researchers at ESET. The group, dubbed TheWizards by ESET, stands out for its novel method of infiltrating computer networks: it reportedly employs a custom tool, named Spellbinder, to conduct adversary-in-the-middle (AitM) attacks that deliver a sophisticated backdoor ESET calls WizardNet.
ESET’s in-depth analysis, detailed in a recent blog post, reveals that Spellbinder manipulates network traffic via IPv6 SLAAC (stateless address autoconfiguration) spoofing, effectively intercepting legitimate Chinese software updates and redirecting them to attacker-controlled servers to deliver WizardNet.
WizardNet is a sophisticated, modular backdoor capable of receiving and executing further malicious modules from a remote C2 server. This allows TheWizards to perform a wide range of malicious activities on compromised systems.
Reportedly, after gaining initial access, the attackers deploy a specific archive which, through a process called side-loading, ultimately executes Spellbinder’s malicious code. Spellbinder, which has evolved since ESET first analysed it in 2022, uses WinPcap to capture packets and abuses IPv6’s Neighbor Discovery Protocol by sending crafted ICMPv6 Router Advertisement (RA) messages. This tricks victims into using the attacker’s machine as their gateway, enabling traffic interception. Spellbinder then monitors DNS queries for targeted Chinese platforms such as Tencent, Baidu, and Xiaomi, generates fake DNS responses, and directs victims to attacker-controlled IPs (e.g., 43.155.116.7 in 2022 and 43.155.62.54 in 2024) serving malicious updates.
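One detection check a defender can run over captured IPv6 traffic, as an added example that is not from the ESET report or this article: parse ICMPv6 Router Advertisements and flag any RA whose link-local source is not an allow-listed router, reporting the router lifetime and any DNS servers it pushes via the RDNSS option (RFC 8106), since those are the fields a spoofed RA uses to take over the gateway and DNS roles. The frames, router addresses and allow-list below are constructed for the demonstration and are assumptions, not values from the page.

```python
import ipaddress
import struct

ICMPV6_RA = 134          # ICMPv6 type: Router Advertisement
OPT_PREFIX_INFO = 3      # RFC 4861 prefix information option
OPT_RDNSS = 25           # RFC 8106 recursive DNS server option

def parse_ra(frame: bytes):
    """Parse a raw IPv6 packet; return the RA's key fields, or None if it is not an RA."""
    if len(frame) < 56 or frame[0] >> 4 != 6 or frame[6] != 58:   # 58 = ICMPv6
        return None
    src = str(ipaddress.IPv6Address(frame[8:24]))
    icmp = frame[40:]
    if icmp[0] != ICMPV6_RA:
        return None
    lifetime = struct.unpack("!H", icmp[6:8])[0]     # router lifetime in seconds
    prefixes, dns = [], []
    off = 16                                          # options follow the 16-byte RA header
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8    # option length is in 8-byte units
        if olen == 0 or off + olen > len(icmp):
            break                                     # malformed or truncated option
        body = icmp[off:off + olen]
        if otype == OPT_PREFIX_INFO and olen == 32:
            prefixes.append(f"{ipaddress.IPv6Address(body[16:32])}/{body[2]}")
        elif otype == OPT_RDNSS and olen >= 24:
            for i in range(8, olen - 15, 16):
                dns.append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += olen
    return {"src": src, "lifetime": lifetime, "prefixes": prefixes, "dns": dns}

def detect_rogue_ra(frames, allowed_routers):
    """Return every RA whose source is not an allow-listed router (the alert list)."""
    return [ra for ra in map(parse_ra, frames) if ra and ra["src"] not in allowed_routers]

def build_ra(src: str, lifetime: int, rdnss=()) -> bytes:
    """Constructed test frame (checksum left zero; only used to feed the parser, never sent)."""
    opts = b""
    if rdnss:
        opts = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, 0xFFFFFFFF)
        opts += b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
    icmp = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, lifetime, 0, 0) + opts
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), 58, 255)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed + icmp

if __name__ == "__main__":
    # Constructed sample: one RA from the known router, one from an unknown host pushing its own DNS server.
    frames = [build_ra("fe80::1", 1800), build_ra("fe80::dead:beef", 9000, rdnss=["fd00::53"])]
    for alert in detect_rogue_ra(frames, allowed_routers={"fe80::1"}):
        print("rogue RA:", alert)
```

In production the same parser would be fed from a capture on the segment (or compared against switch RA Guard logs); any RA from an unexpected source, especially one carrying RDNSS, is the signal to investigate.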
A notable instance involved hijacking legitimate update requests for Tencent QQ software by Spellbinder in 2024, directing the software to download a malicious archive from the attacker’s server. This archive contained a harmful component that, upon execution, installed the WizardNet backdoor.
ESET’s telemetry indicates that TheWizards have been actively targeting entities in the Philippines, Cambodia, the United Arab Emirates, mainland China, and Hong Kong. The targets range from individuals to gambling companies and other currently unknown entities.
The initial discovery involved Sogou Pinyin (a widely used Chinese input method software) downloading WizardNet. This follows a pattern of abuse targeting Sogou Pinyin’s update process. In January 2024, as detailed by ESET, the hacking group Blackwood utilized this method to deploy an implant named NSPX30.
Furthermore, earlier in 2025, the Slovak cybersecurity firm revealed another threat group known as PlushDaemon that also leveraged the same technique to distribute a custom downloader called LittleDaemon.
As detailed in their report, the researchers observed potential links between TheWizards and the Chinese company Sichuan Dianke Network Security Technology (UPSEC) through their analysis of the Android malware DarkNights (DarkNimbus).
Despite TheWizards primarily using WizardNet on Windows, their infrastructure served DarkNights as a malicious update for Android Tencent QQ.
Such sophisticated manipulation of trusted update mechanisms highlights the persistent and evolving threat from state-aligned cyber espionage, and the ongoing need to harden update channels and remain alert to these threats.
HackRead