A Chinese state-backed hacker group known as TheWizards is using a covert tool named Spellbinder to launch dangerous IPv6 AitM attacks. These attacks rely on exploiting stateless address autoconfiguration (SLAAC)—a core IPv6 feature—to quietly take over network traffic.
According to cybersecurity firm ESET, Spellbinder allows attackers to impersonate a trusted router inside a network. Once in, they hijack update processes of popular Chinese apps like Sogou Pinyin, silently replacing them with malware from attacker-controlled servers. This clever redirection installs a modular backdoor known as WizardNet on the victim’s device.
Abusing IPv6 and Trusted Software to Spread Malware
This isn’t the first time Chinese hackers have turned Sogou Pinyin’s update system into a malware delivery channel. Earlier this year, other threat groups like Blackwood and PlushDaemon pulled off similar tricks. They used fake updates to install malware such as NSPX30 and LittleDaemon.
TheWizards group has been active since at least 2022. Their targets include individuals and businesses in regions such as Cambodia, Hong Kong, mainland China, the Philippines, and the UAE.
Although the entry method remains unclear, infections often start with a ZIP file that carries four components: AVGApplicationFrameHost.exe, wsc.dll, log.dat, and winpcap.exe. Once inside, attackers install WinPcap and run the fake AVG file to trigger DLL sideloading. This process loads shellcode from log.dat and launches the Spellbinder tool in memory.
From there, Spellbinder monitors traffic using WinPcap. It replies to IPv6 discovery messages and tricks nearby systems into accepting it as their gateway. This redirection lets the attackers intercept traffic without triggering alerts.
In one case observed in 2024, Spellbinder was used to hijack the update domain for Tencent QQ. Instead of contacting the real server, the victim’s system received a fake IP address pointing to a server run by the attackers. This server delivered a tampered software update containing the WizardNet backdoor.
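The rogue-router technique described above leaves a detectable trace: Router Advertisements from a source the network does not recognize, often carrying a DNS (RDNSS) option that points hosts at an attacker's resolver. The following example, added here and not part of ESET's research or the article, builds constructed ICMPv6 Router Advertisement payloads and audits them against an assumed allow-list of the segment's legitimate router and approved resolvers.

```python
import ipaddress
import struct

# Assumed trust model for one segment (not from the article): a single known
# router link-local address and a single approved recursive DNS server.
KNOWN_ROUTERS = {"fe80::1"}
APPROVED_DNS = {ipaddress.ip_address("2001:db8::53")}

def build_ra(router_lifetime, rdnss=(), prefix=None):
    """Construct an ICMPv6 Router Advertisement payload (checksum left zero)."""
    pkt = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, router_lifetime, 0, 0)
    if prefix:  # Prefix Information option: type 3, length 4 (32 bytes)
        net = ipaddress.ip_network(prefix)
        pkt += struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0)
        pkt += net.network_address.packed
    if rdnss:  # RDNSS option (RFC 8106): type 25, length 1 + 2 per address
        pkt += struct.pack("!BBHI", 25, 1 + 2 * len(rdnss), 0, 3600)
        for addr in rdnss:
            pkt += ipaddress.ip_address(addr).packed
    return pkt

def parse_ra(payload):
    """Return (router_lifetime, [dns servers], [prefixes]) or None if not an RA."""
    if len(payload) < 16 or payload[0] != 134:
        return None
    lifetime = struct.unpack("!H", payload[6:8])[0]
    dns, prefixes, off = [], [], 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1] * 8
        if olen == 0 or off + olen > len(payload):
            break  # malformed option length: stop rather than over-read
        body = payload[off + 2:off + olen]
        if otype == 25:  # RDNSS: reserved(2) lifetime(4) then 16-byte addresses
            for i in range(6, len(body) - 15, 16):
                dns.append(ipaddress.ip_address(body[i:i + 16]))
        elif otype == 3:  # Prefix Information: prefix length first, prefix last
            prefixes.append(f"{ipaddress.ip_address(body[14:30])}/{body[0]}")
        off += olen
    return lifetime, dns, prefixes

def audit_ra(src_ip, payload):
    """Flag RAs a defender would not expect on this segment."""
    parsed = parse_ra(payload)
    if parsed is None:
        return ["not a router advertisement"]
    _lifetime, dns, _prefixes = parsed
    findings = []
    if src_ip not in KNOWN_ROUTERS:
        findings.append(f"RA from unknown router {src_ip}")
    findings += [f"RDNSS offers unapproved resolver {d}" for d in dns if d not in APPROVED_DNS]
    return findings
```

In practice the payloads would come from a capture filter on ICMPv6 type 134 rather than from build_ra, which exists only to produce test input; RA Guard on switch ports remains the primary mitigation and this audit is the detection layer behind it.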
Malware Supply Chain Tied to China’s Public Security
Spellbinder isn’t the only weapon in TheWizards’ toolkit. They also use DarkNights, an Android-focused backdoor that Trend Micro tracks as DarkNimbus. Interestingly, this tool is linked to a different group—Earth Minotaur—though researchers believe the two groups operate independently.
What connects these tools is their likely supplier. Investigators traced DarkNights to Sichuan Dianke Network Security Technology Co., Ltd., also known as UPSEC. This company is a known contractor for China’s Ministry of Public Security.
ESET researchers say this points to a “digital quartermaster” setup. In other words, Chinese government contractors may be building tools that multiple hacker groups reuse. TheWizards, for example, prefer WizardNet for Windows, but the same hijacking servers serve DarkNights to Android apps.
This shared infrastructure shows how China’s cyber operations rely not just on technical skill, but on a growing ecosystem of private vendors feeding the state’s hacking machine.