A China-aligned advanced persistent threat (APT) group known as “TheWizards” has been identified as exploiting vulnerabilities in the IPv6 networking protocol to execute adversary-in-the-middle (AitM) attacks, effectively hijacking software updates to deploy malicious Windows software. This alarming development comes from ESET, which reports that TheWizards have been active since at least 2022, targeting diverse entities across regions including the Philippines, Cambodia, the United Arab Emirates, China, and Hong Kong.
The core of their operation is a custom tool named “Spellbinder,” which abuses the IPv6 Stateless Address Autoconfiguration (SLAAC) feature to carry out what are known as SLAAC attacks. SLAAC lets devices configure their own IPv6 addresses without a DHCP server, based on Router Advertisement (RA) messages sent by routers on the local link. TheWizards’ tool sends out spoofed RA messages, so that nearby systems automatically adopt new IPv6 addresses and a default gateway controlled by the attackers.
Once on the network, Spellbinder masquerades as a legitimate component. It is deployed alongside an archive named AVGApplicationFrameHostS.zip, whose extracted contents imitate trusted software: components such as avgApplicationFrameHost.exe and wsc.dll are placed in look-alike directories such as “%PROGRAMFILES%\AVG Technologies.” The WinPcap executable included in the same package is likewise abused to execute the malicious DLL, which loads Spellbinder into memory.
After gaining a foothold, Spellbinder captures and inspects network traffic and redirects connections destined for specific software update domains associated with companies such as Tencent and Xiaomi to malicious versions of those updates. The tampered updates install a backdoor known as “WizardNet,” which gives the attackers persistent access to compromised devices and a base for further malicious activity. To mitigate the risk, ESET advises organizations to closely monitor IPv6 traffic, or to disable the protocol where it is not needed.
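To make the monitoring advice concrete for the RA spoofing described above, here is an added example (not code from ESET or the article) of a small detector: it parses an ICMPv6 Router Advertisement and flags one that offers a default gateway from an unexpected MAC or pushes an untrusted DNS resolver via the RDNSS option. The trusted MAC and resolver, and both sample packets, are constructed assumptions for illustration.

```python
import struct
import ipaddress

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SRC_LLADDR, OPT_PREFIX_INFO, OPT_RDNSS = 1, 3, 25

def parse_ra(payload: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement body (IPv6 header already stripped)."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    hop_limit, flags, router_lifetime = struct.unpack("!BBH", payload[4:8])
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
          "router_lifetime": router_lifetime, "src_mac": None, "prefixes": [], "dns": []}
    off = 16                                   # options follow the fixed 16-byte header
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1] * 8   # length is in 8-octet units
        if olen == 0 or off + olen > len(payload):
            raise ValueError("malformed RA option")       # RFC 4861 requires length > 0
        body = payload[off + 2:off + olen]
        if otype == OPT_SRC_LLADDR:
            ra["src_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFO:         # prefix length at body[0], prefix at body[14:30]
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif otype == OPT_RDNSS:               # reserved(2) + lifetime(4), then 16-byte resolvers
            for i in range(6, len(body) - 15, 16):
                ra["dns"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off += olen
    return ra

def flag_rogue_ra(ra: dict, trusted_router_macs: set, trusted_dns: set) -> list:
    """Return the reasons an RA violates local policy; an empty list means it is expected."""
    findings = []
    if ra["router_lifetime"] > 0 and ra["src_mac"] not in trusted_router_macs:
        findings.append(f"default router offered by unexpected MAC {ra['src_mac']}")
    findings += [f"RDNSS pushes untrusted resolver {s}" for s in ra["dns"] if s not in trusted_dns]
    return findings

# Constructed sample RAs (not real captures); checksum left zero, it needs the IPv6 pseudo-header.
LEGIT_RA = bytes.fromhex(
    "86000000 40000708 00000000 00000000"            # hop limit 64, router lifetime 1800 s
    "0101 001122334455"                              # source link-layer address option
    "0304 40c0 00278d00 00093a80 00000000 20010db8000100000000000000000000")  # 2001:db8:1::/64
ROGUE_RA = bytes.fromhex(
    "86000000 40002328 00000000 00000000"            # router lifetime 9000 s from a stranger
    "0101 deadbeef0001"                              # unexpected source MAC
    "1903 0000 ffffffff fd000000000000000000000000000001"   # RDNSS: resolver fd00::1, infinite
    "0304 40c0 00278d00 00093a80 00000000 fd00deadbeef00000000000000000000")  # fd00:dead:beef::/64
TRUSTED_ROUTER_MACS = {"00:11:22:33:44:55"}   # assumed: the site's real router
TRUSTED_DNS = {"2001:db8::53"}                # assumed: the site's real resolver
```

Feed `parse_ra` the ICMPv6 payload of each captured RA (for example from a packet sniffer on the segment) and alert on any non-empty result from `flag_rogue_ra`; this is the host-side complement of RA Guard on managed switches.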