TheWizards APT Targets Asian Gamblers with Advanced Attack Techniques

Listen to this Post

Featured Image
A new wave of cyberattacks is sweeping across Asia, with the notorious Chinese advanced persistent threat (APT) group, TheWizards, focusing its efforts on gambling companies and their customers. This latest campaign, revealed at the RSAC Conference 2025, showcases a novel attack tool dubbed Spellbinder. Unlike other cyber threats, Spellbinder leverages a rare adversary-in-the-middle (AitM) technique to inject malware into legitimate software updates, making it a sophisticated and hard-to-detect threat.

The campaign primarily targets the gambling sector, but experts remain unsure of the group’s ultimate motivations. However, the use of unique tactics such as IPv6 SLAAC (Stateless Address Autoconfiguration) spoofing and the strategic use of well-known Chinese software applications for malware distribution have drawn considerable attention. As a result, TheWizards continues to evolve its toolkit, blurring the lines between cyber espionage and data theft.

TheWizards’ Latest Campaign

In their most recent campaign, TheWizards group, active since 2022, continues to target gambling companies, focusing on regions such as the Philippines, Cambodia, the UAE, China, and Hong Kong. The attackers employ a series of complex techniques, including SLAAC-spoofing, to hijack legitimate software update processes. These updates, commonly associated with well-known Chinese software, are perceived as safe by many security tools, allowing the malware to spread undetected.

The group utilizes Spellbinder, a lateral movement tool, to intercept network traffic and redirect it through attacker-controlled servers. This technique enables them to deploy a downloader, which eventually installs their signature backdoor, WizardNet. The WizardNet malware is a modular implant that provides the attackers with remote access to compromised systems.

Interestingly, TheWizards has been linked to another Chinese APT group, Earth Minotaur. While both groups share similar tools, their targets differ. Earth Minotaur primarily focuses on ethnic groups such as Tibetans and Uyghurs, while TheWizards remains concentrated on the gambling sector. The overlap between the two groups’ toolsets, such as the use of the DarkNimbus malware (also known as DarkNights), highlights a growing trend of Chinese state-sponsored actors pooling resources and working in tandem.

The latest attacks have also brought attention to how outdated or misconfigured network defenses, such as poorly monitored IPv6 traffic, can lead to severe vulnerabilities. For organizations in affected sectors, maintaining robust endpoint security and ensuring routers and network devices are kept up to date are vital strategies for mitigation.

What Undercode Says:

This new attack by TheWizards highlights a crucial shift in cyberattack tactics, moving away from traditional methods like phishing or drive-by downloads to more sophisticated techniques like adversary-in-the-middle (AitM) attacks. By hijacking legitimate software update processes, TheWizards exploits a significant blind spot in many cybersecurity strategies.

The use of SLAAC spoofing is particularly concerning because it exploits an attack vector that has been around for nearly 15 years, yet it remains underutilized by most attackers. This is a reminder of how cybercriminals can revisit and revamp old tactics with new tools, making previously mitigated vulnerabilities relevant again. In this case, by intercepting traffic intended for legitimate Chinese applications, TheWizards can silently redirect and deliver their malware.

The fact that the attackers have been successful in remaining undetected for such an extended period also raises questions about the effectiveness of endpoint detection and response (EDR) solutions. While some tools may flag suspicious DLL downloads or unusual network traffic, the attackers’ ability to hide within otherwise legitimate processes demonstrates the limits of many modern defenses.

Moreover, the connection between TheWizards and Earth Minotaur should raise alarm bells for cybersecurity professionals. The merging of tactics and tools across different Chinese APT groups points to a more coordinated and resource-rich threat environment. This suggests a growing sophistication in state-sponsored cyber operations, where resources are pooled to target high-value industries like gambling, which may involve large financial transactions and sensitive data.

From a defense perspective,

Fact Checker Results:

  • Attack Vector Validity: The claim that SLAAC spoofing is an uncommon but legitimate attack vector is accurate. It remains a niche method but is gaining attention due to its potential for network hijacking.
  • Tool and Malware Analysis: The identification of Spellbinder and WizardNet as unique tools associated with TheWizards is supported by available research from ESET and other cybersecurity firms.
  • Target Sector: The focus on gambling companies is confirmed, with notable reports from cybersecurity research firms highlighting ongoing attacks in this sector.

Prediction:

Looking forward, it’s likely that we will see an increase in similar AitM attacks, as more APT groups recognize the effectiveness of hijacking legitimate software update processes. The growing overlap between various Chinese APT groups, such as TheWizards and Earth Minotaur, may also suggest more coordinated efforts targeting different industries across the globe. Organizations in sectors like finance, healthcare, and entertainment should prepare for these advanced tactics by investing in more sophisticated monitoring tools and better network security protocols.

With IPv6 vulnerabilities increasingly being exploited, it’s also possible that future attacks will pivot to target this underexplored attack surface more frequently. As APTs adapt to these shifts, the need for continuous innovation in cybersecurity defenses becomes ever more crucial.

References:

Reported By: www.darkreading.com
Extra Source Hub:
https://www.linkedin.com
Wikipedia
Undercode AI

Image Source:

Unsplash
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram