ESET just unpacked a new toolkit used by a Chinese APT called TheWizards, and it’s a real case study in how attackers are evolving lateral movement and persistence—without needing a ton of flashy exploits.
The tool, dubbed Spellbinder, is designed for adversary-in-the-middle (AitM) attacks and lateral movement, and it does so by spoofing IPv6 SLAAC (stateless address auto-configuration). The goal? Intercept and redirect traffic from popular Chinese applications so that victims unknowingly download malicious updates from attacker-controlled servers.
Once that spoofed traffic lands, TheWizards deploy a downloader that fetches a modular backdoor called WizardNet. ESET says they saw this technique used in late 2024 to hijack Tencent QQ updates, silently delivering the malware straight into memory.
WizardNet isn’t overly complex, but it’s highly flexible. It can:
- Fetch and execute .NET modules
- Unload or invoke functions from those modules
- Upload client-side plugin assemblies
- Send system and environment info back to the attackers
What’s especially interesting is who’s behind it. TheWizards is linked to a Chinese firm called Dianke Network Security Technology (UPSEC), which has also been associated with DarkNimbus/DarkNights malware, previously attributed to another Chinese APT known as Earth Minotaur.
But ESET is clear: TheWizards and Earth Minotaur are separate threat actors. Even though the two share the DarkNimbus/DarkNights malware, TheWizards has different targets, different infrastructure, and its own distinct tooling, including Spellbinder and WizardNet.
The target geography gives us more insight into intent. TheWizards has focused on Cambodia, China, Hong Kong, the Philippines, and the UAE, signaling a regional espionage play with local infrastructure abuse.
Spellbinder uses WinPcap to capture and respond to network packets and can intercept traffic from major platforms like Baidu, Tencent, Xiaomi, Mango TV, and many others—injecting itself quietly into routine software communications.
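A defender-side check for the SLAAC spoofing and packet-level interception described above: an added example (not ESET's analysis code or anything from TheWizards) that decodes ICMPv6 Router Advertisement frames and flags any RA that does not come from the allowlisted gateway MAC, reporting the prefix and DNS-server options it advertises. The gateway MAC and the sample frames are constructed assumptions; option layouts follow RFC 4861 and RFC 8106.

```python
import ipaddress
import struct

ETH_IPV6, IPPROTO_ICMPV6, ICMPV6_RA = 0x86DD, 58, 134
OPT_PREFIX, OPT_RDNSS = 3, 25  # RA option types from RFC 4861 / RFC 8106

def parse_ra(frame: bytes):
    """Decode an Ethernet+IPv6+ICMPv6 Router Advertisement; None if the frame is not an RA."""
    if len(frame) < 70 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV6:
        return None
    ip = frame[14:54]                        # fixed 40-byte IPv6 header
    if ip[6] != IPPROTO_ICMPV6:              # extension headers are not handled here
        return None
    icmp = frame[54:]
    if icmp[0] != ICMPV6_RA:
        return None
    ra = {"src_mac": frame[6:12].hex(":"), "src_ip": str(ipaddress.IPv6Address(ip[8:24])),
          "prefixes": [], "rdnss": []}
    off = 16                                 # skip the fixed RA header (RFC 4861 section 4.2)
    while off + 8 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8
        if olen == 0:
            break                            # malformed option length; stop rather than loop forever
        opt = icmp[off:off + olen]
        if otype == OPT_PREFIX and olen >= 32:        # Prefix Information: prefix at bytes 16..32
            ra["prefixes"].append(f"{ipaddress.IPv6Address(opt[16:32])}/{opt[2]}")
        elif otype == OPT_RDNSS and olen >= 24:       # RDNSS: 16-byte DNS addresses from byte 8
            ra["rdnss"] += [str(ipaddress.IPv6Address(opt[i:i + 16])) for i in range(8, olen, 16)]
        off += olen
    return ra

def find_rogue_ras(frames, allowed_router_macs):
    """Return every RA whose source MAC is not a known router: the SLAAC-spoofing signal."""
    return [ra for ra in map(parse_ra, frames) if ra and ra["src_mac"] not in allowed_router_macs]

def sample_ra(src_mac: str, src_ll: str, prefix: str, dns: str) -> bytes:
    """Constructed test fixture: build one RA frame in memory (nothing is sent on any network)."""
    opts = bytes([OPT_PREFIX, 4, 64, 0xC0]) + b"\0" * 12 + ipaddress.IPv6Address(prefix).packed
    opts += bytes([OPT_RDNSS, 3, 0, 0]) + b"\0" * 4 + ipaddress.IPv6Address(dns).packed
    icmp = bytes([ICMPV6_RA, 0, 0, 0, 64, 0, 0x07, 0x08]) + b"\0" * 8 + opts
    ip = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255)
    ip += ipaddress.IPv6Address(src_ll).packed + ipaddress.IPv6Address("ff02::1").packed
    eth = b"\x33\x33\x00\x00\x00\x01" + bytes.fromhex(src_mac.replace(":", "")) + struct.pack("!H", ETH_IPV6)
    return eth + ip + icmp

ALLOWED_ROUTERS = {"00:11:22:33:44:55"}  # assumed: the MAC of the site's legitimate gateway
CAPTURE = [  # constructed frames standing in for a WinPcap/libpcap capture
    sample_ra("00:11:22:33:44:55", "fe80::1", "2001:db8:1::", "2001:db8:1::53"),
    sample_ra("de:ad:be:ef:00:01", "fe80::bad", "2001:db8:1::", "2001:db8:666::53"),
]

if __name__ == "__main__":
    for ra in find_rogue_ras(CAPTURE, ALLOWED_ROUTERS):
        print(f"rogue RA from {ra['src_mac']} ({ra['src_ip']}): prefixes={ra['prefixes']} dns={ra['rdnss']}")
```

Running it over a real capture means feeding raw frames from the pcap into `find_rogue_ras`; a second RA source on a segment that should have one router, or an RDNSS pointing at an unexpected resolver, is the condition to alert on.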
This is the kind of toolkit that doesn’t rely on zero-days or loud intrusion methods. It’s about blending in, mimicking trusted behavior, and turning the software update process into an attack vector—a tactic we’re seeing more and more in advanced persistent threat activity.