A China-aligned hacking group known as “TheWizards” is spreading malware by abusing a standard but rarely monitored IPv6 mechanism. Security researchers at ESET have been tracking the group since at least 2022.
Their targets include individuals and organizations in countries like the Philippines, Cambodia, UAE, China, and Hong Kong, with a focus on sectors like online gambling.
The hackers are using a custom tool called “Spellbinder”, which abuses the IPv6 feature SLAAC (Stateless Address Autoconfiguration). Normally, SLAAC lets a host configure its own IPv6 address and default route from the ICMPv6 Router Advertisement (RA) messages that routers send on the local network, with no DHCP server involved. Because any host on the segment can send an RA, TheWizards have turned this convenience into a way to hijack network traffic.
By broadcasting forged Router Advertisements, Spellbinder gets Windows devices on the same network segment to adopt the attacker's machine as their IPv6 default gateway. Their outbound traffic then flows through that machine, where it can be intercepted, monitored and altered, a technique known as an Adversary-in-the-Middle (AitM) attack. Windows is a natural target because it prefers IPv6 over IPv4 whenever an IPv6 route is available.
The malware is usually delivered in a ZIP file named “AVGApplicationFrameHostS.zip”, which unpacks into a folder posing as an AVG antivirus installation. Inside is a mix of legitimate and malicious files, including a real copy of WinPcap. The legitimate AVG executable serves to get the malicious components loaded into memory, while WinPcap provides the raw packet capture and injection that Spellbinder needs to send its forged Router Advertisements and to answer intercepted traffic.
Once active, Spellbinder watches the traffic flowing through it for DNS queries for the update domains of popular Chinese software, including Tencent, Baidu, Xiaomi and iQIYI. When a victim's software checks for an update, Spellbinder answers the lookup with the address of an attacker-controlled server, so the program downloads a trojanized update instead of the real one. These fake updates deliver a backdoor named “WizardNet”, which gives the attackers long-term access to the system and lets them install further malware as needed.
To defend against this kind of attack, experts recommend monitoring IPv6 traffic for unexpected Router Advertisements (a new router link-layer address, prefix or DNS server appearing on a segment), enabling RA Guard on managed switches so that only designated ports may send RAs, and disabling IPv6 entirely on networks that don't use it. One caveat for Windows administrators: unbinding IPv6 from a network adapter is not the same as disabling the stack; Microsoft documents the DisabledComponents registry value for that purpose.
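As an added illustration of the rogue-RA technique and of the monitoring advice above (this is example code written for this page, not ESET's tooling and not Spellbinder), the following Python parses raw ICMPv6 Router Advertisement messages as defined in RFC 4861 and RFC 8106 and flags any that do not come from an allowlisted router. The two sample packets, the allowlisted MAC address, the 2001:db8 prefixes and the DNS address are constructed assumptions; the ICMPv6 checksum is left at zero because computing it needs the IPv6 pseudo-header, which a real capture would supply.

```python
"""Detect rogue ICMPv6 Router Advertisements (RFC 4861) on a segment.

Added example, not ESET's or Spellbinder's code. Packets, MACs and prefixes
below are constructed for illustration.
"""
import struct
import ipaddress

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LINK_ADDR = 1   # RFC 4861 option: sender's MAC
OPT_PREFIX_INFO = 3        # RFC 4861 option: SLAAC prefix
OPT_RDNSS = 25             # RFC 8106 option: recursive DNS servers

# Assumption: the only router allowed to send RAs on this segment.
ALLOWED_ROUTER_MACS = {"00:11:22:33:44:55"}


def build_ra(src_mac, router_lifetime, prefix=None, dns=()):
    """Build an RA body: header, source link-layer option, optional prefix and RDNSS."""
    # type, code, checksum (left 0 here), cur hop limit, M/O flags,
    # router lifetime, reachable time, retrans timer
    pkt = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0,
                      router_lifetime, 0, 0)
    pkt += bytes([OPT_SOURCE_LINK_ADDR, 1]) + bytes.fromhex(src_mac.replace(":", ""))
    if prefix:
        net = ipaddress.IPv6Network(prefix)
        # flags 0xC0 = L (on-link) | A (autonomous: hosts self-configure via SLAAC)
        pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                           2592000, 604800, 0) + net.network_address.packed
    if dns:
        pkt += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, 3600)
        pkt += b"".join(ipaddress.IPv6Address(d).packed for d in dns)
    return pkt


def parse_ra(payload):
    """Parse an RA body into its router lifetime, sender MAC, prefixes and DNS servers."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    _hop, _flags, router_lifetime, _reach, _retrans = struct.unpack("!BBHII", payload[4:16])
    ra = {"router_lifetime": router_lifetime, "src_mac": None, "prefixes": [], "dns": []}
    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")  # RFC 4861: discard the packet
        end = off + olen * 8                         # length is in 8-byte units
        if end > len(payload):
            raise ValueError("truncated option")
        body = payload[off + 2:end]
        if otype == OPT_SOURCE_LINK_ADDR and len(body) >= 6:
            ra["src_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags = body[0], body[1]
            prefix = ipaddress.IPv6Address(body[14:30])
            ra["prefixes"].append((f"{prefix}/{plen}", bool(pflags & 0x40)))
        elif otype == OPT_RDNSS and olen >= 3:
            for i in range(6, len(body), 16):        # skip reserved(2) + lifetime(4)
                ra["dns"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off = end
    return ra


def classify_ra(ra):
    """Return findings for an RA; an empty list means an allowlisted router sent it."""
    if ra["src_mac"] in ALLOWED_ROUTER_MACS:
        return []
    findings = [f"RA from unknown link-layer address {ra['src_mac']}"]
    if ra["router_lifetime"] > 0:
        findings.append(f"sender offers itself as default gateway for {ra['router_lifetime']}s")
    for prefix, autonomous in ra["prefixes"]:
        if autonomous:
            findings.append(f"hosts will SLAAC an address in {prefix}")
    if ra["dns"]:
        findings.append("sender pushes DNS servers: " + ", ".join(ra["dns"]))
    return findings


# Constructed samples: one RA from the real router, one from a rogue host.
LEGIT_RA = build_ra("00:11:22:33:44:55", 1800, "2001:db8:1::/64")
ROGUE_RA = build_ra("de:ad:be:ef:00:01", 1800, "2001:db8:dead::/64", ["2001:db8:dead::1"])

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT_RA), ("rogue", ROGUE_RA)):
        for finding in classify_ra(parse_ra(pkt)) or ["no findings"]:
            print(f"{name}: {finding}")
```

The link-layer address in the RA is as spoofable as the Ethernet source, so the allowlist is a detection heuristic for a sensor on the segment, not an enforcing control; RA Guard at the switch port is what actually stops a rogue host's advertisements from reaching other machines.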
Bijay Pokharel