TheWizards


TheWizards is a China-aligned APT group that employs the Spellbinder tool for adversary-in-the-middle attacks, utilizing IPv6 SLAAC spoofing to redirect legitimate software updates to malicious servers. They have developed the WizardNet backdoor for Windows and serve DarkNights to Android applications, indicating a connection to Dianke Network Security Technology. The group targets individuals and companies in the Philippines, Cambodia, the UAE, mainland China, and Hong Kong. ESET has observed their infrastructure and tools, including the acquisition of servers for hosting C&C and malicious updates.


Associated Families

There are currently no families associated with this actor.


References
2025-04-30, ESET Research, Facundo Muñoz
TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks
TheWizards

2024-01-25, ESET Research, Facundo Muñoz
NSPX30: A sophisticated AitM-enabled implant evolving since 2005
NSPX30, ProjectWood, Blackwood, TheWizards

Credits: MISP Project