ESET Research analyzes tools from the China-aligned TheWizards group, with targets across Asia and the Middle East
Figure: Geographical distribution of the victims
ESET discovered and analyzed both Spellbinder and WizardNet, tools used by the China-aligned TheWizards APT group.
Spellbinder is used by TheWizards to conduct local adversary-in-the-middle attacks and to redirect traffic from updating applications to an attacker-controlled server.
That server delivers WizardNet, TheWizards' signature backdoor, which is being deployed by legitimate Chinese software update mechanisms to victims' machines.
ESET also details the links between TheWizards and the Chinese company Dianke Network Security Technology, also known as UPSEC.
SAN DIEGO, April 30, 2025 (GLOBE NEWSWIRE) -- ESET researchers have analyzed Spellbinder, a lateral movement tool used to perform adversary-in-the-middle attacks by the China-aligned threat actor TheWizards. Spellbinder enables adversary-in-the-middle attacks through IPv6 stateless address autoconfiguration spoofing, which allows the attackers to redirect the update protocols of legitimate Chinese software to malicious servers. Then the legitimate software is tricked into downloading and executing the malicious components that launch the backdoor WizardNet.
TheWizards has been continuously active since at least 2022 and, according to ESET telemetry, targets individuals, gambling companies, and unknown entities in the Philippines, Cambodia, the United Arab Emirates, mainland China, and Hong Kong.
'We initially discovered and analyzed this tool in 2022, and observed a new version with a few changes that was deployed to compromised machines in 2023 and 2024,' says ESET researcher Facundo Muñoz, who analyzed Spellbinder and WizardNet. 'Our research led us to discover a tool used by the attackers that is designed to perform adversary-in-the-middle attacks using IPv6 SLAAC spoofing to intercept and reply to packets in a network, allowing the attackers to redirect traffic and serve malicious updates to legitimate Chinese software,' explains Muñoz.
The final payload in the attack is a backdoor that we named WizardNet – a modular implant that connects to a remote controller to receive and execute .NET modules on the compromised machine. ESET researchers have focused on one of the latest cases, in 2024, in which the update of Tencent QQ software was hijacked. The malicious server that issues the update instructions is still active. This variant of WizardNet supports five commands, three of which allow it to execute .NET modules in memory, thus extending its functionality on the compromised system.
TheWizards appears to be linked to the Chinese company Dianke Network Security Technology (also known as UPSEC), supplier of the DarkNights backdoor (also known as DarkNimbus). According to the UK NCSC, this backdoor also counts Tibetan and Uyghur communities among its primary targets. While TheWizards uses a different backdoor, WizardNet, the hijacking server is configured to serve DarkNights to updating applications running on Android devices.
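As an added illustration of how a defender can spot the SLAAC spoofing described above (this is example code written for this page, not ESET's code or any of the tools it describes): the ICMPv6 Router Advertisement parser and policy check below flag advertisements that come from a host other than the segment's known router, or that push DNS servers or prefixes the segment does not use. The router, DNS and prefix addresses, and the sample captures, are constructed for this example.

```python
import ipaddress
import struct

ICMPV6_RA = 134  # ICMPv6 type: Router Advertisement (RFC 4861)

def parse_ra(payload: bytes) -> dict:
    """Parse an RA's ICMPv6 payload (IPv6 header already stripped)."""
    if len(payload) < 16 or payload[0] != ICMPV6_RA:
        raise ValueError("not an ICMPv6 Router Advertisement")
    # type, code, checksum, cur hop limit, M/O flags, router lifetime, reachable, retrans
    _, _, _, hop_limit, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", payload[:16])
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80), "router_lifetime": lifetime, "prefixes": [], "rdnss": []}
    off = 16
    while off + 2 <= len(payload):                 # walk TLV options (length in 8-byte units)
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length RA option")
        opt = payload[off:off + opt_len * 8]
        if len(opt) < opt_len * 8:
            raise ValueError("truncated RA option")
        if opt_type == 3 and opt_len == 4:         # Prefix Information: prefix at bytes 16..32
            ra["prefixes"].append(f"{ipaddress.IPv6Address(opt[16:32])}/{opt[2]}")
        elif opt_type == 25:                       # RDNSS (RFC 8106): 16-byte addresses from byte 8
            for i in range(8, opt_len * 8, 16):
                ra["rdnss"].append(str(ipaddress.IPv6Address(opt[i:i + 16])))
        off += opt_len * 8
    return ra

def assess_ra(src: str, ra: dict, policy: dict) -> list[str]:
    """Compare one RA against the expected routers, DNS servers and prefixes of the segment."""
    findings = []
    if ipaddress.IPv6Address(src).compressed not in policy["routers"]:
        findings.append(f"RA from unexpected router {src}")
    findings += [f"unexpected DNS server {d}" for d in ra["rdnss"] if d not in policy["dns"]]
    findings += [f"unexpected prefix {p}" for p in ra["prefixes"] if p not in policy["prefixes"]]
    return findings

def _sample_ra(prefix: str, dns: list[str]) -> bytes:
    """Build a constructed RA payload for the sample captures below (never sent anywhere)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)   # checksum left 0
    net = ipaddress.IPv6Network(prefix)
    pio = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0) + net.network_address.packed
    rdnss = struct.pack("!BBHI", 25, 1 + 2 * len(dns), 0, 1800) + b"".join(ipaddress.IPv6Address(d).packed for d in dns)
    return hdr + pio + rdnss

# Constructed sample captures: (router link-local source, ICMPv6 payload). All addresses are hypothetical.
SAMPLES = [
    ("fe80::1", _sample_ra("2001:db8:1::/64", ["2001:db8:1::53"])),            # the segment's real router
    ("fe80::5e1f:1234", _sample_ra("2001:db8:1::/64", ["2001:db8:ffff::1"])),  # another host answering as router
]
POLICY = {"routers": {"fe80::1"}, "dns": {"2001:db8:1::53"}, "prefixes": {"2001:db8:1::/64"}}

def scan(samples=SAMPLES, policy=POLICY) -> dict:
    """Return findings per RA source; an empty list means the RA matches policy."""
    return {src: assess_ra(src, parse_ra(payload), policy) for src, payload in samples}

if __name__ == "__main__":
    for src, findings in scan().items():
        print(src, findings or "ok")
```

In a real deployment the payloads would come from a capture of ICMPv6 traffic on the segment; the checks map directly onto what RA Guard on a managed switch enforces.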
For a more detailed analysis and technical breakdown of TheWizards' tools, check out the latest ESET Research blogpost 'TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks' on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.
About ESET
ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown — securing businesses, critical infrastructure and individuals. Whether it's endpoint, cloud or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow our social media, podcasts and blogs.
A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/e64e1152-5dee-4ed7-ad08-e0d87d089a16
CONTACT: Media contact: Jessica Beffa jessica.beffa@eset.com 720-413-4938