ESET Research analyzes tools from the China-aligned TheWizards group, with targets across Asia and the Middle East
Yahoo, 30-04-2025
Figure: Geographical distribution of the victims
ESET discovered and analyzed both Spellbinder and WizardNet, tools used by the China-aligned TheWizards APT group.
Spellbinder is used by TheWizards to conduct local adversary-in-the-middle attacks and to redirect traffic from updating applications to an attacker-controlled server.
That server delivers WizardNet, TheWizards' signature backdoor, which is deployed to victims' machines through the update mechanisms of legitimate Chinese software.
ESET also details the links between TheWizards and the Chinese company Dianke Network Security Technology, also known as UPSEC.
SAN DIEGO, April 30, 2025 (GLOBE NEWSWIRE) -- ESET researchers have analyzed Spellbinder, a lateral movement tool used to perform adversary-in-the-middle attacks by the China-aligned threat actor TheWizards. Spellbinder enables adversary-in-the-middle attacks through IPv6 stateless address autoconfiguration spoofing, which allows the attackers to redirect the update protocols of legitimate Chinese software to malicious servers. Then the legitimate software is tricked into downloading and executing the malicious components that launch the backdoor WizardNet.
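The SLAAC-spoofing redirection described above works because hosts accept IPv6 Router Advertisements (RAs) from any neighbour on the link. The following check is an added example, not code from ESET or from the report: it compares observed RAs against an allowlist of known routers and records whether a rogue RA tries to become the default router or to push its own DNS servers. The observation format, the allowlist and the sample RAs are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network

LINK_LOCAL = IPv6Network("fe80::/10")

@dataclass(frozen=True)
class RouterAd:
    src_mac: str          # link-layer source of the RA
    src_ll: str           # IPv6 source address; legitimate RAs are link-local
    prefixes: tuple       # prefixes advertised with the autonomous (SLAAC) flag
    rdnss: tuple          # recursive DNS servers pushed in the RA, if any
    router_lifetime: int  # seconds; > 0 means "use me as default router"

# Constructed allowlist of the site's legitimate routers: MAC -> link-local.
KNOWN_ROUTERS = {"00:11:22:33:44:01": "fe80::211:22ff:fe33:4401"}

def classify(ra: RouterAd) -> list[str]:
    """Reasons an RA looks like SLAAC spoofing; an empty list means benign."""
    reasons = []
    expected_ll = KNOWN_ROUTERS.get(ra.src_mac)
    if expected_ll is None:
        reasons.append("RA from unknown router MAC " + ra.src_mac)
    elif expected_ll != ra.src_ll:
        reasons.append("known MAC announcing unexpected source " + ra.src_ll)
    if IPv6Address(ra.src_ll) not in LINK_LOCAL:
        reasons.append("RA source is not a link-local address")
    # Redirection needs hosts to route through the rogue device or to resolve
    # names via it, so record which of the two a suspicious RA tries to obtain.
    if reasons and ra.router_lifetime > 0:
        reasons.append("advertises itself as default router")
    if reasons and ra.rdnss:
        reasons.append("pushes DNS servers " + ", ".join(ra.rdnss))
    return reasons

def scan(observations) -> dict:
    """Map the MAC of every suspicious RA source to the reasons it was flagged."""
    return {ra.src_mac: r for ra in observations if (r := classify(ra))}

# Constructed observations: the real router, then a rogue RA that also pushes
# its own DNS server, the position an adversary-in-the-middle needs.
OBSERVED = [
    RouterAd("00:11:22:33:44:01", "fe80::211:22ff:fe33:4401",
             ("2001:db8:1::/64",), (), 1800),
    RouterAd("00:11:22:33:44:99", "fe80::211:22ff:fe33:4499",
             ("2001:db8:1::/64",), ("2001:db8:1::53",), 9000),
]

if __name__ == "__main__":
    for mac, reasons in scan(OBSERVED).items():
        print(mac, "->", "; ".join(reasons))
```

On a managed network the same comparison is what RA Guard on the switch performs in hardware; this script is the passive, host-side version of that check.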
TheWizards has been continuously active since at least 2022 and, according to ESET telemetry, targets individuals, gambling companies, and unknown entities in the Philippines, Cambodia, the United Arab Emirates, mainland China, and Hong Kong.
'We initially discovered and analyzed this tool in 2022, and observed a new version with a few changes that was deployed to compromised machines in 2023 and 2024,' says ESET researcher Facundo Muñoz, who analyzed Spellbinder and WizardNet. 'Our research led us to discover a tool used by the attackers that is designed to perform adversary-in-the-middle attacks using IPv6 SLAAC spoofing to intercept and reply to packets in a network, allowing the attackers to redirect traffic and serve malicious updates to legitimate Chinese software,' explains Muñoz.
The final payload in the attack is a backdoor that we named WizardNet – a modular implant that connects to a remote controller to receive and execute .NET modules on the compromised machine. ESET researchers have focused on one of the latest cases, in 2024, in which the update of Tencent QQ software was hijacked. The malicious server that issues the update instructions is still active. This variant of WizardNet supports five commands, three of which allow it to execute .NET modules in memory, thus extending its functionality on the compromised system.
TheWizards appears to be linked to the Chinese company Dianke Network Security Technology (also known as UPSEC), supplier of the DarkNights backdoor (also known as DarkNimbus). According to NCSC UK, this backdoor counts Tibetan and Uyghur communities among its primary targets. While TheWizards uses a different backdoor, WizardNet, the hijacking server is configured to serve DarkNights to updating applications running on Android devices.
For a more detailed analysis and technical breakdown of TheWizards' tools, check out the latest ESET Research blogpost 'TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks' on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.
About ESET
ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown — securing businesses, critical infrastructure and individuals. Whether it's endpoint, cloud or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow our social media, podcasts and blogs.
A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/e64e1152-5dee-4ed7-ad08-e0d87d089a16
CONTACT: Media contact: Jessica Beffa jessica.beffa@eset.com 720-413-4938