Latest news with #FacundoMuñoz

ESET Research analyzes tools from the China-aligned TheWizards group, with targets across Asia and the Middle East

Yahoo, 30-04-2025

Figure: Geographical distribution of the victims

ESET discovered and analyzed both Spellbinder and WizardNet, tools used by the China-aligned TheWizards APT group. Spellbinder is used by TheWizards to conduct local adversary-in-the-middle attacks and to redirect traffic from updating applications to an attacker-controlled server. That server delivers WizardNet, TheWizards' signature backdoor, which is deployed to victims' machines through the update mechanisms of legitimate Chinese software. ESET also details the links between TheWizards and the Chinese company Dianke Network Security Technology, also known as UPSEC.

SAN DIEGO, April 30, 2025 (GLOBE NEWSWIRE) -- ESET researchers have analyzed Spellbinder, a lateral movement tool used by the China-aligned threat actor TheWizards to perform adversary-in-the-middle attacks. Spellbinder enables these attacks through IPv6 stateless address autoconfiguration (SLAAC) spoofing, which allows the attackers to redirect the update protocols of legitimate Chinese software to malicious servers. The legitimate software is then tricked into downloading and executing the malicious components that launch the WizardNet backdoor. TheWizards has been continuously active since at least 2022 and, according to ESET telemetry, targets individuals, gambling companies, and unknown entities in the Philippines, Cambodia, the United Arab Emirates, mainland China, and Hong Kong.

'We initially discovered and analyzed this tool in 2022, and observed a new version with a few changes that was deployed to compromised machines in 2023 and 2024,' says ESET researcher Facundo Muñoz, who analyzed Spellbinder and WizardNet. 'Our research led us to discover a tool used by the attackers that is designed to perform adversary-in-the-middle attacks using IPv6 SLAAC spoofing to intercept and reply to packets in a network, allowing the attackers to redirect traffic and serve malicious updates to legitimate Chinese software,' explains Muñoz.

The final payload in the attack is a backdoor that we named WizardNet, a modular implant that connects to a remote controller to receive and execute .NET modules on the compromised machine. ESET researchers have focused on one of the latest cases, in 2024, in which the update of Tencent QQ software was hijacked. The malicious server that issues the update instructions is still active. This variant of WizardNet supports five commands, three of which allow it to execute .NET modules in memory, thus extending its functionality on the compromised system.

TheWizards and the Chinese company Dianke Network Security Technology (also known as UPSEC), supplier of the DarkNights backdoor (also known as DarkNimbus), appear to be linked. According to NCSC UK, this malicious backdoor also has Tibetan and Uyghur communities among its primary targets. While TheWizards uses a different backdoor, WizardNet, the hijacking server is configured to serve DarkNights to updating applications running on Android devices.

For a more detailed analysis and technical breakdown of TheWizards' tools, check out the latest ESET Research blogpost 'TheWizards APT group uses SLAAC spoofing to perform adversary-in-the-middle attacks'. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.

About ESET

ESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown, securing businesses, critical infrastructure and individuals. Whether it's endpoint, cloud or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit or follow our social media, podcasts and blogs.

A photo accompanying this announcement is available at the link in the original announcement.

Media contact: Jessica Beffa, 720-413-4938

ESET Research analyzes tools from the China-aligned TheWizards group, with targets across Asia and the Middle East

Associated Press, 30-04-2025


ESET discovers new China-aligned APT group and its supply chain attack on South Korean VPN service

Tahawul Tech, 05-02-2025

ESET researchers have discovered a supply-chain attack against a VPN provider in South Korea by a newly discovered and previously undetected China-aligned APT group that ESET has named PlushDaemon. In this cyberespionage operation, the attackers replaced the legitimate installer with one that also deployed the group's signature implant, which ESET has named SlowStepper, a feature-rich backdoor with a toolkit of more than 30 components. The China-aligned threat actor has been active since at least 2019, engaging in espionage operations against individuals and entities in mainland China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand.

'In May 2024, we noticed detections of malicious code in an NSIS installer for Windows that users from South Korea had downloaded from the website of the legitimate VPN software IPany. In further analysis, we discovered that the installer was deploying both the legitimate software and the backdoor. We contacted the VPN software developer to inform them of the compromise, and the malicious installer was removed from their website,' says ESET researcher Facundo Muñoz, who made the discovery.

Additionally, PlushDaemon gains initial access by hijacking legitimate updates of Chinese applications, redirecting their traffic to attacker-controlled servers. ESET has also observed the group gaining access via vulnerabilities in legitimate web servers. The SlowStepper backdoor is used exclusively by PlushDaemon. This backdoor is notable for its multistage C&C protocol using DNS, as well as its ability to download and execute dozens of additional Python modules with espionage capabilities. The malware collects a wide range of data from web browsers; is capable of taking photos; scans for documents; collects information from various applications, including messaging applications (e.g., WeChat, Telegram); can spy via audio and video; and steals password credentials.

'The numerous components in the PlushDaemon toolset, and its rich version history, show that, while previously unknown, this China-aligned APT group has been operating diligently to develop a wide array of tools, making it a significant threat to watch out for,' concludes Muñoz.

For a more detailed analysis and technical breakdown of PlushDaemon's toolset, check out the latest ESET Research blogpost 'China-aligned PlushDaemon compromises supply chain of Korean VPN service'. Make sure to follow ESET Research on Twitter (today known as X) for the latest news from ESET Research.

Image Credit: ESET
