A China-linked hacking group is abusing a standard IPv6 feature to hijack software updates and silently install Windows malware across targeted networks.
A China-linked advanced persistent threat (APT) group tracked as TheWizards is abusing an IPv6 networking feature to hijack software updates and install Windows malware. Cybersecurity firm ESET reports that the group has been active since at least 2022, targeting victims in the Philippines, Cambodia, the UAE, China, and Hong Kong. The group's custom tool, Spellbinder, performs adversary-in-the-middle (AitM) attacks, in which the attackers sit between users and trusted services and quietly intercept and alter the traffic passing between them.
To carry out the attacks, TheWizards abuse Stateless Address Autoconfiguration (SLAAC), the IPv6 mechanism by which a host configures its own address and default gateway from Router Advertisement (RA) messages sent by routers on the local link. Spellbinder sends spoofed RAs onto the local network every 200 milliseconds. Windows hosts accept them exactly as they would from a legitimate router and adopt the attacker's machine as their IPv6 default gateway; because Windows prefers IPv6 over IPv4 when both are available, traffic that would otherwise leave over IPv4 now flows through the attacker's host, which can monitor and manipulate it at will. One caveat worth stating: RAs are link-local multicast and are never forwarded across a router, so the attacker must already control a host on the same network segment as the victims. That foothold is what the malware delivery described next provides.
The malware is delivered in a ZIP archive disguised as legitimate AVG antivirus software. The bundle includes WinPcap, a legitimate packet-capture library that Spellbinder relies on to read and inject raw packets, together with a malicious file called wsc.dll that is loaded through DLL side-loading and silently launches Spellbinder, the group's AitM tool. Once active, Spellbinder watches the traffic now passing through the attacker's host for update requests from popular Chinese software, including Tencent and Xiaomi products. Matching requests are hijacked and redirected to rogue servers that serve a fake update carrying WizardNet, a persistent backdoor that keeps the system open for further malware installations.
ESET researchers explained, “In 2022, we uncovered a China-aligned APT group we’ve named TheWizards. Our analysis revealed custom tools developed by the group, including an IPv6 adversary-in-the-middle (AitM) tool called Spellbinder. It enables attackers to hijack update protocols used by legitimate Chinese software, redirecting them to malicious servers that deliver fake updates to victims’ machines. These updates trigger additional components, ultimately launching a backdoor we’ve named WizardNet.”
ESET added that this method allows attackers to silently intercept and redirect network traffic, often without triggering immediate detection.
TheWizards' campaign shows that even modern protocols like IPv6, meant to future-proof the internet, can be turned into weapons by skilled attackers. The underlying weakness is not new: the trust model of IPv6 Neighbor Discovery, including rogue-router and RA spoofing scenarios, was documented in RFC 3756 back in 2004. What is new is the target. This is not about exotic exploits or zero-days; it is about trust itself, especially in routine processes like software updates, being quietly manipulated. As attackers get more creative, defenders need to start questioning what has long been assumed to be safe.
SLAAC (Stateless Address Autoconfiguration) lets IPv6 hosts assign themselves addresses and pick a default gateway, but it accepts Router Advertisements from any device on the link without authentication, so any host on the same segment can spoof one. The cryptographic alternative, SEcure Neighbor Discovery (RFC 3971), is almost never deployed.
Update mechanisms are trusted by users and systems alike, so a hijacked update is a stealthy way to install malware without raising suspicion.
Defenders can disable IPv6 on networks where it is genuinely unused, or, on Windows hosts, disable router discovery on the interface (Set-NetIPInterface with -RouterDiscovery Disabled) rather than unbinding IPv6 entirely, which Microsoft advises against; enable RA Guard (RFC 6105) on access switches so that RAs are only accepted from router-facing ports; and monitor for RAs from unexpected MAC addresses, for new IPv6 default routes appearing on endpoints (Get-NetRoute -AddressFamily IPv6 shows the current default gateway), and for RAs arriving far more often than the once-per-three-seconds minimum that RFC 4861 permits.
While this campaign targets Chinese software, the technique applies to any update mechanism that can be redirected at the network layer: in practice, updaters that fetch over plain HTTP or that do not verify the signature of what they download. An updater that pins its server's TLS certificate and checks a signature on the update package cannot be hijacked by a redirect alone.
Abusing trusted update channels has become a growing trend in sophisticated cyber operations, with SolarWinds and 3CX as prominent cases. Those two were supply-chain compromises in which the vendor's own build pipeline was poisoned, whereas TheWizards hijack the delivery path on the victim's network; the outcome for the victim, malware arriving as a trusted update, is the same.
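The spoofed-RA pattern described in the attack section above and the monitoring advice here, as one added example that is not ESET's, TheWizards' or the page's own code: a small Python parser for ICMPv6 Router Advertisements (RFC 4861, plus the RDNSS option of RFC 8106) and a monitor that flags what a SLAAC-spoofing host looks like on the wire. The router addresses, prefixes and resolver addresses in the demo are constructed test data; the 200 ms cadence mirrors the figure reported for Spellbinder. ICMPv6 checksums are not verified, and feeding the monitor live packets from a capture is left to the reader.

```python
"""Parse ICMPv6 Router Advertisements and flag rogue-RA behaviour.
Added example, not ESET's or TheWizards' code. Layouts follow RFC 4861
(RA header, Prefix Information option) and RFC 8106 (RDNSS option)."""
import ipaddress
import struct
from collections import defaultdict, deque
from dataclasses import dataclass

ICMPV6_RA = 134              # RFC 4861 section 4.2
OPT_PREFIX_INFO = 3          # RFC 4861 section 4.6.2
OPT_RDNSS = 25               # RFC 8106 section 5.1
MIN_RTR_ADV_INTERVAL = 3.0   # RFC 4861: a router sends at most one RA per 3 s


@dataclass
class RouterAdvertisement:
    src: ipaddress.IPv6Address
    router_lifetime: int        # seconds; 0 means "not a default router"
    prefixes: list              # e.g. ["2001:db8:1::/64"]
    dns_servers: list           # IPv6Address objects from RDNSS options


def parse_ra(src: str, payload: bytes) -> RouterAdvertisement:
    """Parse the ICMPv6 payload of an RA (checksum is not verified here)."""
    if len(payload) < 16:
        raise ValueError("RA header truncated")
    msg_type, _code, _csum, _hop, _flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", payload[:16])
    if msg_type != ICMPV6_RA:
        raise ValueError(f"not a Router Advertisement (type {msg_type})")
    prefixes, dns = [], []
    off = 16
    while off + 2 <= len(payload):          # walk the TLV option list
        opt_type, opt_len = payload[off], payload[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")   # RFC 4861 4.6: discard packet
        end = off + opt_len * 8
        if end > len(payload):
            raise ValueError("ND option runs past end of packet")
        body = payload[off + 2:end]
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            # prefix length at body[0]; the prefix itself is the last 16 bytes
            prefixes.append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif opt_type == OPT_RDNSS and opt_len >= 3 and opt_len % 2 == 1:
            # reserved(2) lifetime(4) then one or more 16-byte resolver addresses
            for i in range(6, len(body), 16):
                dns.append(ipaddress.IPv6Address(body[i:i + 16]))
        off = end
    return RouterAdvertisement(ipaddress.IPv6Address(src), lifetime, prefixes, dns)


class RaMonitor:
    """Flags RAs from unknown routers, non-link-local sources, unapproved
    resolvers, and RAs arriving faster than RFC 4861 allows."""

    def __init__(self, allowed_routers, allowed_dns=(), window=MIN_RTR_ADV_INTERVAL):
        self.allowed_routers = {ipaddress.IPv6Address(a) for a in allowed_routers}
        self.allowed_dns = {ipaddress.IPv6Address(a) for a in allowed_dns}
        self.window = window
        self.history = defaultdict(deque)   # src -> timestamps inside the window

    def observe(self, src: str, payload: bytes, ts: float):
        ra = parse_ra(src, payload)
        findings = []
        if not ra.src.is_link_local:
            findings.append("source is not link-local (RFC 4861 6.1.2: discard)")
        if ra.src not in self.allowed_routers and ra.router_lifetime > 0:
            findings.append(f"unknown router {ra.src} offers itself as default gateway")
        for d in ra.dns_servers:
            if d not in self.allowed_dns:
                findings.append(f"RDNSS pushes unapproved resolver {d}")
        hist = self.history[ra.src]
        hist.append(ts)
        while hist and ts - hist[0] > self.window:
            hist.popleft()
        if len(hist) >= 3:
            findings.append(f"{len(hist)} RAs from {ra.src} within {self.window:g}s")
        return ra, findings


def build_ra(router_lifetime: int, prefix: str, dns=None) -> bytes:
    """Construct a minimal RA for test data (checksum left as zero)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, router_lifetime, 0, 0)
    net = ipaddress.IPv6Network(prefix)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      86400, 14400, 0) + net.network_address.packed
    rdnss = b""
    if dns:
        addrs = b"".join(ipaddress.IPv6Address(a).packed for a in dns)
        rdnss = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, 1800) + addrs
    return hdr + pio + rdnss


def run_demo() -> dict:
    """Constructed traffic: the real router fe80::1 at a normal cadence, then a
    spoofing host (hypothetical fe80::dead:beef) sending an RA every 200 ms."""
    mon = RaMonitor(allowed_routers=["fe80::1"], allowed_dns=["2001:db8::53"])
    good = build_ra(1800, "2001:db8:1::/64", dns=["2001:db8::53"])
    rogue = build_ra(9000, "2001:db8:bad::/64", dns=["2001:db8:bad::1"])
    alerts = {"fe80::1": [], "fe80::dead:beef": []}
    for t in (0.0, 200.0):
        alerts["fe80::1"] += mon.observe("fe80::1", good, t)[1]
    for i in range(5):
        alerts["fe80::dead:beef"] += mon.observe("fe80::dead:beef", rogue, 300.0 + 0.2 * i)[1]
    return alerts


if __name__ == "__main__":
    for src, found in run_demo().items():
        print(src, "->", found or "clean")
```

The legitimate router produces no findings; the spoofing host trips the unknown-router and unapproved-resolver checks on every packet and the rate check from its third RA onward. On a real network the same logic runs over RAs pulled from a pcap or a live capture, with the allowlists populated from the switch's router-facing ports.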