IPv6 networking feature hit by hackers to hijack software updates
Chinese hackers are running a SLAAC attack

- Chinese threat actor TheWizards observed running a SLAAC attack since 2022
- The attack delivers tainted software updates
- Most victims are in China, Hong Kong, the Philippines, and UAE
A threat actor called TheWizards has been running SLAAC spoofing attacks against organizations, cybersecurity researchers at ESET have revealed, claiming the group is aligned with the Chinese government.
In the campaign, the attackers would use a tool called Spellbinder to send fake Router Advertisement (RA) messages to their targets.
These messages trick devices into thinking the attacker’s system is the legitimate router, causing them to route all their internet traffic through the hacker’s machine. Since this method manipulates the Stateless Address Autoconfiguration (SLAAC) process, the entire attack was dubbed “SLAAC spoofing”.
Once TheWizards start controlling the traffic, they use Spellbinder to intercept DNS queries for legitimate software update domains and redirect them.
As a result, the victims end up downloading trojanized versions of software updates, containing the WizardNet backdoor.
This piece of malware, ESET further explained, grants TheWizards remote access to the victim devices. It communicates over encrypted TCP or UDP sockets and uses a SessionKey based on system identifiers for AES encryption.
Besides loading and executing .NET modules in-memory, WizardNet can extract system data, list running processes, and maintain persistence.
The campaign has been ongoing since at least 2022, ESET added, mainly targeting people and businesses in China, Hong Kong, Cambodia, the Philippines, and the UAE.
Apparently, the crooks are currently tricking people into downloading a fake Tencent update: “The malicious server that issues the update instructions was still active at the time of writing,” ESET said. Most of the corporate victims seem to be in the gambling vertical.
ESET also said that Spellbinder is monitoring for domains belonging not just to Tencent, but also Baidu, Xunlei, Youku, iQIYI, Kingsoft, Mango TV, Funshion, Youdao, Xiaomi, Xiaomi Miui, PPLive, Meitu, Qihoo 360, and Baofeng.
The best way to mitigate the risk is to monitor IPv6 traffic, or turn off the protocol if it’s not required in the environment, ESET concluded.
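As an added illustration of the IPv6 monitoring ESET recommends (this is not ESET's tooling or code from the report), the following Python script parses a constructed ICMPv6 Router Advertisement and flags the two things a SLAAC spoofing attack like the one described above would show: a sender that is not the known router (assumed here to be fe80::1) announcing itself as a default router, and an RA pushing a DNS server other than the expected one (assumed to be 2001:db8::53).

```python
import ipaddress
import struct

# Assumed for this example: the legitimate router's link-local address and the
# resolver the environment expects any RA to announce.
TRUSTED_ROUTERS = {"fe80::1"}
TRUSTED_DNS = {"2001:db8::53"}

# Constructed ICMPv6 Router Advertisement (type 134) as a monitor would see it
# once the Ethernet and IPv6 headers are stripped: hop limit 64, router lifetime
# 1800 s, then one RDNSS option (type 25, RFC 8106) announcing 2001:db8::53.
SAMPLE_RA = bytes.fromhex(
    "86000000" "40000708" "00000000" "00000000"   # RA header (checksum left 0)
    "19030000" "00000e10"                          # RDNSS: type, len=3, lifetime
    "20010db8" "0000000000000000" "00000053"       # 2001:db8::53
)

def parse_ra(icmpv6: bytes) -> dict:
    """Parse the RA header and its RDNSS options; the checksum is not verified."""
    if len(icmpv6) < 16 or icmpv6[0] != 134:
        raise ValueError("not an ICMPv6 Router Advertisement")
    router_lifetime = struct.unpack("!H", icmpv6[6:8])[0]
    ra = {"router_lifetime": router_lifetime, "rdnss": []}
    off = 16  # options start after the fixed 16-byte header
    while off + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1]  # length in 8-octet units
        if opt_len == 0 or off + opt_len * 8 > len(icmpv6):
            raise ValueError("malformed RA option")
        body = icmpv6[off + 2:off + opt_len * 8]
        if opt_type == 25:  # RDNSS: reserved(2) lifetime(4) then 16-byte addresses
            for i in range(6, len(body) - 15, 16):
                ra["rdnss"].append(ipaddress.IPv6Address(body[i:i + 16]).compressed)
        off += opt_len * 8
    return ra

def assess_ra(src: str, icmpv6: bytes) -> list:
    """Return alert strings for an RA that should not be on this segment."""
    ra = parse_ra(icmpv6)
    src = ipaddress.IPv6Address(src).compressed
    alerts = []
    # A non-zero router lifetime tells hosts to use the sender as default router,
    # which is how a spoofed RA pulls traffic through the attacker's machine.
    if src not in TRUSTED_ROUTERS and ra["router_lifetime"] > 0:
        alerts.append(f"untrusted {src} claims default router role for {ra['router_lifetime']}s")
    for dns in ra["rdnss"]:
        if dns not in TRUSTED_DNS:
            alerts.append(f"RA from {src} pushes unexpected DNS server {dns}")
    return alerts
```

In a real deployment the source address would come from the IPv6 header of each captured RA, and the two allowlists from the network's inventory.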
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.