Mallory
Malware · Used by 3 actors

WizardNet

WizardNet is a modular Windows backdoor first publicly disclosed by ESET in April 2025 and associated with the China-aligned threat actor TheWizards. It is delivered via the Spellbinder adversary-in-the-middle framework, which abuses IPv6 Stateless Address Autoconfiguration spoofing and ICMPv6 Router Advertisements to position the attacker as the victim’s gateway, intercept DNS queries, and hijack legitimate software update traffic. ESET observed this delivery chain against Chinese software update mechanisms including Tencent QQ and previously Sogou Pinyin. In the observed infection flow, attackers deploy a ZIP archive containing AVGApplicationFrameHost.exe, wsc.dll, log.dat, and winpcap.exe; the legitimate AVG component is abused for DLL sideloading, wsc.dll reads shellcode from log.dat, and the shellcode loads Spellbinder in memory. Spellbinder then redirects targeted update traffic to attacker-controlled infrastructure, causing victims to download a malicious DLL or archive that retrieves an encrypted blob whose loader executes WizardNet in memory.
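Spellbinder's positioning step depends on rogue ICMPv6 Router Advertisements, so the network-side check a defender would run is an RA audit over captured IPv6 traffic: flag any RA whose source is not a known gateway, whose hop limit is not 255, or whose RDNSS option points clients at an unexpected resolver. The following is an added example written for this page, not code from ESET, Mallory, or Spellbinder; the page does not describe Spellbinder's packet contents, so the checks are generic RA-guard logic. The allowlists, the two sample frames, the MAC addresses and the fe80::/2001:db8:: addresses are constructed test data.

```python
import struct
import ipaddress

# Protocol constants (RFC 8200 / RFC 4861 / RFC 8106)
ICMPV6_NEXT_HEADER = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LINK_LAYER = 1
OPT_PREFIX_INFO = 3
OPT_RDNSS = 25


def parse_ipv6(packet):
    """Split a raw IPv6 packet into the header fields this audit needs. Returns None if not IPv6."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None
    payload_len, next_header, hop_limit = struct.unpack("!HBB", packet[4:8])
    return {
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(packet[8:24]),
        "dst": ipaddress.IPv6Address(packet[24:40]),
        "payload": packet[40:40 + payload_len],
    }


def parse_router_advertisement(payload):
    """Decode an ICMPv6 Router Advertisement and its options. Returns None if the payload is not an RA."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return None
    router_lifetime = struct.unpack("!H", payload[6:8])[0]
    ra = {"router_lifetime": router_lifetime, "source_mac": None, "prefixes": [], "dns_servers": []}
    offset = 16
    while offset + 2 <= len(payload):
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:
            break  # RFC 4861: a zero-length option is invalid; stop parsing
        body = payload[offset + 2:offset + opt_len * 8]
        if opt_type == OPT_SOURCE_LINK_LAYER and len(body) >= 6:
            ra["source_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif opt_type == OPT_PREFIX_INFO and len(body) >= 30:
            ra["prefixes"].append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif opt_type == OPT_RDNSS and len(body) >= 6:
            addrs = body[6:]  # reserved(2) + lifetime(4) precede the address list
            for i in range(0, len(addrs) - 15, 16):
                ra["dns_servers"].append(ipaddress.IPv6Address(addrs[i:i + 16]))
        offset += opt_len * 8
    return ra


def audit_router_advertisements(frames, trusted_routers, trusted_dns):
    """Flag RAs of the kind a rogue-gateway tool would send: an untrusted source claiming
    to be a router, or an RDNSS option steering clients to an unexpected resolver.
    Returns human-readable alert strings in packet order."""
    alerts = []
    for i, pkt in enumerate(frames):
        hdr = parse_ipv6(pkt)
        if hdr is None or hdr["next_header"] != ICMPV6_NEXT_HEADER:
            continue
        ra = parse_router_advertisement(hdr["payload"])
        if ra is None:
            continue
        src = str(hdr["src"])
        if hdr["hop_limit"] != 255:
            alerts.append(f"packet {i}: RA from {src} with hop limit {hdr['hop_limit']} (RFC 4861 requires 255)")
        if src not in trusted_routers:
            alerts.append(f"packet {i}: RA from untrusted router {src} (MAC {ra['source_mac']}) advertising {ra['prefixes']}")
        rogue_dns = [str(d) for d in ra["dns_servers"] if str(d) not in trusted_dns]
        if rogue_dns:
            alerts.append(f"packet {i}: RA from {src} pushes unexpected DNS servers {rogue_dns}")
    return alerts


def build_ra(src_ll, mac, prefix, dns=None, hop_limit=255):
    """Build a minimal IPv6/ICMPv6 RA frame as constructed test input (checksum left zero)."""
    options = bytes([OPT_SOURCE_LINK_LAYER, 1]) + mac
    options += (bytes([OPT_PREFIX_INFO, 4, 64, 0xC0]) + struct.pack("!III", 2592000, 604800, 0)
                + ipaddress.IPv6Address(prefix).packed)
    if dns:
        options += bytes([OPT_RDNSS, 3, 0, 0]) + struct.pack("!I", 1800) + ipaddress.IPv6Address(dns).packed
    icmp = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0) + options
    ipv6 = (struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6_NEXT_HEADER, hop_limit)
            + ipaddress.IPv6Address(src_ll).packed + ipaddress.IPv6Address("ff02::1").packed)
    return ipv6 + icmp


# Constructed sample traffic: one RA from the real gateway, one from a rogue host that
# announces itself as a router and hands out its own address as the DNS resolver.
TRUSTED_ROUTERS = {"fe80::1"}
TRUSTED_DNS = {"2001:db8::53"}
SAMPLE_FRAMES = [
    build_ra("fe80::1", bytes.fromhex("001122334455"), "2001:db8:1::", "2001:db8::53"),
    build_ra("fe80::dead:beef", bytes.fromhex("66778899aabb"), "2001:db8:1::", "fe80::dead:beef"),
]

if __name__ == "__main__":
    for alert in audit_router_advertisements(SAMPLE_FRAMES, TRUSTED_ROUTERS, TRUSTED_DNS):
        print(alert)
```

On a real network the frames would come from a capture on the segment where the victims sit; the same three conditions are what switch-level RA Guard enforces, so a hit here on a network that already has RA Guard usually means the guard is missing on that port.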

WizardNet is described as a modular implant that connects to a remote controller to receive and execute .NET modules on the compromised machine. The loader attempts defense evasion by patching AmsiScanBuffer to bypass AMSI and patching EtwEventWrite to disable ETW logging. It initializes the .NET runtime, decrypts the payload, and runs WizardNet in memory. WizardNet creates a mutex named Global\<MD5(computer_name)>, derives a SessionKey from MD5(computer name + install time + disk serial), stores it under HKCU\Software\<MD5(computer_name)>\<MD5(computer_name)>mid, and communicates over TCP or UDP using AES-ECB with PKCS7 padding. It can read shellcode from ppxml.db or registry key HKCU\000000 and attempts to inject shellcode into explorer.exe or %ProgramFiles%\Windows Photo Viewer\ImagingDevices.exe.
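The mutex name and the SessionKey registry path are both derived from MD5(computer_name), so a responder can precompute the exact strings to look for on a given host and also sweep for the generic shape (a Global\ mutex or HKCU\Software value that is nothing but 32 hex digits) on hosts whose name may have changed since infection. The script below is an added example for this page, not ESET's or Mallory's code. The page does not state which string encoding is hashed or whether the hex is upper- or lower-case, so it assumes UTF-8 and compares case-insensitively; the host name, the observed mutex list and the observed registry values are constructed.

```python
import hashlib
import re

# Artifact shapes from the ESET description: mutex Global\<MD5(computer_name)>, SessionKey
# under HKCU\Software\<MD5(computer_name)>\<MD5(computer_name)>mid, shellcode in HKCU\000000
# or ppxml.db. Encoding and hex case are assumptions (UTF-8, compared case-insensitively).
HEX32 = r"[0-9a-f]{32}"
GENERIC_MUTEX = re.compile(r"^global\\" + HEX32 + r"$")
GENERIC_REGVALUE = re.compile(r"^hkcu\\software\\(" + HEX32 + r")\\\1mid$")


def md5_hex(value):
    """MD5 of the UTF-8 encoding of value, as lower-case hex (encoding is an assumption)."""
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def expected_artifacts(computer_name):
    """Derive the host-specific names WizardNet would use on a machine with this name."""
    h = md5_hex(computer_name)
    return {
        "mutex": f"Global\\{h}",
        "registry_value": f"HKCU\\Software\\{h}\\{h}mid",
        "shellcode_registry_key": "HKCU\\000000",
        "shellcode_file": "ppxml.db",
    }


def hunt(computer_name, observed_mutexes, observed_registry_values):
    """Return (kind, observed_name, reason) tuples: exact matches against the derived names,
    generic pattern matches for hosts whose name no longer matches what the implant hashed,
    and any value under the HKCU\000000 shellcode key."""
    exp = expected_artifacts(computer_name)
    findings = []
    for m in observed_mutexes:
        if m.lower() == exp["mutex"].lower():
            findings.append(("mutex", m, "exact match for this host name"))
        elif GENERIC_MUTEX.match(m.lower()):
            findings.append(("mutex", m, "Global\\<md5> pattern, host name does not match"))
    for v in observed_registry_values:
        if v.lower() == exp["registry_value"].lower():
            findings.append(("registry", v, "exact match for this host name"))
        elif GENERIC_REGVALUE.match(v.lower()):
            findings.append(("registry", v, "<md5>\\<md5>mid pattern, host name does not match"))
        elif v.lower().startswith("hkcu\\000000"):
            findings.append(("registry", v, "shellcode storage key"))
    return findings


# Constructed sample input: a host name plus mutex and registry names as a collection tool
# might list them. Only the WizardNet-shaped entries should be reported.
HOST = "WS-FINANCE-07"
_H = md5_hex(HOST)
_OTHER = "0123456789abcdef0123456789abcdef"
OBSERVED_MUTEXES = [
    "Global\\SM0:1234:120:WilStaging_02",   # ordinary Windows mutex, must not match
    f"Global\\{_H.upper()}",                # WizardNet-style mutex for this host
    f"Global\\{_OTHER}",                    # right shape, different host name
]
OBSERVED_REGISTRY_VALUES = [
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
    f"HKCU\\Software\\{_H}\\{_H}mid",       # SessionKey value for this host
    f"HKCU\\Software\\{_OTHER}\\{_OTHER}mid",
    "HKCU\\000000\\(Default)",              # shellcode storage key
]

if __name__ == "__main__":
    for kind, name, reason in hunt(HOST, OBSERVED_MUTEXES, OBSERVED_REGISTRY_VALUES):
        print(f"{kind:8} {reason:45} {name}")
```

The generic patterns will also match any other software that happens to use a bare 32-hex mutex name, so treat a pattern-only hit as a lead to pull the process that owns the mutex, not as a conviction; an exact match on the host's own name is much stronger.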

ESET telemetry indicates targeting of individuals, gambling companies, and other entities in the Philippines, Cambodia, the United Arab Emirates, mainland China, Hong Kong, and elsewhere. Infrastructure mentioned in the reporting includes 43.155.116[.]7 and 43.155.62[.]54 for malicious update delivery and 43.135.35[.]84 (mkdmcdn[.]com) for WizardNet C2. Additional reporting noted infrastructure overlap between WizardNet and Cisco Talos’ DKnife framework, including host 43.132.205[.]118 hosting WizardNet on port 8881, and similar update-hijacking URL patterns shared with Spellbinder-linked activity. Trend Micro also reported ties between HOLODONUT and WizardNet, and linked WizardNet usage to TheWizards. ClamAV detection names referenced in the content include Win.Loader.WizardNet-10044819-0.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

TheWizards

“The downloader then acts as a conduit to drop a modular backdoor codenamed WizardNet.”

via The Hacker News (thehackernews.com)
TheWizard

...TheWizard via HOLODONUT and WizardNet ties.

via PolySwarm (blog.polyswarm.io)
china_nexus_apt_groups

"...code artifacts, and targeting patterns align with previously documented campaigns involving ShadowPad, DarkNimbus, and the WizardNet backdoor."

via Rescana blog (rescana.com)
MITRE ATT&CK

Techniques & procedures

21 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

3 techniques
T1583.001 Domains (evidence: 1)

“TheWizards has registered the domains hao[.]com, ssl-dns[.]com, and mkdmcdn[.]com.”

T1583.004 Server (evidence: 1)

“TheWizards acquired servers for hosting tools, C&C, and to serve malicious updates.”

T1587.001 Malware (evidence: 1)

“TheWizards uses custom malware such as the WizardNet backdoor and Spellbinder.”

Initial Access

2 techniques
T1195.002 Compromise Software Supply Chain (evidence: 2)

"...hijacking the software update mechanism associated with Sogou Pinyin..."; "...hijack the software update process for Tencent QQ... to serve a trojanized version"

T1659 Content Injection (evidence: 1)

“Spellbinder… redirect traffic and serve malicious updates… Spellbinder tool intercepts the DNS query for that domain name and issues a DNS answer with the IP address of an attacker-controlled server used for hijacking…”

Execution

2 techniques
T1106 Native API (evidence: 1)

“WizardNet uses CreateProcessA to execute processes it injects shellcode into.”

T1574.013 KernelCallbackTable (evidence: 1)

It delivers and interacts with the ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android application updates.

Persistence

1 technique
T1112 Modify Registry (evidence: 1)

“reads shellcode from… the value from the key HKCU\000000… The SessionKey is stored under the registry path HKCU\Software\<MD5(computer_name)>\<MD5(computer_name)>mid.”

Privilege Escalation

2 techniques
T1055 Process Injection (evidence: 1)

“WizardNet… attempts to inject [shellcode] into a new process of explorer.exe or %ProgramFiles%\Windows Photo Viewer\ImagingDevices.exe.”

T1055.004 Asynchronous Procedure Call (evidence: 1)

“WizardNet uses the QueueUserApc API to execute injected code.”

Stealth

6 techniques
T1027.007 Dynamic API Resolution (evidence: 1)

“The downloader and shellcode… dynamically resolve API addresses.”

T1027.009 Embedded Payloads (evidence: 1)

“The shellcode obtained by the downloader contains WizardNet in encrypted form.”

T1055 Process Injection (evidence: 1)

“WizardNet… attempts to inject [shellcode] into a new process of explorer.exe or %ProgramFiles%\Windows Photo Viewer\ImagingDevices.exe.”

T1055.004 Asynchronous Procedure Call (evidence: 1)

“WizardNet uses the QueueUserApc API to execute injected code.”

T1480.002 Mutual Exclusion (evidence: 1)

“During its initialization it creates a mutex named Global\<MD5(computer_name)>…”

T1574.013 KernelCallbackTable (evidence: 1)

It delivers and interacts with the ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android application updates.

Defense Impairment

1 technique
T1112 Modify Registry (evidence: 1)

“reads shellcode from… the value from the key HKCU\000000… The SessionKey is stored under the registry path HKCU\Software\<MD5(computer_name)>\<MD5(computer_name)>mid.”

Credential Access

1 technique
T1557 Adversary-in-the-Middle (evidence: 1)

Cisco Talos uncovered “DKnife,” a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants that perform deep-packet inspection, manipulate traffic, and deliver malware via routers and edge devices.

Discovery

3 techniques
T1082 System Information Discovery (evidence: 1)

“Send information… machine name, OS name and architecture, time since system started… privileges… private IP address.”

T1124 System Time Discovery (evidence: 1)

“WizardNet gets the system time.”

T1518.001 Security Software Discovery (evidence: 1)

“When obtaining a list of security solutions, it makes a list of running processes that match… 360tray… avp… mcshield… egui… rtvscan.”

Collection

1 technique
T1557 Adversary-in-the-Middle (evidence: 1)

Cisco Talos uncovered “DKnife,” a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants that perform deep-packet inspection, manipulate traffic, and deliver malware via routers and edge devices.

Command and Control

4 techniques
T1095 Non-Application Layer Protocol (evidence: 1)

“Depending on its configuration, WizardNet can then create a TCP or UDP socket to communicate with its C&C server…”

T1105 Ingress Tool Transfer (evidence: 2)

"...redirecting the traffic of legitimate Chinese software so that it downloads malicious updates from a server controlled by the attackers"

T1573.001 Symmetric Cryptography (evidence: 1)

“messages exchanged… encrypted with AES-ECB; the SessionKey is used as the key…”

T1659 Content Injection (evidence: 1)

“Spellbinder… redirect traffic and serve malicious updates… Spellbinder tool intercepts the DNS query for that domain name and issues a DNS answer with the IP address of an attacker-controlled server used for hijacking…”

Impact

1 technique
T1565.001 Stored Data Manipulation (evidence: 1)

"...intercepting the DNS query for the software update domain ... and issuing a DNS response with the IP address of an attacker-controlled server"

INDICATORS OF COMPROMISE

IOCs tracked for this family

5 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
3 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
1 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
1 tracked

Other indicator types observed in public reporting.

Type       Value                          Latest sighting
ip.v4      ●●●●●●●●●●●● (view in app)     5 months ago
uri        ●●●●●●●●●●●● (view in app)     5 months ago
domain     ●●●●●●●●●●●● (view in app)     5 months ago
hash.md5   ●●●●●●●●●●●● (view in app)     5 months ago
ip.v4      ●●●●●●●●●●●● (view in app)     1 year ago

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (5)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (3)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (21)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.