TheWizards is a threat actor, potentially China-aligned, known for conducting adversary-in-the-middle attacks. The group exhibits capabilities similar to those of other known China-aligned threat actors such as Evasive Panda and Mustang Panda (also known as Camaro Dragon), which have been observed delivering malware through updates of popular Chinese software and developing sophisticated backdoor techniques, respectively. Recent research suggests that TheWizards may be deploying network implants in their victims' networks, possibly by exploiting vulnerabilities in network appliances such as routers or gateways.
This speculation is based on our experience with these groups and on recent research into router implants attributed to BlackTech and Camaro Dragon. Both groups have shown a pattern of building custom router implants, suggesting a method that TheWizards may also employ. Given the similarities in behavior and tactics, it is reasonable to suspect that TheWizards uses comparable strategies to infiltrate and compromise their targets' networks.
Finally, our research has revealed the operations of three previously unidentified China-aligned groups: DigitalRecyclers, TheWizards, and PerplexedGoblin. DigitalRecyclers have been repeatedly compromising a governmental organization in the EU, while TheWizards have been conducting adversary-in-the-middle attacks. PerplexedGoblin is also active, targeting another government organization in the EU. This discovery underscores the persistent and evolving threat posed by these threat actors, highlighting the need for ongoing vigilance and robust cybersecurity measures.
Description last updated: 2024-03-06T00:48:25.543Z