TheWizards

Threat Actor Profile Updated 3 months ago
TheWizards is a threat actor, potentially China-aligned, known for conducting adversary-in-the-middle (AitM) attacks. The group exhibits capabilities similar to those of other known China-aligned threat actors such as Evasive Panda, which has been observed delivering malware through updates of popular Chinese software, and Mustang Panda (also known as Camaro Dragon), which has developed sophisticated backdoor techniques. Recent research suggests that TheWizards may be deploying network implants inside their victims' networks, possibly by exploiting vulnerabilities in network appliances such as routers or gateways. This speculation is based on our experience with these groups and on recent research into router implants attributed to BlackTech and Camaro Dragon; both groups have shown a pattern of building custom router implants, which points to a method TheWizards may also employ. Given the similarities in behaviour and tactics, it is reasonable to speculate that TheWizards could be using similar strategies to infiltrate and compromise their targets' networks. Finally, our research has revealed the operations of three previously unidentified China-aligned groups: DigitalRecyclers, TheWizards, and PerplexedGoblin. DigitalRecyclers have repeatedly compromised a governmental organization in the EU, TheWizards have been conducting adversary-in-the-middle attacks, and PerplexedGoblin is targeting another government organization in the EU. This underscores the persistent and evolving threat posed by these actors and the need for ongoing vigilance and robust cybersecurity measures.
Possible Aliases / Cluster overlaps
Tracking cluster overlaps and naming conventions across vendors is hard, so here are some possibly overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
Mustang Panda | 1 | Mustang Panda, also known as Bronze President, Nomad Panda, Naikon, Earth Preta, and Stately Taurus, is a Chinese-aligned threat actor that has been associated with widespread attacks against various countries in the Asia-Pacific region. The group's malicious activities were first traced back to Mar
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Implant
Associated Malware
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Evasive Panda | Unspecified | 1 | Evasive Panda, also known as BRONZE HIGHLAND and Daggerfly, is a threat actor group believed to be aligned with China. This group has been involved in a series of cyberespionage campaigns targeting Tibetans globally, starting from September 2023 or earlier. The group's operations have impacted syste
BlackTech | Unspecified | 1 | BlackTech is a threat actor, or a group responsible for carrying out malicious cyber activities. Known for its links to China, BlackTech focuses on gathering intelligence from technology and government organizations, predominantly in the Asia-Pacific region. This group has shown a high degree of sop
Camaro Dragon | Unspecified | 1 | Camaro Dragon, a Chinese state-sponsored threat actor, has been identified as the source of several cyber attacks on European foreign affairs entities. Checkpoint Research has discovered and analyzed a custom firmware image affiliated with Camaro Dragon, which contained multiple malicious components
Associated Vulnerabilities
No associations to display
Source Document References
Information about the TheWizards threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
ESET | 6 months ago | NSPX30: A sophisticated AitM-enabled implant evolving since 2005
CERT-EU | 9 months ago | ESET APT Activity Report Q2–Q3 2023