Domain · Medium · Signal 58/100
mkdmcdn.com
Location
First Seen: May 4, 2025
Last Seen: Jun 22, 2026
Found in 10 reports. Confidence: medium. Confidence scores are heuristic; verify before acting on results.
Domain Name: Malicious domain used for C2, phishing, or malware distribution.
MISP Category: Network Activity
Confidence: 58%
Signal Score: 58 / 100
IDS Rule: No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Feed Intelligence Summary
Source reports: 10
Confidence score: 58%
Category tags: .net, adversary-in-the-middle, adversary-in-the-middle attack, aitm, apt, apt group: thewizards, arp spoofing, asia, asian government entities, backdoor, biopass rat, botnet, c server, c&c framework, c2 framework, cambodia, china, china-aligned, china-aligned apt, civil services, classic asp, cobalt strike, command and control, command execution, communication protocol, credential harvesting, credential theft, cyber espionage, darknights, darknimbus, data exfiltration, data interception, digital media, distributed attacks, dll sideloading, donut, downloader, earth minotaur, entertainment technology, file, gambling industry, government technology, grayrabbit c, grayrabbit c&c, holodonut c, holodonut c&c, honeymyte, hong kong, http scanner, https, indicator, infrastructure acquisition reconnaissance, ipv6, ipv6 exploitation, jscript, korean, lateral movement, lolbins, malicious activity, malicious powershell activity, malicious software, malware, malware: spellbinder, malware: wizardnet, man-in-the-middle, man-in-the-middle attack, media & entertainment, media distribution, mfa bypass, mitm, mkdoor, mkdoor c, mkdoor c&c, mshta, multimedia production, multiple apt actors, network, network manipulation, network sniffing, network spoofing, peckbirdy c, peckbirdy framework, philippines, phishing, phishing attack, process injection, public administration, public infrastructure, public policy, purerat, regulatory agencies, remote access, researched, router advertisement spoofing, sandworm, script injection, script-based malware, scripting attacks, session hijacking, shadowvoid044, slaac, slaac spoofing, social engineering, software update, software update hijacking, spellbinder tool, streaming services, t1005, t1016, t1021, t1021.001, t1027, t1027.005, t1036, t1041, t1053.005, t1055, t1059, t1059.001, t1059.003, t1059.007, t1064, t1068, t1071, t1071.001, t1071.004, t1078, t1080, t1082, t1086, t1087, t1095, t1105, t1106, t1110, t1112, t1133, t1189, t1190, t1195, t1195.001, t1195.002, t1202, t1204, t1204.002, t1216.001, t1218.005, t1486, t1496, t1499.002, t1499.003, t1547.001, t1550, t1550.002, t1550.003, t1553.002, t1555, t1557, t1557.001, t1558, t1558.003, t1558.004, t1565, t1566, t1566.001, t1566.002, t1566.003, t1569.002, t1571, t1573.001, t1587.001, t1588.002, t1588.006, t1590.001, t1595, thewizards, thewizards apt, threat actor, threat actor: thewizards, traffic redirection, ttps, type indicator, united arab emirates, upsec, uuid shellcode, vision one, web traffic, wscript
Activity Timeline: Jun 22
Threat Activity Heatmap (reports per window)
24h: 0 (Dormant)
7d: 1 (Minimal)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: 58 (Medium Risk)
Signal Score: 58
Confidence: 58%
Reports: 10
First seen: May 4, 2025
Last seen: Jun 22, 2026
VirusTotal: Not checked
WHOIS
Description: TheWizards, a China-aligned APT group, employs Spellbinder, a lateral movement tool for adversary-in-the-middle attacks through IPv6 SLAAC spoofing. This technique allows them to intercept network traffic and redirect legitimate Chinese software updates to malicious servers. The group targets individuals, gambling companies, and entities in Southeast Asia, UAE, China, and Hong Kong. Their malware chain includes the WizardNet backdoor and utilizes DNS hijacking to deliver malicious updates. Evidence links TheWizards to Sichuan Dianke Network Security Technology Co., Ltd. (UPSEC), suggesting it may be a digital quartermaster for this APT group. The attackers use sophisticated tools and techniques to evade detection and maintain persistence on compromised systems.
IOC Journey: medium confidence. First detected 1 year ago; last seen 4 days ago. Appeared in 10 threat reports.