Skip to main content
Mallory
Back to threat actors
4 malware familiesExploits CVEs in the wild

TheWizard

Also known asTheWizard

TheWizard is an APT group referenced in connection with the WizardNet backdoor. Trend Micro-assessed activity links TheWizard to HOLODONUT through infrastructure overlap: some HOLODONUT samples connected to the C2 server mkdmcdn.com, which was also reported as used by TheWizard, and HOLODONUT is described as likely linked to WizardNet, a backdoor used by an APT similarly named TheWizard. Attribution in the reporting connects SHADOW-VOID-044 to TheWizard via HOLODONUT and WizardNet ties. TheWizard is also noted as having used the DarkNimbus backdoor, which the reporting says was developed by Earth Minotaur. The broader activity discussed in the source material is assessed as potentially linked to China-aligned APT actors, but the content does not directly and conclusively state that TheWizard itself is a China-aligned or nation-state actor.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • gambling
MITRE ATT&CK

Tradecraft

4 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

3 of 15 tactics3 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
1 technique
T1189
Drive-by Compromise
TA0005
Stealth
1 technique
T1620
Reflective Code Loading
TA0011
Command and Control
1 technique
T1105
Ingress Tool Transfer
ARSENAL

Associated malware families

4 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
HOLODONUTAssociated backdoors include HOLODONUT and MKDOOR.3Mar 18, 2026
DarkNimbus...TheWizard APT group, which also deployed DarkNimbus backdoor developed by Earth Minotaur.2Mar 8, 2026
WizardNet...TheWizard via HOLODONUT and WizardNet ties.2Mar 18, 2026
PeckBirdyResearchers have identified PeckBirdy, a versatile JScript-based C2 framework, deployed since 2023 in campaigns linked to China-aligned APT actors.1Mar 18, 2026
WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2020-16040Insufficient data validation in Google Chrome V8In the wildEvidence1

Delivered scripts observed include CVE-2020-16040 exploitation for Chrome, social engineering pop-ups, Electron JS backdoor delivery, and TCP reverse shell establishment.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
gbhackersNews
Feb 2, 2026
PeckBirdy Hackers Abuse LOLBins Across Environments to Deploy Advanced Malware

Referenced due to shared C2 infrastructure (mkdmcdn.com) with HOLODONUT samples; described as also deploying the DarkNimbus backdoor.

Read more
dark readingNews
Jan 28, 2026
China-Backed 'PeckBirdy' Takes Flight for Cross-Platform Attacks

APT referenced as a likely linkage point for the newly observed HoloDonut backdoor via similarity/association with WizardNet.

Read more
trend micro researchNews
Jan 26, 2026
PeckBirdy: A Versatile Script Framework for LOLBins Exploitation Used by China-aligned Threat Groups | Trend Micro (US)

China-aligned APT referenced due to infrastructure overlap: HOLODONUT samples in SHADOW-VOID-044 used a C2 also used by TheWizard. TheWizard is also noted as having used DarkNimbus (developed by Earth Minotaur).

Read more
polyswarmNews
Feb 6, 2026
China Nexus Threat Actors Use PeckBirdy C2 Framework

Assessed linked (via HOLODONUT and WizardNet ties) to PeckBirdy-enabled activity delivering .NET backdoors and related tooling in China-aligned operations.

Read more
+1 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping4

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal4

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.