Cybersecurity researchers have disclosed a gateway-monitoring and adversary-in-the-middle (AITM) framework called DKnife that has been operated by China-nexus threat actors since at least 2019.
The framework consists of seven Linux-based implants designed to perform deep packet inspection, manipulate traffic, and distribute malware through routers and edge devices. Its primary targets appear to be Chinese-speaking users, an assessment based on the presence of credential-harvesting phishing pages for Chinese email services, exfiltration modules for popular Chinese mobile applications such as WeChat, and code references to Chinese media domains.
“DKnife attacks target a wide variety of devices, including PCs, mobile devices, and Internet of Things (IoT) devices,” Cisco Talos researcher Ashley Shen said in Thursday’s report. “It delivers and interacts with the ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android application updates.”
The cybersecurity company said it discovered DKnife as part of its ongoing monitoring of another Chinese threat activity cluster, codenamed Earth Minotaur, which is linked to tools like the Moonshine exploit kit and the DarkNimbus (aka DarkKnights) backdoor. Interestingly, the backdoor has also been used by a third China-aligned advanced persistent threat (APT) group called TheWizards.
Analysis of DKnife's infrastructure revealed an IP address hosting WizardNet, a Windows implant deployed by TheWizards via an AITM framework called Spellbinder. Details of that toolkit were documented by ESET in April 2025.
The assessment that Chinese-speaking users are the targets rests on configuration files obtained from a single command-and-control (C2) server, Cisco said, raising the possibility that other servers host different configurations for different regional targeting.
This is significant in light of the infrastructure connections between DKnife and WizardNet, as TheWizards are known to target individuals and the gambling sector in Cambodia, Hong Kong, Mainland China, the Philippines and the United Arab Emirates.
Figure: Functions of the seven DKnife components
Unlike WizardNet, DKnife is engineered to run on Linux-based devices. Its modular architecture enables operators to perform a wide range of tasks, from packet analysis to traffic manipulation. Delivered by an ELF downloader, it consists of seven components –
- dknife.bin – the central nervous system of the framework responsible for deep packet inspection, user activity reporting, binary download hijacking and DNS hijacking.
- postapi.bin – a data reporter module that acts as a relay by receiving traffic from DKnife and reporting it to the remote C2
- sslmm.bin – a reverse proxy module modified from HAProxy that performs TLS termination, email decryption, and URL rerouting
- mmdown.bin – an updater module that connects to a hard-coded C2 server to download the APK used for the attack
- yitiji.bin – a packet forwarder module that creates a bridged TAP interface on the router to host and route attacker-injected LAN traffic
- remote.bin – a peer-to-peer (P2P) VPN client module that creates a communication channel to the remote C2
- dkupdate.bin – an updater and watchdog module that keeps various components alive
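A defender triaging a router for a packet-forwarder component like yitiji.bin wants a quick answer to one question: has a TAP device been attached to the LAN bridge? The following Python script is an added example written for this page, not Talos or DKnife code. It reads the standard Linux sysfs layout directly (tun_flags exists only for tun/tap devices, brport/bridge is a symlink on bridge ports, bridge/ exists on bridge devices), so it needs no iproute2 or bridge-utils on a stripped-down device. The sysfs tree it builds for the demo is constructed, and the expected_taps allow-list and the interface names br-lan, eth0 and tap0 are assumptions.

```python
import os
import tempfile

IFF_TAP = 0x0002  # from linux/if_tun.h; the kernel exposes tun_flags in sysfs as hex


def iface_info(sysroot, name):
    """Collect the few sysfs facts needed to spot a TAP device on a bridge."""
    base = os.path.join(sysroot, "class", "net", name)
    info = {"name": name, "tap": False, "is_bridge": False, "bridge_member_of": None}
    flags_path = os.path.join(base, "tun_flags")      # present only for tun/tap devices
    if os.path.isfile(flags_path):
        with open(flags_path) as f:
            info["tap"] = bool(int(f.read().strip(), 16) & IFF_TAP)
    info["is_bridge"] = os.path.isdir(os.path.join(base, "bridge"))
    link = os.path.join(base, "brport", "bridge")      # symlink present on bridge ports
    if os.path.islink(link):
        info["bridge_member_of"] = os.path.basename(os.readlink(link))
    return info


def find_tap_bridges(sysroot="/sys", expected_taps=()):
    """Return [(tap_name, bridge_or_None)] for every TAP interface not listed in
    expected_taps (a hypothetical allow-list of legitimate VPN/virtualisation TAPs)."""
    netdir = os.path.join(sysroot, "class", "net")
    findings = []
    for name in sorted(os.listdir(netdir)):
        info = iface_info(sysroot, name)
        if info["tap"] and name not in expected_taps:
            findings.append((name, info["bridge_member_of"]))
    return findings


def build_sample_sysfs():
    """Constructed sysfs tree for the demo: bridge br-lan with ports eth0 and an
    unexpected tap0, plus lo. Not copied from any real device."""
    root = tempfile.mkdtemp()
    net = os.path.join(root, "class", "net")
    for name in ("br-lan", "eth0", "tap0", "lo"):
        os.makedirs(os.path.join(net, name))
    os.makedirs(os.path.join(net, "br-lan", "bridge"))
    for port in ("eth0", "tap0"):
        os.makedirs(os.path.join(net, port, "brport"))
        os.symlink("../../br-lan", os.path.join(net, port, "brport", "bridge"))
    with open(os.path.join(net, "tap0", "tun_flags"), "w") as f:
        f.write("0x1002\n")  # IFF_TAP | IFF_NO_PI, formatted the way the kernel prints it
    return root


if __name__ == "__main__":
    root = build_sample_sysfs()          # use "/sys" on a real router
    for tap, bridge in find_tap_bridges(root):
        print(f"TAP {tap} attached to bridge {bridge}")
```

On a real device, run it against "/sys" and compare the result with what the device is supposed to run; a TAP enslaved to the LAN bridge on a router with no VPN or virtualisation role is the kind of finding that justifies pulling the firmware for a closer look.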
“DKnife could obtain credentials from a major Chinese email provider and host phishing pages for other services,” Talos said. “To collect email credentials, the sslmm.bin component presents its own TLS certificate to clients, terminates and decrypts POP3/IMAP connections, and inspects the plaintext stream to extract usernames and passwords.”
“The extracted credentials are tagged with ‘password’, forwarded to the PostAPI.bin component, and ultimately relayed to the remote C2 server.”
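To make concrete what a TLS-terminating proxy such as sslmm.bin gets to see, here is an added Python example written for this page (not Talos' or DKnife's code). It parses the client side of a decrypted POP3/IMAP stream and pulls out every credential exchange, including SASL PLAIN, which is base64 and not encryption. The sample session is constructed, and the 'password' tag and record layout are an assumption about DKnife's reporting format, not the real one. It generalises slightly beyond the quoted description: it handles IMAP LOGIN with quoted arguments and AUTH/AUTHENTICATE PLAIN with or without an initial client response, not only POP3 USER/PASS.

```python
import base64
import binascii
import shlex

# Constructed client->server lines as they look once TLS has been terminated.
SAMPLE_STREAM = "\r\n".join([
    "USER alice@example.com",
    "PASS hunter2",
    'a001 LOGIN "bob@example.com" "p@ss word"',
    "AUTH PLAIN",
    base64.b64encode(b"\0carol@example.com\0tr0ub4dor").decode(),
    "a002 AUTHENTICATE PLAIN " + base64.b64encode(b"\0dave\0s3cret").decode(),
    "a003 NOOP",
]) + "\r\n"


def _decode_sasl_plain(b64):
    """SASL PLAIN is base64 of authzid\\0authcid\\0passwd (RFC 4616); no secrecy at all."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (ValueError, binascii.Error):
        return None
    parts = raw.split(b"\0")
    if len(parts) != 3:
        return None
    _authzid, user, password = (p.decode("utf-8", "replace") for p in parts)
    return {"user": user, "password": password}


def _record(proto, user, password):
    # The 'password' tag and this layout are assumptions, not DKnife's real format.
    return {"tag": "password", "proto": proto, "user": user, "password": password}


def extract_credentials(stream):
    """Pull credentials out of plaintext POP3/IMAP client traffic."""
    records = []
    pending_user = None        # POP3 USER seen, PASS still to come
    expect_plain_blob = False  # AUTH[ENTICATE] PLAIN sent without an initial response
    for line in stream.split("\r\n"):
        if not line:
            continue
        if expect_plain_blob:
            expect_plain_blob = False
            cred = _decode_sasl_plain(line)
            if cred:
                records.append(_record("sasl-plain", **cred))
            continue
        try:
            toks = shlex.split(line)   # handles IMAP quoted strings
        except ValueError:
            toks = line.split()
        upper = [t.upper() for t in toks]
        if upper[:1] == ["USER"] and len(toks) >= 2:
            pending_user = toks[1]
        elif upper[:1] == ["PASS"] and pending_user is not None and len(toks) >= 2:
            records.append(_record("pop3", pending_user, toks[1]))
            pending_user = None
        elif len(toks) >= 4 and upper[1] == "LOGIN":
            records.append(_record("imap", toks[2], toks[3]))
        elif "PLAIN" in upper and (upper[0] in ("AUTH", "AUTHENTICATE")
                                   or (len(upper) > 1 and upper[1] == "AUTHENTICATE")):
            idx = upper.index("PLAIN")
            if len(toks) > idx + 1:                      # initial response on the same line
                cred = _decode_sasl_plain(toks[idx + 1])
                if cred:
                    records.append(_record("sasl-plain", **cred))
            else:                                        # blob arrives on the next line
                expect_plain_blob = True
    return records


if __name__ == "__main__":
    for rec in extract_credentials(SAMPLE_STREAM):
        print(rec)
```

The only thing a client can notice in such a session is the substituted certificate, so a mail client configured to accept any certificate for its IMAP/POP3 host hands the account over; XOAUTH2 bearer tokens travel the same plaintext path once TLS is terminated, so they are no safer than a password here.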
The main component of the framework is “dknife.bin”, which takes care of deep packet inspection, allowing operators to run “traffic monitoring campaigns ranging from covert monitoring of user activity to proactive in-line attacks that replace legitimate downloads with malicious payloads.” This also includes –
- Serving Android and Windows variants of the DarkNimbus malware with updated C2 information
- Conducting Domain Name System (DNS) hijacking over IPv4 and IPv6 to facilitate malicious redirects involving JD.com-related domains
- Hijacking and altering Android application updates belonging to Chinese news media, video streaming, image editing apps, e-commerce platforms, taxi-service platforms, gaming, and pornography video streaming apps by intercepting their update manifest requests
- Hijacking Windows and other binary downloads based on certain pre-configured rules to load a ShadowPad backdoor via a DLL, which then loads DarkNimbus
- Interference with communications from antivirus and PC-management products, including 360 Total Security and Tencent services
- Monitoring user activity in real time and reporting it back to the C2 server
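Because an in-line hijack of the kind described swaps the response body in flight, the file that lands on disk is the place to check. The following Python example is added for this page (not Talos or DKnife code): it compares the download's SHA-256 with a hash obtained out of band and parses the PE header to see whether an Authenticode blob is even present, via data directory 4 (IMAGE_DIRECTORY_ENTRY_SECURITY, which holds a file offset rather than an RVA). Presence is not validity; a signature that is present still has to be verified with signtool or osslsigncode. The minimal PE images it builds are constructed for the demo and are not executable.

```python
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def security_directory(data):
    """Return (file_offset, size) of the WIN_CERTIFICATE blob, or None when the
    bytes are not a PE or carry no Authenticode directory."""
    try:
        if data[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        opt = e_lfanew + 4 + 20                  # skip signature + IMAGE_FILE_HEADER
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == PE32_MAGIC:
            dirs = opt + 96                      # data directories start here in PE32
        elif magic == PE32PLUS_MAGIC:
            dirs = opt + 112                     # and here in PE32+
        else:
            return None
        off, size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    except struct.error:                         # truncated header
        return None
    return (off, size) if size and off + size <= len(data) else None


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_download(data, expected_sha256):
    """Two cheap checks on a downloaded Windows binary. expected_sha256 must come
    from an independent path (vendor page over another network, not this gateway)."""
    findings = []
    digest = sha256_hex(data)
    if digest != expected_sha256.lower():
        findings.append("sha256 mismatch: body differs from the out-of-band hash")
    if security_directory(data) is None:
        findings.append("no Authenticode security directory (unsigned or not a PE)")
    return {"sha256": digest, "findings": findings, "ok": not findings}


def build_minimal_pe(signed):
    """Constructed for the demo: DOS header + PE32+ headers with 16 data directories,
    optionally followed by a dummy WIN_CERTIFICATE referenced from directory 4.
    Not a loadable executable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)   # x64, 240-byte optional header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)                             # NumberOfRvaAndSizes
    header_len = len(dos) + 4 + len(coff) + len(opt)
    cert = b""
    if signed:
        # dwLength, wRevision (2.0), wCertificateType (PKCS#7), then 4 dummy bytes
        cert = struct.pack("<IHH", 12, 0x0200, 0x0002) + b"\0" * 4
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, header_len, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert


if __name__ == "__main__":
    original = build_minimal_pe(signed=True)
    swapped = build_minimal_pe(signed=False)      # stand-in for a hijacked response body
    published = sha256_hex(original)              # hash fetched out of band
    print(check_download(original, published))
    print(check_download(swapped, published))
```

A swapped installer typically trips both checks at once; a DLL side-loading package that keeps the vendor's signed executable and adds an unsigned DLL beside it trips only the hash check, which is why the out-of-band hash matters more than the signature probe.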
“Routers and edge devices remain prime targets in sophisticated targeted attack campaigns,” Talos said. “As threat actors intensify their efforts to compromise this infrastructure, it is important to understand the tools and TTPs they use. The discovery of the DKnife framework highlights the advanced capabilities of modern AITM threats, which blend deep-packet inspection, traffic manipulation, and customized malware delivery across a wide range of device types.”