- Cisco Talos uncovered “DKnife,” a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants that perform deep-packet inspection, manipulate traffic, and deliver malware via routers and edge devices. Based on the artifact metadata, DKnife has been used since at least 2019, and the command and control (C2) servers are still active as of January 2026.
- DKnife’s attacks target a wide range of devices, including PCs, mobile devices, and Internet of Things (IoT) devices. It delivers and interacts with the ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android application updates.
- DKnife primarily targets Chinese-speaking users, indicated by credential harvesting for Chinese-language services, exfiltration modules for popular Chinese mobile applications, and code references to Chinese media domains. Based on the language used in the code, configuration files, and the ShadowPad malware delivered in the campaign, we assess with high confidence that China-nexus threat actors operate this tool.
Article Summaries:
- Cisco Talos has identified “DKnife,” a sophisticated gateway-monitoring and adversary-in-the-middle (AitM) framework that has been active since at least 2019. DKnife deploys seven Linux-based implants to inspect, manipulate, and inject malware through routers, PCs, mobile devices, and IoT endpoints. It delivers ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android app updates, and it specifically targets Chinese-speaking users, harvesting credentials for Chinese services and exfiltrating data from popular Chinese mobile apps. Talos also uncovered a link to the WizardNet backdoor, suggesting shared development with the Spellbinder AitM framework, and confirmed that DKnife’s command-and-control servers remain operational as of January 2026.
Sources: