DKnife targets network gateways in long running AitM campaign

Published 9 February 2026 at https://newestek.com/?p=15762

A previously undocumented China-linked adversary-in-the-middle (AitM) framework known as "DKnife" has been identified operating at network gateways, where it intercepts and manipulates in-transit traffic.

According to Cisco Talos' findings, the framework has been active since at least 2019 and remained operational as of early 2026. Rather than targeting endpoints directly, DKnife is deployed at the network edge, giving its operators visibility into and control over the traffic passing through compromised devices.

Talos researchers described it as a modular Linux-based system capable of deep packet inspection, credential interception and malicious content injection.

"DKnife's attacks target a wide range of devices, including PCs, mobile devices, and Internet of Things devices," they said in a blog post. "It delivers and interacts with ShadowPad (https://www.csoonline.com/article/572061/shadowpad-has-become-the-rat-of-choice-for-several-state-sponsored-chinese-apts.html) and DarkNimbus (https://www.trendmicro.com/en_us/research/24/l/earth-minotaur.html) backdoors by hijacking binary downloads and Android application updates."

Traffic hijacking and malware delivery

The researchers found that DKnife consists of seven Linux ELF components that work together to monitor and manipulate network traffic in real time. Once deployed on a gateway or similar edge device, the framework can inspect the traffic flows it can read in the clear (unencrypted, or decrypted upstream of it) and selectively modify responses before they reach their intended destination.

"The seven implants in DKnife serve the purpose of DPI engine, data reporting, reverse proxy for AitM attack, malicious APK download, framework update, traffic forwarding, and building a P2P communication channel with the remote C2," the researchers said (https://blog.talosintelligence.com/knife-cutting-the-edge/).

The framework was observed redirecting legitimate software update requests to attacker-controlled servers, enabling the delivery of secondary payloads posing as trusted updates. This allowed the attackers to compromise downstream systems without needing direct access to the endpoints themselves, the researchers noted. The update channels exposed to this kind of substitution are those that fetch binaries over plaintext HTTP and install them without verifying a publisher signature; an in-path gateway can swap the bytes, but it cannot produce a valid signature for the substituted binary.

Beyond update hijacking, the framework supports DNS manipulation, binary replacement and selective traffic forwarding, giving the attackers control over how specific requests are handled.

Indicators point to China-nexus development and targeting

Several aspects of DKnife's design and operation suggested ties to China-aligned threat actors. Talos identified configuration data and code comments written in Simplified Chinese, as well as handling logic tailored to Chinese-language email providers and mobile applications.

The framework was also found to collect credentials from services used within China, indicating specific targeting. Talos further linked DKnife's operations to the delivery of malware families previously associated with China-nexus activity, reinforcing the attribution.

"Based on the language used in the code, configuration files, and the ShadowPad malware delivered in the campaign, we assess with high confidence that China-nexus threat actors operate this tool," the researchers said, without naming any specific threat group.

Shared lineage and detection sabotage

Talos' investigation also revealed technical overlaps between DKnife and earlier AitM frameworks used in past campaigns.

"We discovered a link between DKnife and a campaign delivering WizardNet, a modular backdoor known to be delivered by a different AiTM framework, Spellbinder, suggesting a shared development or operational lineage," the researchers said.

Talos said DKnife includes a traffic inspection module that actively interferes with antivirus and PC-management communications. The module identifies 360 Total Security traffic by inspecting specific HTTP headers, such as DPUname and x-360-ver, and by matching known service domains. When a match is detected, the framework tears the connection down with crafted TCP reset packets. Because those resets come from a device in the path rather than from the server the client was talking to, they arrive after the handshake has already completed with the genuine server and before any response bytes, which is the pattern a defender can look for.

Similar behaviour targeting Tencent services and other PC-management endpoints was also observed, indicating deliberate efforts to weaken security tooling. To support detection, Talos published a list of indicators of compromise (https://github.com/Cisco-Talos/IOCs/blob/main/2026/02/knife-cutting-the-edge.txt), including file hashes, network artifacts and command-and-control (C2) infrastructure associated with DKnife, together with a set of ClamAV signatures for detecting and blocking the threat.
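The following is an added detection example written for this page; it is not Talos code and not part of the original article. Given HTTP requests and TCP segments reconstructed from a capture (the record classes, field names and the sample records below are constructed for the example), it flags antivirus or PC-management flows that were torn down by a server-side RST before any response arrived, and notes when the RST's IP TTL differs from the TTL of the server's own SYN/ACK, a second signal that the reset was injected by a device a different number of hops away. The two header names are the ones the article reports DKnife matching; the domain suffix `av-update.example` is a placeholder, since the page names no service domains and the real ones belong in the Talos IoC list.

```python
# Added example, not from the Talos write-up: detect in-path TCP resets against
# AV / PC-management HTTP traffic of the kind the DKnife DPI module is reported to send.
from collections import defaultdict
from dataclasses import dataclass

# Header names the article says the module keys on; matched case-insensitively.
AV_HEADER_MARKERS = {'dpuname', 'x-360-ver'}
# Placeholder domain suffix (assumption): replace with the service domains from the IoC list.
AV_DOMAIN_SUFFIXES = ('av-update.example',)


@dataclass
class HttpRequest:
    flow: str      # '<client ip:port>><server ip:port>', constructed key for the flow
    ts: float      # capture timestamp in seconds
    host: str      # Host header
    headers: dict  # remaining request headers


@dataclass
class TcpSegment:
    flow: str
    ts: float
    from_server: bool
    flags: str     # subset of 'SAFRP' (SYN, ACK, FIN, RST, PSH)
    ttl: int       # IP TTL as seen at the sensor
    payload_len: int


def is_av_traffic(req):
    """True if the request carries one of the marker headers or goes to a listed domain."""
    names = {h.lower() for h in req.headers}
    if names & AV_HEADER_MARKERS:
        return True
    host = req.host.lower()
    return any(host == s or host.endswith('.' + s) for s in AV_DOMAIN_SUFFIXES)


def find_injected_resets(requests, segments, window=1.0, ttl_tolerance=2):
    """Return (flow, host, reasons) for AV flows that got a server-side RST within `window`
    seconds of the request and before any response bytes. If the RST's TTL differs from the
    TTL of the server's SYN/ACK by more than `ttl_tolerance`, that is reported as well: the
    handshake completed before the DPI engine could see HTTP headers, so the SYN/ACK is a
    reference sample of the genuine server's hop distance."""
    by_flow = defaultdict(list)
    for seg in segments:
        by_flow[seg.flow].append(seg)
    for segs in by_flow.values():
        segs.sort(key=lambda s: s.ts)

    findings = []
    for req in requests:
        if not is_av_traffic(req):
            continue
        segs = by_flow.get(req.flow, [])
        handshake_ttl = next((s.ttl for s in segs if s.from_server and 'S' in s.flags), None)
        for seg in segs:
            if not seg.from_server or seg.ts < req.ts:
                continue
            if seg.payload_len > 0:
                break  # a real response arrived; the connection was not torn down
            if 'R' in seg.flags and seg.ts - req.ts <= window:
                reasons = ['server-side RST before any response bytes']
                if handshake_ttl is not None and abs(seg.ttl - handshake_ttl) > ttl_tolerance:
                    reasons.append('RST TTL %d differs from handshake TTL %d'
                                   % (seg.ttl, handshake_ttl))
                findings.append((req.flow, req.host, reasons))
                break
    return findings


# Constructed sample: flow 1 is an AV update check that is reset in-path (TTL 59 vs the
# server's 115); flow 2 is an ordinary request that receives a normal response.
SAMPLE_REQUESTS = [
    HttpRequest('10.0.0.5:51000>203.0.113.10:80', 100.000, 'update.av-update.example',
                {'User-Agent': 'updater', 'x-360-ver': '13.0', 'DPUname': 'desktop'}),
    HttpRequest('10.0.0.5:51001>198.51.100.7:80', 100.100, 'www.example.com',
                {'User-Agent': 'browser'}),
]
SAMPLE_SEGMENTS = [
    TcpSegment('10.0.0.5:51000>203.0.113.10:80', 99.950, True, 'SA', 115, 0),
    TcpSegment('10.0.0.5:51000>203.0.113.10:80', 100.000, False, 'PA', 64, 310),
    TcpSegment('10.0.0.5:51000>203.0.113.10:80', 100.020, True, 'R', 59, 0),
    TcpSegment('10.0.0.5:51001>198.51.100.7:80', 100.050, True, 'SA', 112, 0),
    TcpSegment('10.0.0.5:51001>198.51.100.7:80', 100.100, False, 'PA', 64, 200),
    TcpSegment('10.0.0.5:51001>198.51.100.7:80', 100.180, True, 'PA', 112, 1400),
]


def run_sample():
    return find_injected_resets(SAMPLE_REQUESTS, SAMPLE_SEGMENTS)


if __name__ == '__main__':
    for flow, host, reasons in run_sample():
        print(flow, host, '; '.join(reasons))
```

Run it as-is to see the constructed AV flow reported with both reasons; in practice the request and segment records would be built from a Zeek conn/http log pair or a pcap, and the TTL check is a heuristic that needs the tolerance tuned for paths with route flapping.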