Article Details

DKnife Linux toolkit hijacks router traffic to spy, deliver malware. A newly discovered toolkit called DKnife has been used since 2019 to hijack traffic at the edge-device level and deliver malware in espionage campaigns. The framework serves as a post-compromise framework for traffic monitoring and adversary-in-the-middle (AitM) activities. It is designed to intercept and manipulate traffic destined for endpoints (computers, mobile devices, IoTs) on the network. Researchers at Cisco Talos say that DKnife is an ELF framework with seven Linux-based components designed for deep packet inspection (DPI), traffic manipulation, credential harvesting, and malware delivery. The malware features Simplified Chinese language artifacts in component names and code comments, and explicitly targets Chinese services such as email providers, mobile apps, media domains, and WeChat users. Talos researchers assess with high confidence that the operator of DKnife is a China-nexus threat actor. Researchers couldn't determine how the network equipment is compromised, but found that DKnife delivers and interacts with the ShadowPad and DarkNimbus backdoors, both associated with Chinese threat actors. DKnife consists of seven modules, each responsible for specific activities related to communication with the C2 servers, relaying or altering traffic, and hiding the malicious traffic origin: "Its [DKnife's] key capabilities include serving update C2 for the backdoors, DNS hijacking, hijacking Android application updates and binary downloads, delivering ShadowPad and DarkNimbus backdoors, selectively disrupting security-product traffic and exfiltrating user activity to remote C2 servers," the researchers said in a report this week. Once installed, DKnife uses its yitiji.bin component to create a bridged TAP interface (virtual network device) on the router at the private IP address 10.3.3.3. This allows the threat actor to intercept and rewrite network packets in their transit to the intended host. This way, DKnife can be used to deliver malicious APK files to mobile devices or Windows systems on the network. Cisco researchers observed DKnife dropping the ShadowPad backdoor for Windows signed with a Chinese firm’s certificate. This action was followed by the deployment of the DarkNimbus backdoor. On Android devices, the backdoor is delivered directly by DKnife. On the same infrastructure associated with the DKnife framework activity, the researchers also found that it was hosting the WizardNet backdoor, which ESET researchers previously linked to the Spellbinder AitM framework. Apart from payload delivery, DKnife is also capable of: WeChat activities are tracked more analytically, Cisco Talos says, with DKnife monitoring for voice and video calls, text messages, images sent and received, and articles read on the platform. The user’s activity events are first routed internally between DKnife’s components and then exfiltrated via HTTP POST requests to specific command-and-control (C2) API endpoints. Because DKnife sits on gateway devices and reports events as packets pass through, it allows monitoring user activity and collecting data in real time. As of January 2026, the DKnife C2 servers are still active, the researchers say. Cisco Talos has published the full set of indicators of compromise (IoCs) associated with this activity. The future of IT infrastructure is here Modern IT infrastructure moves faster than manual workflows can handle. In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.