Cybersecurity

Cyber: China-linked Dknife Aitm Framework Targets Routers For Traffic...

2026-02-06 0 views admin
Cyber: China-linked Dknife Aitm Framework Targets Routers For Traffic...

Cybersecurity researchers have taken the wraps off a gateway-monitoring and adversary-in-the-middle (AitM) framework dubbed DKnife that's operated by China-nexus threat actors since at least 2019.

The framework comprises seven Linux-based implants that are designed to perform deep packet inspection, manipulate traffic, and deliver malware via routers and edge devices. Its primary targets seem to be Chinese-speaking users, an assessment based on the presence of credential harvesting phishing pages for Chinese email services, exfiltration modules for popular Chinese mobile applications like WeChat, and code references to Chinese media domains.

"DKnife's attacks target a wide range of devices, including PCs, mobile devices, and Internet of Things (IoT) devices," Cisco Talos researcher Ashley Shen noted in a Thursday report. "It delivers and interacts with the ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android application updates."

The cybersecurity company said it discovered DKnife as part of its ongoing monitoring of another Chinese threat activity cluster codenamed Earth Minotaur that's linked to tools like the MOONSHINE exploit kit and the DarkNimbus (aka DarkNights) backdoor. Interestingly, the backdoor has also been put to use by a third China-aligned advanced persistent threat (APT) group called TheWizards.

An analysis of DKnife's infrastructure has uncovered an IP address hosting WizardNet, a Windows implant deployed by TheWizards via an AitM framework referred to as Spellbinder. Details of the toolkit were documented by ESET in April 2025.

The targeting of Chinese-speaking users, Cisco said, hinges on the discovery of configuration files obtained from a single command-and-control (C2) server, raising the possibility that there could be other servers hosting similar configurations for different regional targeting.

This is significant in light of infrastructural connections between DKnife and WizardNet, as TheWizards is known to target individuals and the gambling sector across Cambodia, Hong Kong, Mainland China, the Philippines, and the United Arab Emirates.

Unlike WizardNet, DKnife is engineered to be run on Linux-based devices. Its modular architecture enables operators to serve a wide range of functions, ranging from packet analysis to traffic manipulation. Delivered by means of an ELF downloader, it contains seven different components -

"DKnife can harvest credentials from a major Chinese email provider and host p

Source: The Hacker News

🏷️ Tags

cybersecuritysecuritymalwareattackthreat

More from Cybersecurity

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

2026-02-24 0
Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

2026-02-24 0
Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

2026-02-24 0
Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

2026-02-24 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views