Cybersecurity researchers have unveiled a sophisticated gateway-monitoring and adversary-in-the-middle (AitM) framework called DKnife, operated by China-nexus threat actors since at least 2019. This advanced toolset represents a significant evolution in router and edge device compromise tactics, combining deep packet inspection, traffic manipulation, and strategic malware deployment capabilities.

Understanding the DKnife Threat

The DKnife framework comprises seven Linux-based implants specifically engineered to compromise routers and edge devices. Cisco Talos researcher Ashley Shen described the framework's comprehensive approach: "DKnife's attacks target a wide range of devices, including PCs, mobile devices, and Internet of Things (IoT) devices. It delivers and interacts with the ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android application updates."

What makes DKnife particularly concerning is its targeting focus. The framework primarily targets Chinese-speaking users, evidenced by credential harvesting phishing pages for Chinese email services, exfiltration modules for popular applications like WeChat, and code references to Chinese media domains. However, the modular nature of the infrastructure suggests that different regional targeting could be achieved through alternative server configurations.

The Discovery and Attribution

Cisco Talos discovered DKnife while monitoring Earth Minotaur, a Chinese threat activity cluster associated with tools like the MOONSHINE exploit kit and the DarkNimbus (DarkNights) backdoor. The investigation revealed infrastructural connections to WizardNet, a Windows implant deployed by TheWizards threat group via their own AitM framework called Spellbinder.

This connection is particularly significant because TheWizards is known to target individuals and the gambling sector across Cambodia, Hong Kong, Mainland China, the Philippines, and the United Arab Emirates. The overlap suggests either collaboration between threat groups or shared infrastructure and tooling.

The Seven Components of DKnife

DKnife's architecture demonstrates sophisticated engineering and operational planning. Unlike WizardNet's Windows focus, DKnife specifically targets Linux-based devices, making it ideal for compromising routers and edge infrastructure. The framework consists of seven distinct modules:

1. dknife.bin - The Core Component: This serves as the central nervous system of the framework, responsible for deep packet inspection, user activity reporting, binary download hijacking, and DNS hijacking. It's the primary engine driving the framework's malicious capabilities.

2. postapi.bin - Data Reporter: This module acts as a relay, receiving traffic from DKnife and forwarding it to remote command-and-control servers, ensuring operators maintain visibility into compromised systems.

3. sslmm.bin - Reverse Proxy: Modified from HAProxy, this component performs TLS termination, email decryption, and URL rerouting. It's particularly dangerous as it can intercept and decrypt supposedly secure communications.

4. mmdown.bin - Updater Module: This connects to hard-coded C2 servers to download Android APKs used in attacks, ensuring the framework maintains access to current malicious payloads.

5. yitiji.bin - Packet Forwarder: This module creates a bridged TAP interface on compromised routers to host and route attacker-injected LAN traffic, effectively giving attackers a foothold within the internal network.

6. remote.bin - P2P VPN Client: This establishes a peer-to-peer communication channel to remote C2 servers, providing resilient and covert command channels.

7. dkupdate.bin - Watchdog: This updater and watchdog module ensures all components remain operational, automatically restarting failed modules to maintain persistence.

Sophisticated Attack Capabilities

DKnife's capabilities extend far beyond simple network monitoring. The framework can harvest credentials from major Chinese email providers by presenting its own TLS certificates, terminating and decrypting POP3/IMAP connections, and extracting usernames and passwords from plaintext streams. These credentials are tagged with 'PASSWORD' markers and relayed to C2 servers.

The core dknife.bin component enables operators to conduct extensive traffic monitoring and active in-line attacks, including:

  • Backdoor Communication: Serving updated C2 information to Android and Windows variants of DarkNimbus malware
  • DNS Hijacking: Conducting Domain Name System hijacking over both IPv4 and IPv6 to facilitate malicious redirects for JD.com-related domains
  • Application Update Hijacking: Intercepting and replacing Android application updates for Chinese news media, video streaming, image editing apps, e-commerce platforms, taxi services, gaming, and adult content apps
  • Binary Replacement: Hijacking Windows and other binary downloads to deliver the ShadowPad backdoor via DLL side-loading, which in turn loads DarkNimbus
  • Security Software Interference: Disrupting communications from antivirus and PC-management products, including 360 Total Security and Tencent services

Real-Time User Surveillance

Perhaps most concerning is DKnife's ability to monitor user activity in real time and categorize it for intelligence gathering. The framework tracks and reports activities across multiple categories:

  • Messaging applications (including voice/video calls, texts, received images, in-app article views on Signal and WeChat)
  • Shopping and e-commerce activities
  • News consumption patterns
  • Map searches and location queries
  • Video streaming behavior
  • Gaming activities
  • Dating app usage
  • Taxi and rideshare requests
  • Email checking patterns

This comprehensive surveillance capability provides threat actors with detailed intelligence about target users' daily lives, interests, and communication patterns.

The Broader Context

The discovery of DKnife highlights the critical vulnerability of routers and edge devices in modern cybersecurity. As Cisco Talos noted: "Routers and edge devices remain prime targets in sophisticated targeted attack campaigns. As threat actors intensify their efforts to compromise this infrastructure, understanding the tools and TTPs they employ is critical."

This threat comes at a time when multiple agencies are warning about edge device vulnerabilities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently ordered federal agencies to remove unsupported edge devices, citing exactly the type of compromise that DKnife represents.

Protection and Mitigation

Organizations should take immediate steps to protect against DKnife and similar threats:

  • Maintain up-to-date firmware on all routers and edge devices
  • Replace end-of-life network equipment that no longer receives security updates
  • Implement network segmentation to limit the impact of edge device compromise
  • Monitor for unusual traffic patterns and DNS queries
  • Use encrypted DNS (DNS-over-HTTPS or DNS-over-TLS) to prevent DNS hijacking
  • Deploy network intrusion detection systems to identify suspicious packet manipulation
  • Regularly audit connected devices and remove unknown or suspicious equipment
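Two of the checks above, monitoring DNS answers and watching for substituted TLS certificates on mail connections, can be automated by comparing what the gateway's plaintext resolver returns against an encrypted reference resolver, and comparing observed mail-server certificate fingerprints against pinned values. The following is an added example written for this article, not code from Cisco Talos or the DKnife report; the domain names, addresses (documentation ranges) and fingerprints are constructed placeholders.

```python
"""Detect signs of on-path DNS and TLS tampering from resolver and certificate comparisons."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ranges a public domain should never resolve to: RFC 1918, loopback, link-local, IPv6 ULA.
LAN_RANGES = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128")]

@dataclass
class DnsObservation:
    name: str
    local_answers: set       # A/AAAA answers from the gateway's plaintext resolver
    reference_answers: set   # answers from an encrypted reference resolver (DoT/DoH)

def _is_lan(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in LAN_RANGES)

def dns_mismatches(observations):
    """Flag names whose plaintext answers include addresses the reference resolver never returned.
    CDNs legitimately vary answers per resolver, so an unexpected public address is only
    'medium'; a public name resolving to a LAN/loopback address is 'high'."""
    findings = []
    for obs in observations:
        rogue = sorted(obs.local_answers - obs.reference_answers)
        if rogue:
            severity = "high" if any(_is_lan(a) for a in rogue) else "medium"
            findings.append((obs.name, rogue, severity))
    return findings

def cert_mismatches(observed, pinned):
    """Return mail hosts whose observed leaf-certificate fingerprint differs from the pinned one."""
    return sorted(h for h, fp in observed.items() if h in pinned and fp != pinned[h])

# Constructed sample data (documentation address ranges, placeholder fingerprints).
SAMPLE_DNS = [
    DnsObservation("cdn.shop.example", {"203.0.113.10"}, {"203.0.113.10", "203.0.113.11"}),
    DnsObservation("update.news-app.example", {"192.168.1.1"}, {"198.51.100.20"}),
    DnsObservation("www.video.example", {"203.0.113.50"}, {"198.51.100.50"}),
]
PINNED_CERTS = {"imap.mail.example": "aa" * 32, "pop3.mail.example": "bb" * 32}
OBSERVED_CERTS = {"imap.mail.example": "aa" * 32, "pop3.mail.example": "cc" * 32}

if __name__ == "__main__":
    for name, rogue, sev in dns_mismatches(SAMPLE_DNS):
        print(f"[{sev}] {name}: unexpected answer(s) {rogue}")
    for host in cert_mismatches(OBSERVED_CERTS, PINNED_CERTS):
        print(f"[high] {host}: certificate fingerprint differs from pinned value")
```

A public hostname answered with a LAN address is the strongest signal here, since an on-router implant that bridges a TAP interface can serve the redirected content from inside the network; a public-but-unexpected address needs correlation with CDN behavior before alerting.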

Conclusion

The DKnife framework represents a sophisticated evolution in network infrastructure attacks. Its modular design, comprehensive surveillance capabilities, and strategic targeting of routers and edge devices make it a formidable threat. The discovery underscores that modern AitM threats are no longer simple interceptors but complex platforms that blend deep packet inspection, traffic manipulation, and customized malware delivery across diverse device ecosystems.

As China-nexus threat actors continue to develop and deploy such frameworks, organizations must prioritize the security of their network infrastructure. The perimeter is only as strong as its weakest edge device, and DKnife demonstrates exactly how sophisticated actors are exploiting this fundamental truth.

Source: The Hacker News - China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery