DKnife: Cisco Talos Exposes China-Nexus Gateway-Monitoring AitM Framework Active Since 2019

Cisco Talos researchers have disclosed a sophisticated adversary-in-the-middle (AitM) framework dubbed “DKnife” that enables China-nexus threat actors to intercept, manipulate, and weaponize network traffic at the gateway level. The framework has been operational since at least 2019, and its command-and-control (C2) infrastructure remains active as of January 2026.

Seven Linux Implants for Deep-Packet Inspection

DKnife comprises seven ELF-based Linux implants designed to run on router and edge devices. These components work together to perform deep-packet inspection, DNS hijacking, traffic manipulation, and malware delivery. The framework’s modular architecture allows operators to conduct campaigns ranging from covert monitoring to active inline attacks that replace legitimate downloads with malicious payloads.

Configuration elements including PPPoE, VLAN tagging, bridged interfaces (br0), and adjustable MTU and MAC parameters indicate that DKnife is tailored specifically for Linux-based firmware on edge networking devices.

Delivering ShadowPad and DarkNimbus Backdoors

The framework serves as a C2 infrastructure for both Android and Windows variants of the ShadowPad and DarkNimbus backdoors. For Windows variants, DKnife inspects UDP traffic and responds to specific markers with C2 server information. For Android variants, the backdoor contacts what appears to be a Baidu URL that DKnife intercepts to inject C2 configuration.

Talos’ discovery validates earlier hypotheses from Trend Micro research that DarkNimbus operated within an AitM environment.

Hijacking Binary Downloads and Android Updates

DKnife intercepts Android application update manifest requests and substitutes them with malicious responses redirecting to attacker-controlled URLs. The framework’s configuration includes 185 JSON files targeting popular Chinese-language applications including news media, video streaming, e-commerce platforms, taxi services, and gaming applications.

The DNS hijacking capabilities support both IPv4 and IPv6 protocols. For configured domains, DKnife injects responses pointing to internal addresses (10.3.3.3) created by the yitiji.bin component, routing victims to malware delivery infrastructure.

Link to WizardNet Campaigns

During infrastructure pivoting, Talos identified a host exhibiting DKnife port activity that also hosted the WizardNet backdoor. WizardNet, first disclosed by ESET in April 2025, is deployed via the Spellbinder framework which performs AitM attacks using IPv6 SLAAC spoofing.

The URL redirection paths and port configurations are identical to those used by DKnife, suggesting a shared development or operational lineage between the two frameworks. ESET’s reporting indicates WizardNet activity has targeted the Philippines, Cambodia, and the United Arab Emirates.

Indicators of Chinese-Speaking Threat Actors

Multiple artifacts confirm the developers and operators are native Simplified Chinese speakers:

  • Configuration files contain extensive Simplified Chinese comments
  • The “yitiji.bin” component name is Pinyin for “一体机” (all-in-one)
  • Activity reports to C2 servers use Simplified Chinese message labels
  • Targeting focuses on Chinese-language services including WeChat

Based on the language artifacts, targeting patterns, and the ShadowPad malware association, Talos assesses with high confidence that China-nexus threat actors operate DKnife.

Defensive Recommendations

Organizations should implement the following measures to defend against gateway-level AitM attacks:

  • Monitor edge devices and routers for unauthorized modifications or suspicious ELF binaries
  • Implement certificate pinning for critical application updates
  • Use encrypted DNS (DoH/DoT) to prevent DNS hijacking
  • Validate firmware integrity on network devices
  • Monitor for unusual traffic patterns indicating AitM activity
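The DNS hijack described above (public domains answered with the internal address 10.3.3.3) leaves a simple footprint in resolver logs: names that should resolve to routable space suddenly resolve to private or ULA addresses, and one such address recurs across many unrelated public names. The following added example, which is not code from the Talos report, implements that check over a constructed log excerpt; the log field order, the `corp.local` allow-listed zone, and all hostnames are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed resolver log (not from the Talos report); the 10.3.3.3 answers mirror
# the internal address the article says DKnife injects for its configured domains.
SAMPLE_DNS_LOG = """\
2026-01-14T09:12:01Z 192.168.1.22 A update.example-news.cn -> 10.3.3.3
2026-01-14T09:12:02Z 192.168.1.22 A www.example.com -> 93.184.216.34
2026-01-14T09:12:05Z 192.168.1.40 AAAA cdn.example-video.cn -> fd00::3
2026-01-14T09:12:07Z 192.168.1.40 A intranet.corp.local -> 10.20.0.5
2026-01-14T09:12:09Z 192.168.1.51 A api.example-shop.cn -> 10.3.3.3
2026-01-14T09:12:11Z 192.168.1.51 A broken.example.org -> not-an-ip
"""

# Assumed field order for the constructed log: timestamp client qtype qname -> answer
LOG_RE = re.compile(r"^(\S+) (\S+) (A|AAAA) (\S+) -> (\S+)$")

# Zones where private answers are legitimate (assumption: tune this list per site)
INTERNAL_ZONES = ("corp.local",)

def is_internal_name(qname, internal_zones=INTERNAL_ZONES):
    """True if qname lies in a zone that is expected to resolve to private space."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in internal_zones)

def is_non_routable(answer):
    """True for RFC 1918 / ULA / loopback / link-local answers; False for unparsable text."""
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local

def find_hijack_candidates(log_text, internal_zones=INTERNAL_ZONES):
    """Return (timestamp, client, qname, answer) for public names answered from private space."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip instead of aborting on a real feed
        ts, client, _qtype, qname, answer = m.groups()
        if not is_internal_name(qname, internal_zones) and is_non_routable(answer):
            hits.append((ts, client, qname, answer))
    return hits

def answers_by_frequency(hits):
    """One private address reused across many public names is the gateway-AitM signature."""
    return Counter(answer for _ts, _client, _qname, answer in hits)
```

On the sample, three answers are flagged and `answers_by_frequency` shows 10.3.3.3 serving two unrelated public names, which is the pattern worth alerting on rather than any single lookup.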

The full technical analysis including indicators of compromise is available in Cisco Talos’ detailed report.
