DKnife: China's Elite Router AitM Framework Exposed After 7 Years

Cisco Talos just pulled back the curtain on DKnife, one of the most sophisticated adversary-in-the-middle (AitM) frameworks we've seen from China-nexus actors in years. Active since at least 2019, this Linux-based toolkit turns compromised routers and edge devices into powerful spying and delivery platforms, primarily aimed at Chinese-speaking users, but with the flexibility to pivot anywhere.

Think of it as a full-featured ISP-in-the-middle attack, but run by state-aligned hackers from inside the network perimeter.

The framework consists of seven tightly integrated ELF binaries that transform an infected router into a surveillance powerhouse:
1. dknife.bin (the brain): deep packet inspection, real-time user activity monitoring (WeChat calls, Signal messages, shopping habits, dating apps, taxi requests, literally everything), binary hijacking, and DNS poisoning.
2. postapi.bin: exfil relay to C2.
3. sslmm.bin: modified HAProxy that performs full TLS termination, decrypts email (POP3/IMAP), and serves fake login pages for major Chinese providers.
4. mmdown.bin: pulls malicious APKs from C2.
5. yitiji.bin: creates a rogue TAP bridge to inject traffic into the LAN.
6. remote.bin: P2P VPN client for stealthy C2 reach-back.
7. dkupdate.bin: watchdog and auto-updater.

What makes DKnife genuinely scary is how precisely it weaponizes everyday traffic:
1. It intercepts legitimate Android app updates (news, video streaming, e-commerce, even porn apps) and silently replaces them with trojanized versions carrying DarkNimbus (aka DarkNights).
2. It hijacks Windows binary downloads and forces ShadowPad via DLL side-loading, which then loads DarkNimbus.
3. It spoofs DNS for JD.com domains and serves updated C2 to already-infected DarkNimbus implants.
4. It actively interferes with Chinese AV products like 360 Total Security and Tencent PC Manager to stay hidden.
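As an added defender-side illustration (not code from the Talos report or from this post), here is a small check that compares a LAN resolver's answers for monitored domains against an expected set obtained out of band, and flags answers that point back into the LAN, which is the shape the DNS spoofing described above would take at the router. The domain name, addresses and log lines are constructed placeholders.

```python
import ipaddress
import re

# Expected A records for monitored domains, fetched out of band (for example
# from an independent DoH resolver reached from outside the LAN).
# CONSTRUCTED placeholder values, not real records.
EXPECTED = {
    "update.jd-example.invalid": {"203.0.113.10", "203.0.113.11"},
}

# RFC 1918 and loopback ranges: a public service should never resolve here.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# dnsmasq-style "reply <name> is <answer>" lines; timestamp is the line prefix.
REPLY_RE = re.compile(r"reply (?P<name>\S+) is (?P<addr>\S+)$")

# Constructed sample log: one clean answer, one unexpected public answer,
# one answer pointing at the router itself, one unmonitored domain, one CNAME.
SAMPLE_LOG = """\
Mar 3 10:01:02 dnsmasq[812]: reply update.jd-example.invalid is 203.0.113.10
Mar 3 10:01:03 dnsmasq[812]: reply update.jd-example.invalid is 198.51.100.7
Mar 3 10:01:04 dnsmasq[812]: reply update.jd-example.invalid is 192.168.1.1
Mar 3 10:01:05 dnsmasq[812]: reply other.example.invalid is 203.0.113.99
Mar 3 10:01:06 dnsmasq[812]: reply update.jd-example.invalid is <CNAME>
"""


def check_replies(lines, expected=EXPECTED):
    """Return (line, name, addr, reason) for answers that deviate from expectations."""
    findings = []
    for line in lines:
        m = REPLY_RE.search(line.strip())
        if not m:
            continue
        name, addr = m.group("name").lower(), m.group("addr")
        if name not in expected:
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # CNAME or other non-address reply; not judged here
        if any(ip in net for net in LAN_NETS):
            findings.append((line, name, addr, "answer points into LAN"))
        elif addr not in expected[name]:
            findings.append((line, name, addr, "answer not in out-of-band set"))
    return findings


if __name__ == "__main__":
    for _, name, addr, reason in check_replies(SAMPLE_LOG.splitlines()):
        print(f"{name} -> {addr}: {reason}")
```

A real deployment would refresh EXPECTED from the out-of-band resolver and run the check continuously, since a router-level AitM can answer differently per client and per query.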

Talos discovered DKnife while tracking Earth Minotaur (the cluster behind MOONSHINE exploit kit and DarkNimbus), but found infrastructure overlap with TheWizards APT, the group behind the Windows-focused WizardNet/Spellbinder AitM framework exposed by ESET in April 2025. Same C2 IP hosting both toolkits. That's not coincidence; it's resource sharing among elite Chinese state contractors.

The heavy focus on Chinese services (WeChat exfil modules, domestic email phishing kits, news/media app hijacks) strongly suggests these particular DKnife instances were deployed inside China or against the Chinese diaspora. But the modular design means operators can swap config files tomorrow and pivot to any region; TheWizards already hits gambling rings across Southeast Asia and the UAE.

In plain terms: if your router is compromised by DKnife, the attackers see everything unencrypted, rewrite your downloads in flight, and own every device on your network before you even know you're infected.

Routers have officially graduated from mere stepping stones to prime, high-value persistence platforms for nation-state actors. Patch them, segment them, monitor them, or better yet, treat them as hostile if they are exposed to the internet.

Source: The Hacker News

© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067