Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework
Essential information
- Published
- 05/02/2026 20:16
- Modified
- 06/02/2026 16:58
- Tags
- 2026-02-05 aitm china-nexus darknimbus dknife dns hijacking gateway-monitoring poisonplug.shadow shadowpad traffic manipulation wizardnet
- Related entities
- 80 observables, 1 intrusion sets (apt), 4 malware, 4 others
Description
Cisco Talos uncovered 'DKnife', a sophisticated gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants. Used since 2019, DKnife performs deep-packet inspection, traffic manipulation, and malware delivery via routers and edge devices. It targets various devices, including PCs, mobile devices, and IoT, delivering ShadowPad and DarkNimbus backdoors. The framework primarily targets Chinese-speaking users, with evidence suggesting China-nexus threat actors as operators. DKnife's capabilities include DNS hijacking, Android application update hijacking, Windows binary hijacking, anti-virus traffic disruption, and user activity monitoring. A link to the WizardNet campaign was also discovered, indicating a shared development or operational lineage.