China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery

Ravie Lakshmanan | Feb 06, 2026 | Malware / IoT Security

Cybersecurity researchers have uncovered a sophisticated gateway-monitoring and adversary-in-the-middle (AitM) framework called DKnife that has been utilized by China-linked threat actors since 2019.

This framework consists of seven Linux-based implants that are designed to conduct deep packet inspection, manipulate traffic, and distribute malware through routers and edge devices. It appears to primarily target Chinese-speaking users, as indicated by the presence of phishing pages for Chinese email services, exfiltration modules for popular Chinese mobile apps like WeChat, and references to Chinese media domains.

“DKnife’s attacks are aimed at a variety of devices, including PCs, mobile devices, and Internet of Things (IoT) devices,” noted Cisco Talos researcher Ashley Shen in a recent report. “It deploys and communicates with the ShadowPad and DarkNimbus backdoors by intercepting binary downloads and Android app updates.”

The cybersecurity firm identified DKnife during its monitoring of a Chinese threat activity cluster known as Earth Minotaur, which is associated with tools like the MOONSHINE exploit kit and the DarkNimbus backdoor. Interestingly, the DarkNimbus backdoor has also been utilized by another China-aligned advanced persistent threat (APT) group known as TheWizards.

An examination of DKnife’s infrastructure revealed an IP address hosting WizardNet, a Windows implant deployed by TheWizards through an AitM framework named Spellbinder. Details of this toolkit were previously disclosed by ESET in April 2025.

The assessment that DKnife focuses on Chinese-speaking users rests on configuration files recovered from a single command-and-control (C2) server, which leaves open the possibility that other servers host similar configurations aimed at different regional targets.

This is significant given the links between DKnife and WizardNet, as TheWizards is known to target individuals and the gambling sector in Cambodia, Hong Kong, mainland China, the Philippines, and the United Arab Emirates.

Functions of the seven DKnife components

Unlike WizardNet, DKnife is specifically designed to operate on Linux-based devices. Its modular structure allows operators to perform various functions, from packet analysis to traffic manipulation. The framework consists of seven components:

  • dknife.bin – Responsible for deep packet inspection, user activity reporting, binary download interception, and DNS manipulation
  • postapi.bin – A data reporting module that relays traffic from DKnife to remote C2
  • sslmm.bin – A modified reverse proxy module that handles TLS termination, email decryption, and URL redirection
  • mmdown.bin – An updater module that downloads APKs from a hardcoded C2 server for the attack
  • yitiji.bin – A packet forwarder module that creates a bridged TAP interface on the router to host and route attacker-injected LAN traffic
  • remote.bin – A peer-to-peer (P2P) VPN client module for communication with remote C2
  • dkupdate.bin – An updater and watchdog module for maintaining the components

“DKnife can extract credentials from a major Chinese email provider and host phishing pages for other services,” according to Talos. “The sslmm.bin component presents its own TLS certificate to clients, decrypts POP3/IMAP connections, and extracts usernames and passwords from the plaintext stream.”

“The extracted credentials are labeled ‘PASSWORD,’ sent to the postapi.bin component, and then relayed to remote C2 servers.”

The central component of the framework is “dknife.bin,” which enables deep packet inspection for activities such as covert monitoring and active attacks that replace legitimate downloads with malicious payloads. This includes:

  • Serving updated C2 to Android and Windows variants of DarkNimbus malware
  • Performing DNS-based hijacking for malicious redirects related to JD.com domains
  • Intercepting and replacing Android app updates for Chinese news, video streaming, and e-commerce platforms
  • Delivering the ShadowPad backdoor via DLL side-loading and loading DarkNimbus
  • Interfering with communications from antivirus and PC-management products
  • Monitoring user activity in real time and reporting it to the C2 server
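A gateway implant that rewrites DNS answers, as dknife.bin is described as doing, can be caught by resolving the same names through a trusted resolver the gateway cannot tamper with (for example over an encrypted channel) and comparing the results. The script below is an added defender-side example, not code from the Talos report or from the DKnife framework; the domain names and addresses in it are constructed sample data, and the LAN-address heuristic (a public hostname resolving to an RFC 1918, loopback or link-local address) is an assumption about what traffic steered to a gateway-hosted service would look like, not a documented DKnife indicator.

```python
"""Detect router-level DNS tampering by comparing a LAN resolver's answers
against answers obtained out-of-band from a trusted resolver.

Two signals are flagged:
  1. the two resolvers disagree about a name, and
  2. a public hostname resolves to a private/loopback/link-local address,
     which can indicate traffic being steered to a gateway-hosted service.

All answers below are constructed sample data for illustration only.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed sample: answers from the router-assigned resolver (which an
# implant on the gateway could rewrite) and from a trusted resolver reached
# over a channel the gateway cannot inspect. 198.51.100.x and 203.0.113.x are
# documentation ranges standing in for ordinary public addresses.
LOCAL_ANSWERS: Dict[str, Set[str]] = {
    "example-shop.test": {"203.0.113.10"},
    "example-news.test": {"198.51.100.5"},
    "example-mail.test": {"192.168.1.1"},
    "example-cdn.test": {"203.0.113.77", "203.0.113.78"},
}
TRUSTED_ANSWERS: Dict[str, Set[str]] = {
    "example-shop.test": {"203.0.113.10"},
    "example-news.test": {"198.51.100.20"},
    "example-mail.test": {"198.51.100.44"},
    "example-cdn.test": {"203.0.113.78", "203.0.113.77"},
}

# Ranges a gateway could plausibly host a service on. Checked explicitly rather
# than via ipaddress.is_global, which also treats the documentation ranges used
# in the sample data as non-global and would flag every answer.
LAN_RANGES = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
        "127.0.0.0/8",                                    # loopback
        "169.254.0.0/16",                                 # link-local
    )
]


def is_lan_address(addr: str) -> bool:
    """True if addr falls in a private, loopback or link-local range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_RANGES)


def find_dns_divergence(
    local: Dict[str, Set[str]], trusted: Dict[str, Set[str]]
) -> List[Tuple[str, str]]:
    """Compare answer sets per name and return sorted (name, reason) findings.

    Answer sets are compared as sets so round-robin ordering differences are
    not reported; a name missing from one side counts as a mismatch.
    """
    findings: List[Tuple[str, str]] = []
    for name in sorted(set(local) | set(trusted)):
        local_set = set(local.get(name, ()))
        trusted_set = set(trusted.get(name, ()))
        if local_set != trusted_set:
            findings.append((name, "answer-mismatch"))
        for addr in sorted(local_set):
            if is_lan_address(addr):
                findings.append((name, f"lan-address:{addr}"))
    return findings


if __name__ == "__main__":
    for name, reason in find_dns_divergence(LOCAL_ANSWERS, TRUSTED_ANSWERS):
        print(f"{name}: {reason}")
```

In practice the two answer dictionaries would be filled from a resolver on the LAN and from a trusted resolver reached over DoH or DoT; a mismatch alone is not proof of tampering (CDNs return location-dependent answers), so the LAN-address signal and repeat observations are what turn a hit into something worth investigating.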

“Routers and edge devices are key targets in sophisticated cyber attacks,” Talos emphasized. “Understanding the tools and tactics used by threat actors is essential as they continue to target this infrastructure. The discovery of the DKnife framework showcases the advanced capabilities of modern AitM threats, combining deep-packet inspection, traffic manipulation, and customized malware delivery across various device types.”