“DKnife,” a sophisticated gateway-monitoring and adversary-in-the-middle (AitM) framework that turns Linux-based routers and edge devices into surveillance tools.
Active since at least 2019, this campaign employs seven distinct Linux implants to inspect network traffic, hijack legitimate software downloads, and deploy advanced malware.
The framework remains active as of January 2026, and its victims span personal computers, mobile phones, and Internet of Things (IoT) devices sitting behind the compromised gateways.
DKnife is not a simple backdoor; it is a comprehensive suite designed for deep packet inspection (DPI) and traffic manipulation. The framework consists of seven components (ELF binaries) that work together to compromise a network.
The core engine, dknife.bin, monitors user activity and identifies specific traffic to intercept. A component named yitiji.bin (from the Chinese term “Yitiji,” meaning “all-in-one machine”) creates a virtual network interface with the address 10.3.3.3 on the infected device.
This effectively builds a fake local network: hijacked traffic can be steered to that local address and answered by the gateway itself, so the attacker-controlled responses are served without alerting the user.
Other components handle data exfiltration (postapi.bin), encrypted tunnel communications (remote.bin), and persistent updates (dkupdate.bin).
Hijacking Updates to Deliver Malware
The primary danger of DKnife is its ability to perform AitM attacks against software updates. When a user on a compromised network attempts to download a legitimate file or update an Android application, DKnife intercepts the request.
The crafted AAAA (IPv6) DNS answer that DKnife returns for an intercepted hostname is not an actual public address. When DKnife subsequently sees traffic addressed to that crafted IPv6 address, it checks the last 8 bytes of the address and rewrites the destination to its local interface address, 10.3.3.3, where the hijacked connection is handled.
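The address-rewriting step described above, as an added example that is not DKnife's code and is not taken from the Talos report: the gateway answers a targeted DNS lookup with a synthetic IPv6 address whose last 8 bytes identify the intercepted host, then steers packets sent to that address to 10.3.3.3. The prefix fd53:4b6e:6966::/64, the hash-derived 8-byte tag and the two target hostnames are assumptions made for the example; the page only states that the last 8 bytes are checked. The last function shows the cheap client-side check this gives a defender: a AAAA answer that is not globally routable should never come back for a public update host.

```python
from __future__ import annotations

import hashlib
import ipaddress

# Assumptions for this example (none of these values come from the Talos report):
# a ULA prefix for the synthetic AAAA answers, a hash-derived 8-byte tag in the
# interface-identifier half of the address, and two constructed target hostnames.
SYNTHETIC_PREFIX = ipaddress.IPv6Network("fd53:4b6e:6966::/64")
LOCAL_SINK = "10.3.3.3"  # the virtual interface address yitiji.bin creates
TARGET_HOSTS = {"update.example-vendor.invalid", "dl.example-app.invalid"}


def host_tag(hostname: str) -> bytes:
    """8-byte tag for a hostname (assumed encoding: the page only says that the
    last 8 bytes of the crafted address are checked)."""
    return hashlib.sha256(hostname.lower().encode()).digest()[:8]


TAG_TABLE = {host_tag(h): h for h in TARGET_HOSTS}


def craft_aaaa(hostname: str) -> str | None:
    """Gateway side, DNS: for a targeted hostname return a synthetic IPv6 address
    whose top 64 bits are the prefix and whose bottom 64 bits are the tag."""
    if hostname.lower() not in TARGET_HOSTS:
        return None  # untargeted lookups are passed through unmodified
    prefix = SYNTHETIC_PREFIX.network_address.packed[:8]
    return str(ipaddress.IPv6Address(prefix + host_tag(hostname)))


def rewrite_destination(dst: str) -> tuple[str, str] | None:
    """Gateway side, forwarding: if a packet is addressed to a synthetic IPv6,
    recover the intercepted hostname from the last 8 bytes and steer the packet
    to the local 10.3.3.3 interface. Returns (new destination, hostname)."""
    addr = ipaddress.IPv6Address(dst)
    if addr not in SYNTHETIC_PREFIX:
        return None
    host = TAG_TABLE.get(addr.packed[-8:])
    if host is None:
        return None
    return LOCAL_SINK, host


def suspicious_aaaa(answer: str) -> bool:
    """Client/defender side: a AAAA answer that is not globally routable (ULA,
    link-local, documentation space, ...) should never come back for a public
    update host. Caveat: an unassigned but global-looking address passes this
    test, so also compare answers against a trusted resolver over DoH/DoT."""
    return not ipaddress.IPv6Address(answer).is_global


if __name__ == "__main__":
    crafted = craft_aaaa("update.example-vendor.invalid")
    print("crafted AAAA:", crafted)
    print("forwarding decision:", rewrite_destination(crafted))
    print("flagged by client check:", suspicious_aaaa(crafted))
```

The client check is deliberately weak on its own: a gateway that hands out an unallocated but global-looking prefix would pass it, which is why the comparison against an independently reached resolver (DoH or DoT to a known server, validated by certificate) is the check that actually matters.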

For Android devices, the framework modifies the “manifest” files used by update services, redirecting the download to the attacker’s server instead of the legitimate vendor.
For Windows users, it uses HTTP redirects to replace harmless binaries with malicious ones. These attacks deliver two primary backdoors:
- ShadowPad: A modular remote access trojan widely used by Chinese espionage groups.
- DarkNimbus: A surveillance tool capable of targeting multiple platforms.
Credentials extracted from intercepted traffic are tagged with “PASSWORD”, forwarded to the postapi.bin component, and ultimately relayed to remote C2 servers.

In one observed case, the hijacked download delivered a package in which the legitimate executable TosBtKbd.exe sideloaded ShadowPad, following the usual pattern of a legitimate program loading a malicious DLL placed beside it.
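The Android manifest rewrite, the Windows HTTP redirect and the TosBtKbd.exe case above all exploit the same weakness: an update client that trusts whatever the network hands it. The checks below are an added example, not code from Talos or from any affected vendor, of how a client can refuse such a swap. The manifest format, the vendor hostname, the two payloads and the documentation address 203.0.113.5 are all constructed for the example; the page does not describe DKnife's real manifest format.

```python
from __future__ import annotations

import hashlib
import json
from urllib.parse import urlsplit

EXPECTED_HOST = "update.example-vendor.invalid"  # assumed vendor host (constructed)

# Constructed payloads standing in for the real and the swapped-in binary.
GOOD_PAYLOAD = b"legitimate update package (constructed sample)"
EVIL_PAYLOAD = b"trojanised package (constructed sample)"
# Known-good hash obtained out of band (e.g. from a signed release note), not from
# the manifest that arrives over the possibly hijacked connection.
PINNED_SHA256 = hashlib.sha256(GOOD_PAYLOAD).hexdigest()

# Constructed manifests: the vendor's original and a tampered copy that points the
# client at an attacker host over plain HTTP (203.0.113.5 is a documentation address).
GOOD_MANIFEST = json.dumps({"version": "2.4.1",
                            "url": f"https://{EXPECTED_HOST}/app-2.4.1.apk",
                            "sha256": PINNED_SHA256})
TAMPERED_MANIFEST = json.dumps({"version": "2.4.1",
                                "url": "http://203.0.113.5/app-2.4.1.apk",
                                "sha256": hashlib.sha256(EVIL_PAYLOAD).hexdigest()})


def audit_manifest(manifest_json: str, expected_host: str, pinned_sha256: str) -> list[str]:
    """Return the reasons a manifest should not be trusted (empty list = clean)."""
    findings = []
    m = json.loads(manifest_json)
    parts = urlsplit(m.get("url", ""))
    if parts.scheme != "https":
        findings.append("download not over https")
    if parts.hostname != expected_host:
        findings.append(f"download host {parts.hostname!r} is not {expected_host!r}")
    # A hash carried inside the manifest is only as trustworthy as the manifest
    # itself, so it is compared against the value pinned out of band.
    if m.get("sha256") != pinned_sha256:
        findings.append("manifest hash does not match pinned hash")
    return findings


def audit_redirects(chain: list[tuple[int, str]], expected_host: str) -> list[str]:
    """Inspect an HTTP redirect chain of (status, Location) pairs for the
    Windows-style hijack: a 3xx hop that moves the download to another host
    or downgrades it to plain http."""
    findings = []
    for status, location in chain:
        if not 300 <= status < 400:
            continue
        parts = urlsplit(location)
        if parts.hostname != expected_host:
            findings.append(f"redirect {status} to foreign host {parts.hostname!r}")
        if parts.scheme == "http":
            findings.append(f"redirect {status} downgrades to http")
    return findings


def verify_payload(payload: bytes, pinned_sha256: str) -> bool:
    """Final gate: never execute a download whose hash differs from the pinned value."""
    return hashlib.sha256(payload).hexdigest() == pinned_sha256


if __name__ == "__main__":
    print("good manifest:", audit_manifest(GOOD_MANIFEST, EXPECTED_HOST, PINNED_SHA256))
    print("tampered manifest:", audit_manifest(TAMPERED_MANIFEST, EXPECTED_HOST, PINNED_SHA256))
    print("redirect chain:", audit_redirects([(302, "http://203.0.113.5/TosBtKbd.exe"), (200, "")],
                                             EXPECTED_HOST))
    print("evil payload accepted:", verify_payload(EVIL_PAYLOAD, PINNED_SHA256))
```

The only check that holds up against a gateway that rewrites every response is the last one, and only because the hash is pinned from somewhere the gateway cannot touch; a hash that arrives in the same manifest the gateway just rewrote proves nothing. The host and scheme checks are cheap early warnings, not a substitute for a signed manifest or signed binaries.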
Targeting Chinese Users
Talos researchers assess with high confidence that DKnife is operated by China-nexus threat actors. The code and configuration files contain multiple Simplified Chinese strings, including the “Yitiji” naming convention.
Furthermore, the framework is explicitly tuned to monitor and exploit Chinese services: it includes specific modules to harvest credentials from Chinese email providers and tracks user activity on popular apps such as WeChat and QQ.
The system creates detailed reports on users’ “internet actions” on these platforms, such as sending files or adding friends.
The investigation revealed a direct infrastructure link between DKnife and “WizardNet,” another malware campaign.
Talos found that a DKnife command-and-control (C2) server (43.132.205[.]118) was also hosting WizardNet, a backdoor previously disclosed by ESET in April 2025.
WizardNet is known to be deployed by “Spellbinder,” a different AitM framework that uses similar techniques to hijack software updates. This overlap suggests that different China-nexus groups may share development resources or operational tooling.