DKnife Linux Toolkit: Advanced China-Nexus Malware Hijacks Routers for Network Traffic Interception and Credential Theft
- Feb 8

Executive Summary
The DKnife Linux toolkit represents a significant escalation in adversary-in-the-middle (AitM) threats targeting network infrastructure. This modular, China-nexus malware framework is engineered to compromise Linux-based routers and edge devices, enabling attackers to intercept, manipulate, and exfiltrate network traffic at the gateway level. By leveraging deep packet inspection, DNS hijacking, credential harvesting, and malicious payload delivery, DKnife facilitates persistent surveillance and secondary infection of endpoints within the compromised network. The toolkit has been observed in active campaigns since at least 2019, with ongoing operations as of early 2026. Its deployment is closely associated with advanced persistent threat (APT) groups utilizing the ShadowPad and DarkNimbus backdoors, and it is part of a broader ecosystem of Chinese APT toolchains. The sophistication and modularity of DKnife make it a critical threat to organizations relying on Linux-based network infrastructure, particularly in sectors and regions of strategic interest to China-nexus actors.
Threat Actor Profile
Attribution of the DKnife toolkit is assessed with high confidence to China-nexus APT groups. The operational infrastructure, code artifacts, and targeting patterns align with previously documented campaigns involving ShadowPad, DarkNimbus, and the WizardNet backdoor. These groups are known for their focus on espionage, supply chain compromise, and long-term access to high-value networks. The actors behind DKnife demonstrate advanced capabilities in network protocol manipulation, cross-platform malware development, and stealthy command-and-control (C2) operations. Their campaigns have primarily targeted Chinese-speaking users and organizations, but infrastructure overlaps and TTPs (tactics, techniques, and procedures) indicate broader regional ambitions, including operations in Southeast Asia and the Middle East. The use of DKnife in conjunction with other modular frameworks such as Spellbinder and WizardNet underscores the threat actors' emphasis on persistence, flexibility, and layered access within target environments.
Technical Analysis of Malware/TTPs
DKnife is a multi-component Linux malware suite comprising at least seven 64-bit ELF binaries, each responsible for a distinct part of the attack lifecycle. The core implant, dknife.bin, functions as the deep packet inspection (DPI) and attack engine, intercepting and manipulating network traffic that traverses the compromised device. It is supported by auxiliary modules: postapi.bin for data exfiltration, sslmm.bin for reverse proxy and phishing operations, mmdown.bin for malicious APK delivery, yitiji.bin for LAN traffic injection via TAP interfaces, remote.bin for P2P VPN-based C2, and dkupdate.bin for persistence and self-updating.
The toolkit achieves persistence by modifying /etc/rc.local and storing its binaries in /dksoft/update/, with unique UUIDs assigned per infected device. DKnife is platform-agnostic within the Linux ecosystem, targeting routers and edge devices running CentOS, RHEL, and similar distributions. The remote.bin component's reliance on libcrypto.so.10 further suggests a focus on CentOS/RHEL-based firmware.
DKnife's AitM capabilities are extensive. It performs deep packet inspection to monitor and manipulate all network traffic, including DNS responses, HTTP/HTTPS sessions, and application-layer protocols. DNS hijacking is used to redirect requests for targeted domains (such as api.m.jd.com) to attacker-controlled infrastructure, enabling the delivery of trojanized Windows executables and Android APKs. The toolkit can intercept and replace legitimate software updates with malicious payloads, facilitating the deployment of ShadowPad, DarkNimbus, and other backdoors onto endpoints within the network.
Credential harvesting is a core function: DKnife extracts email credentials (POP3/IMAP over TLS) as well as credentials for messaging and social media platforms popular with its targets (WeChat, QQ, Signal). The sslmm.bin module acts as a reverse proxy, terminating TLS sessions and hosting phishing pages to capture user credentials in real time. The toolkit also disrupts connections to security products such as 360 Total Security and Tencent antivirus, reducing the likelihood of detection and remediation.
C2 communications are maintained via hardcoded IP addresses and domains, including 47.93.54[.]134:8005 and 43.132.205[.]118:81, as well as a resilient P2P VPN overlay using the N2N protocol. The use of self-signed certificates issued by 四川奇雨网络科技有限公司 (Sichuan Qiyu Network Technology Co., Ltd.) and unique network artifacts (e.g., TAP interface at 10.3.3.3, MAC 1E:17:8E:C6:56:40) further distinguish DKnife infections.
Exploitation in the Wild
DKnife has been actively deployed since at least 2019, with live C2 infrastructure and ongoing campaigns confirmed as of January 2026. The primary targeting focus has been on Chinese-speaking users and organizations, particularly those utilizing Chinese-language services and applications. However, analysis of related infrastructure and malware samples reveals secondary targeting in the Philippines, Cambodia, and the United Arab Emirates, often via the WizardNet and Spellbinder frameworks.
The exploitation lifecycle typically begins with the compromise of a Linux-based router or edge device via exploitation of public-facing services (MITRE ATT&CK T1190), credential reuse (T1078), or supply chain compromise. Once installed, DKnife establishes persistence and begins intercepting network traffic, enabling the attackers to conduct credential harvesting, malware delivery, and real-time surveillance. The toolkit's ability to hijack software updates and application downloads allows rapid lateral movement and secondary infection of Windows and Android endpoints within the compromised network.
Incident reports from Cisco Talos, ESET, and other public sources document the use of DKnife in conjunction with ShadowPad and DarkNimbus payloads, as well as the deployment of phishing pages targeting popular Chinese services. The modularity and stealth of DKnife have enabled it to evade detection for extended periods, with some infections persisting for years before discovery.
Victimology and Targeting
The primary victims of DKnife campaigns are organizations and individuals in China and the broader Chinese-speaking world, particularly those in telecommunications, government, and critical infrastructure sectors. The toolkit's focus on intercepting traffic to Chinese-language services (WeChat, QQ, JD.com, etc.) and harvesting credentials for these platforms underscores its alignment with China-nexus espionage objectives.
Secondary targeting has been observed in Southeast Asia and the Middle East, with infrastructure overlaps and shared TTPs linking DKnife to campaigns in the Philippines, Cambodia, and the UAE. The generic and modular nature of the toolkit allows it to infect a wide range of Linux-based routers and edge devices, making it a threat to any organization relying on such infrastructure, regardless of geographic location.
Indirect victims include Windows and Android endpoints on the same network as a compromised router, as DKnife is capable of hijacking legitimate software updates and application downloads to deliver secondary malware payloads.
Mitigation and Countermeasures
Mitigating the threat posed by DKnife requires a multi-layered approach focused on both network infrastructure and endpoint security. Organizations should deploy network intrusion detection and prevention systems (IDS/IPS) with up-to-date signatures for DKnife, ShadowPad, DarkNimbus, and related malware. Regular verification of router and edge device firmware integrity is essential, as is the use of secure, authenticated update channels for all network devices.
Strict TLS certificate validation, including certificate pinning where feasible, should be enforced on endpoints to prevent adversary-in-the-middle attacks. Network segmentation can limit the lateral movement of attackers and reduce the impact of a compromised edge device. Organizations should monitor for connections to known C2 infrastructure, including the IPs and domains listed in public IOC repositories, and block these at the network perimeter.
Administrators are advised to review device startup scripts (such as /etc/rc.local) and file system locations (/dksoft/update/) for unauthorized modifications or the presence of suspicious binaries. Any detection of the unique TAP interface (10.3.3.3, MAC 1E:17:8E:C6:56:40) or self-signed certificates from 四川奇雨网络科技有限公司 should be treated as a high-confidence indicator of compromise.
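The following triage script, added here as an example and not code from the original write-up or from Rescana or Talos, checks a device for the host and network artifacts named above and in the Technical Analysis section: the /dksoft/update/ directory, /etc/rc.local persistence, the TAP interface at 10.3.3.3 with the hard-coded MAC, live sessions to the two C2 endpoints, and certificates naming the operator organization. It assumes `ip`, `ss` and `openssl` are available on the device; each check reads its input from stdin, so the same logic can be run on live command output or on a capture pulled from a suspect router.

```shell
#!/bin/bash
# Added triage helper (not part of the original write-up). Each check_*
# function reads the text to inspect from stdin and returns 0 when one of the
# DKnife artifacts listed in the article is present.

# Indicators taken from the write-up (MAC is compared case-insensitively).
DKNIFE_DIR='/dksoft/'
DKNIFE_TAP_IP='10\.3\.3\.3'
DKNIFE_TAP_MAC='1e:17:8e:c6:56:40'
DKNIFE_C2='47\.93\.54\.134:8005|43\.132\.205\.118:81'

# Persistence: /etc/rc.local launching anything under /dksoft/ (comments ignored).
check_rc_local() {
    grep -Ev '^[[:space:]]*#' | grep -Fq "$DKNIFE_DIR"
}

# Network artifact: the TAP interface at 10.3.3.3 / 1E:17:8E:C6:56:40.
# Input: output of `ip -o addr` and/or `ip -o link`.
check_tap_iface() {
    grep -Eiq "inet ${DKNIFE_TAP_IP}/|link/ether ${DKNIFE_TAP_MAC}"
}

# Active sessions to the hard-coded C2 endpoints. Input: output of `ss -ntp`.
check_c2_sessions() {
    grep -Eq "[[:space:]](${DKNIFE_C2})([[:space:]]|$)"
}

# Certificate subject or issuer naming the operator's self-signed CA.
# Input: output of `openssl x509 -in <cert> -noout -subject -issuer`.
check_cert_org() {
    grep -Fq -e '四川奇雨网络科技有限公司' -e 'Sichuan Qiyu Network Technology'
}

# Live run against the local host; prints findings and returns 0 only when
# no indicator was seen.
dknife_triage() {
    local hits=0
    [ -d "${DKNIFE_DIR}update" ] && { echo "FOUND: ${DKNIFE_DIR}update/ exists"; hits=$((hits + 1)); }
    [ -r /etc/rc.local ] && check_rc_local < /etc/rc.local \
        && { echo "FOUND: /etc/rc.local references ${DKNIFE_DIR}"; hits=$((hits + 1)); }
    { ip -o addr; ip -o link; } 2>/dev/null | check_tap_iface \
        && { echo "FOUND: DKnife TAP interface (10.3.3.3)"; hits=$((hits + 1)); }
    ss -ntp 2>/dev/null | check_c2_sessions \
        && { echo "FOUND: session to known DKnife C2"; hits=$((hits + 1)); }
    echo "$hits DKnife indicator(s) found"
    [ "$hits" -eq 0 ]
}
# Run the live triage only when invoked directly with --run.
if [ "${1:-}" = "--run" ]; then dknife_triage; fi
```

Certificates served by the device can be fed to check_cert_org one at a time (for example from `openssl s_client` output), and a non-zero exit from `dknife_triage --run` is a cue to image the device rather than clean it in place.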
Finally, organizations should ensure that all credentials potentially exposed via DKnife (email, messaging, VPN, etc.) are rotated and that multi-factor authentication is enforced wherever possible.
References
BleepingComputer: DKnife Linux toolkit hijacks router traffic to spy, deliver malware
Cisco Talos IOCs GitHub: https://github.com/Cisco-Talos/IOCs
About Rescana
Rescana delivers advanced third-party risk management (TPRM) solutions, empowering organizations to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. Our platform leverages real-time threat intelligence, automated risk scoring, and actionable insights to help security teams stay ahead of emerging threats and ensure the resilience of their critical infrastructure. For questions or further information, we are happy to assist at ops@rescana.com.