Researchers at Cisco Talos uncovered DKnife, an ELF-based post-compromise toolkit used since 2019 to hijack edge devices and perform deep packet inspection, traffic manipulation, and targeted malware delivery. The framework's seven Linux components enable DNS and update hijacking, credential harvesting, and delivery of backdoors such as ShadowPad and DarkNimbus; Talos attributes the activity to a China-nexus threat actor.
Key points
- DKnife is an ELF framework with seven Linux components for DPI, traffic manipulation, credential harvesting, and malware delivery.
- The toolkit creates a bridged TAP interface on compromised routers, addressed 10.3.3.3, to intercept and rewrite packets destined for endpoints behind the device.
- Core modules include dknife.bin (inspection), sslmm.bin (HAProxy-derived reverse proxy), yitiji.bin (virtual TAP), remote.bin (n2n VPN), mmdown.bin (Android downloader), postapi.bin, and dkupdate.bin.
- Researchers observed DKnife delivering ShadowPad and DarkNimbus backdoors and found WizardNet hosted on the same infrastructure.
- Capabilities include DNS and app-update hijacking, POP3/IMAP credential theft, phishing hosting, anti-virus traffic disruption, and detailed monitoring of WeChat and other user activity.
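The bridged TAP interface is the one host-side footprint the summary gives a defender to look for on a suspect router. The script below is an added example, not Talos or DKnife code: it parses the one-line output of `ip -o -d link show` and `ip -o -4 addr show` (standard iproute2 formats; the `-d` flag is what exposes the `tun type tap` detail) and reports any TAP interface enslaved to a bridge, plus any interface carrying the 10.3.3.3 address named in the report. The interface listings embedded in it are constructed samples of what a router with such a bridged TAP would show; `scan_live_host()` runs the same two commands on a real Linux host.

```python
#!/usr/bin/env python3
"""Hunt for the host-side footprint the Talos summary describes for DKnife on a
Linux router: a TAP interface enslaved to a bridge, addressed 10.3.3.3.

Added example, not Talos or DKnife code. Assumes standard iproute2 one-line
output from `ip -o -d link show` and `ip -o -4 addr show`."""
import re
import subprocess

# Address taken from the Talos report; extend with your own indicators.
IOC_ADDRS = {"10.3.3.3"}

# Constructed sample of `ip -o -d link show` from a router with a bridged TAP.
SAMPLE_LINKS = r"""1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff promiscuity 1 \    bridge_slave state forwarding
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff promiscuity 0 \    bridge forward_delay 1500
4: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UNKNOWN mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:02 brd ff:ff:ff:ff:ff:ff promiscuity 1 \    tun type tap pi off vnet_hdr on persist on \    bridge_slave state forwarding
"""

# Constructed sample of `ip -o -4 addr show` for the same host.
SAMPLE_ADDRS = r"""1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
3: br0    inet 192.168.1.1/24 brd 192.168.1.255 scope global br0\       valid_lft forever preferred_lft forever
4: tap0    inet 10.3.3.3/24 brd 10.3.3.255 scope global tap0\       valid_lft forever preferred_lft forever
"""

# "N: name[@parent]: <FLAGS> rest" and "N: name    inet A.B.C.D/len"
LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s+<[^>]*>(.*)$")
ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+)/\d+")


def parse_links(text):
    """Map interface name -> {'tap': bool, 'master': bridge name or None}."""
    links = {}
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if not m:
            continue
        name, rest = m.group(1), m.group(2)
        master = re.search(r"\bmaster (\S+)", rest)
        links[name] = {
            "tap": "tun type tap" in rest,  # detail only printed with `ip -d`
            "master": master.group(1) if master else None,
        }
    return links


def parse_addrs(text):
    """Map interface name -> list of IPv4 addresses configured on it."""
    addrs = {}
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            addrs.setdefault(m.group(1), []).append(m.group(2))
    return addrs


def find_suspicious(link_text, addr_text, ioc_addrs=IOC_ADDRS):
    """Return findings: TAP interfaces enslaved to a bridge, and any
    interface carrying an indicator address."""
    links, addrs = parse_links(link_text), parse_addrs(addr_text)
    findings = []
    for name, info in links.items():
        if info["tap"] and info["master"]:
            findings.append({"iface": name, "reason": "bridged_tap",
                             "detail": f"TAP enslaved to bridge {info['master']}"})
    for name, ips in addrs.items():
        for ip in ips:
            if ip in ioc_addrs:
                findings.append({"iface": name, "reason": "ioc_address", "detail": ip})
    return findings


def scan_live_host():
    """Collect the same two views from the running Linux host and evaluate them."""
    links = subprocess.run(["ip", "-o", "-d", "link", "show"],
                           capture_output=True, text=True, check=True).stdout
    addrs = subprocess.run(["ip", "-o", "-4", "addr", "show"],
                           capture_output=True, text=True, check=True).stdout
    return find_suspicious(links, addrs)


if __name__ == "__main__":
    # Demonstrate on the constructed samples; swap in scan_live_host() on a real router.
    for f in find_suspicious(SAMPLE_LINKS, SAMPLE_ADDRS):
        print(f"[{f['reason']}] {f['iface']}: {f['detail']}")
```

A bridged TAP is not malicious by itself (virtualisation and VPN software create them legitimately), so the check is a triage signal: a hit on an edge router that should have no such interface is what warrants pulling the binaries behind it.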