China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery

Researchers uncovered DKnife, a Linux-based gateway-monitoring and adversary-in-the-middle framework used by China-nexus actors since at least 2019 to perform deep packet inspection, manipulate traffic, and deliver malware via compromised routers and edge devices. The modular toolkit hijacks binary and Android update downloads to deploy backdoors like ShadowPad and DarkNimbus and harvests credentials from Chinese email services and mobile apps. #DKnife #DarkNimbus

Key points

  • DKnife is a modular Linux-based AitM framework with seven components for DPI, traffic manipulation, and malware delivery.
  • The toolkit focuses on Chinese-speaking users, harvesting credentials and intercepting updates for services like WeChat and major Chinese email providers.
  • Operators use DKnife to hijack Android app updates and Windows binaries, delivering ShadowPad and DarkNimbus via DLL side-loading and APK drops.
  • Key components include sslmm.bin for TLS termination and credential extraction, dknife.bin for deep packet inspection and hijacking, and postapi.bin for reporting to C2.
  • Infrastructure overlaps link DKnife to Earth Minotaur and WizardNet/TheWizards, highlighting the threat to routers and edge devices across the region.
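The update-hijacking step above only works against clients that install whatever bytes arrive on the wire. The following Python script is an added illustration (not code from the article or from the researchers) of the client-side mitigation: the expected digest of the update is pinned from a manifest obtained over an independent, authenticated channel, and the download is rejected when its size or SHA-256 does not match. The artifact bytes, the substituted payload and the manifest are all constructed for the demonstration; `fetch_update` stands in for the real download and simply returns the swapped body when an in-path device is assumed to be tampering.

```python
"""Added defensive example: an update client that refuses to install an
artifact unless its SHA-256 matches a value pinned out of band.

Context: an AitM gateway can swap the body of a binary or APK download in
transit. A client that pins the expected digest detects the substitution.
All artifacts and digests below are constructed for the demonstration."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed "genuine" update and the payload an in-path device swaps in.
# Both are the same length so that a size check alone would not catch it.
GENUINE_UPDATE = b"MZ\x90\x00" + b"legit-updater-v2.1" * 64
SUBSTITUTED_UPDATE = b"MZ\x90\x00" + b"side-loaded-loader" * 64

# Pinned manifest, assumed to come over an independent, authenticated channel
# (shipped with the previous release or verified by signature), never over the
# same connection that delivers the artifact.
PINNED_MANIFEST = json.dumps({
    "name": "updater.exe",
    "size": len(GENUINE_UPDATE),
    "sha256": hashlib.sha256(GENUINE_UPDATE).hexdigest(),
})


@dataclass
class VerifyResult:
    ok: bool
    reason: str


def sha256_chunked(data: bytes, chunk: int = 4096) -> str:
    """Hash in fixed-size chunks so a real download can be streamed to disk."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk):
        h.update(data[i:i + chunk])
    return h.hexdigest()


def verify_update(artifact: bytes, manifest_json: str) -> VerifyResult:
    """Accept the artifact only if size and digest match the pinned manifest."""
    manifest = json.loads(manifest_json)
    if len(artifact) != manifest["size"]:
        return VerifyResult(
            False, f"size mismatch: got {len(artifact)}, expected {manifest['size']}")
    digest = sha256_chunked(artifact)
    # Constant-time comparison; the digest is public, but the habit is cheap.
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return VerifyResult(False, "sha256 mismatch: artifact was altered in transit")
    return VerifyResult(True, "digest matches pinned manifest")


def fetch_update(hijacked: bool) -> bytes:
    """Stand-in for the network download; an AitM gateway swaps the body."""
    return SUBSTITUTED_UPDATE if hijacked else GENUINE_UPDATE


def install_if_verified(hijacked: bool) -> VerifyResult:
    """Download, verify against the pinned manifest, and report the decision."""
    return verify_update(fetch_update(hijacked), PINNED_MANIFEST)


if __name__ == "__main__":
    for hijacked in (False, True):
        r = install_if_verified(hijacked)
        print(f"hijacked={hijacked}: ok={r.ok} ({r.reason})")
```

The check is only as strong as the channel the manifest arrives on: a manifest fetched over the same hijacked connection can be rewritten alongside the artifact, so in practice the manifest is signed with a key already present on the client, or the artifact itself carries a signature (Authenticode for Windows binaries, APK signing for Android) that the installer verifies before execution.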

Read More: https://thehackernews.com/2026/02/china-linked-dknife-aitm-framework.html