securityaffairs.com 2/8/2026, 10:40:33 AM

DKnife toolkit abuses routers to spy and deliver malware since 2019

DKnife is a Linux toolkit used since 2019 to hijack router traffic and deliver malware in targeted cyber-espionage campaigns, according to Cisco Talos. It functions as a gateway-monitoring and adversary-in-the-middle framework comprising seven Linux-based implants that perform deep-packet inspection, manipulate traffic, and install the ShadowPad and DarkNimbus backdoors on PCs, phones and IoT devices.

The toolkit hijacks software downloads and Android app updates, intercepts Windows and other binaries, and redirects them to malicious installers that covertly connect back to the attackers’ command servers. It also tampers with security software, detecting products like 360 Total Security and Tencent services and disrupting their traffic to reduce protection.

Talos notes that artefacts link DKnife to China-nexus threat actors, with activity observed as recently as January 2026, and that the framework is closely related to WizardNet campaigns through shared infrastructure.

Article by CyberSIXT