"The All-in-One Spy: DKnife Malware Hijacks Routers to Swap Downloads", reported on 9 February 2026, describes a sophisticated adversary-in-the-middle (AitM) framework that, according to Cisco Talos, has been active since 2019 and remains a threat today. It targets routers and edge devices, turning compromised gateways into checkpoints that can inspect and manipulate traffic before it reaches victims' devices.
The framework is composed of seven Linux-based implants, including yitiji[.]bin, which creates a bridged network interface to secretly route attacker traffic. DKnife can hijack Android updates and spoof Windows download attempts by swapping legitimate updates or installers with malicious ones, while also blocking traffic from certain security tools.
The operation is linked to China-nexus threat actors and is designed to harvest credentials for Chinese mail services and exfiltrate data from apps such as WeChat and QQ. It delivers and interacts with ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android updates, and it often intercepts DNS requests directed at 1.1.1[.]1 to ensure the backdoors can phone home.