DKNIFE is a gateway-monitoring and adversary-in-the-middle framework used by a China-linked threat actor, active since at least 2019, to deliver and interact with backdoors on desktop, mobile, and IoT devices of Chinese users. The framework comprises seven Linux-based implants designed for deep packet inspection, traffic manipulation, and malware delivery, and it targets Chinese-speaking users with backdoors such as ShadowPad and DarkNimbus.
DarkNimbus, also known as DarkNights, is supplied by the Chinese firm UPSEC, which has been linked to TheWizards and the Spellbinder AitM framework; Talos notes overlaps between DKnife and Spellbinder TTPs. According to Cisco, there are indications of a shared development or operational lineage, with WizardNet backdoors distributed by DKnife.
DKnife can monitor and manipulate network traffic, update backdoors, hijack DNS and Android app updates, exfiltrate user activity, intercept Windows binaries, deploy ShadowPad and DarkNimbus, and even steal credentials from a major Chinese email provider by hijacking encrypted connections; it also serves phishing pages.
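Because DKnife operates on the gateway, the DNS answers a client receives are the first thing a defender can cross-check: answers rewritten on-path will differ from those obtained over a separately verified channel, and often point into private address space where the hijacking device sits. The script below is an added example written for this page, not code from Talos, Cisco or the threat actor's tooling; the hostnames, addresses and log format are constructed for illustration and are not indicators from the report.

```python
import ipaddress
from typing import Dict, Set

# Address ranges an on-path device commonly redirects traffic into when it
# rewrites answers to point at itself or at a host it controls on the LAN.
_NON_PUBLIC_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
)]

# Constructed sample records (hypothetical names and addresses, not real IoCs).
# Each line is "<name> A <address>", one line per answer returned.
# GATEWAY_LOG: answers seen from the gateway's resolver on the local network.
GATEWAY_LOG = """\
update.example-app.test A 203.0.113.7
mail.example-provider.test A 198.51.100.20
cdn.example.test A 192.0.2.10
cdn.example.test A 192.0.2.11
login.example-provider.test A 192.168.1.1
"""
# OUT_OF_BAND_LOG: answers for the same names obtained out-of-band, e.g. over
# DNS-over-HTTPS to a resolver the gateway cannot tamper with.
OUT_OF_BAND_LOG = """\
update.example-app.test A 198.51.100.5
mail.example-provider.test A 198.51.100.20
cdn.example.test A 192.0.2.10
cdn.example.test A 192.0.2.11
login.example-provider.test A 198.51.100.21
"""


def parse_answers(log: str) -> Dict[str, Set[str]]:
    """Group A-record answers by name; blank or non-A lines are ignored."""
    answers: Dict[str, Set[str]] = {}
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != "A":
            continue
        answers.setdefault(parts[0], set()).add(parts[2])
    return answers


def is_suspicious_address(addr: str) -> bool:
    """True if a supposedly public hostname resolves into a non-public range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _NON_PUBLIC_RANGES)


def find_divergent_answers(local: Dict[str, Set[str]],
                           reference: Dict[str, Set[str]]) -> Dict[str, dict]:
    """Return names whose local answers differ from the reference set or
    land in a non-public range, with the reasons for each finding."""
    findings: Dict[str, dict] = {}
    for name, local_set in local.items():
        ref_set = reference.get(name)
        reasons = []
        if ref_set is not None and local_set != ref_set:
            reasons.append("answer differs from out-of-band resolver")
        bad = sorted(a for a in local_set if is_suspicious_address(a))
        if bad:
            reasons.append("non-public address(es): " + ", ".join(bad))
        if reasons:
            findings[name] = {
                "local": sorted(local_set),
                "reference": sorted(ref_set) if ref_set else None,
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    report = find_divergent_answers(parse_answers(GATEWAY_LOG),
                                    parse_answers(OUT_OF_BAND_LOG))
    for name, detail in report.items():
        print(name, detail["local"], "vs", detail["reference"], "->",
              "; ".join(detail["reasons"]))
```

Run against the constructed data, the update host and the login host are flagged (the latter both for diverging and for resolving to a LAN address), while the mail and CDN names are clean. In practice the out-of-band set should come from a resolver reached over a channel the gateway cannot rewrite, and the same divergence check applies to the update and download hostnames the text says DKnife intercepts.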