thehackernews.com 2/6/2026, 3:10:52 PM

China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery

According to Cisco Talos, China-nexus threat actors have operated a gateway-monitoring and adversary-in-the-middle framework called DKnife since at least 2019, with seven Linux-based implants designed for deep packet inspection, traffic manipulation and malware delivery to routers and edge devices. The framework targets a wide range of devices, including PCs, mobile devices and IoT, and is able to hijack updates and deliver backdoors such as ShadowPad and DarkNimbus by intercepting downloads and manifest requests.
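As an added illustration (not code from the article or from Talos), the following stdlib-only Python model shows why the update hijack described above works against a client that trusts an unauthenticated manifest, and why a client that verifies the manifest's signature before trusting the hash inside it rejects the swapped payload. The vendor key, update bytes and gateway behaviour are constructed assumptions, and HMAC stands in for the vendor's real asymmetric signature.

```python
import hashlib
import hmac
import json

# Constructed sample data; HMAC stands in for the vendor's asymmetric signature.
VENDOR_KEY = b"vendor-signing-key-example"
GENUINE_UPDATE = b"genuine firmware v2.1"
BACKDOORED_UPDATE = b"firmware v2.1 plus implant"

def build_manifest(blob, version):
    return {"version": version, "sha256": hashlib.sha256(blob).hexdigest()}

def sign_manifest(manifest, key):
    # Vendor side: canonical serialisation, then a signature over the bytes.
    body = json.dumps(manifest, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()

def naive_update(manifest_body, blob):
    # Trusts the manifest the gateway hands it: the hash proves only self-consistency.
    manifest = json.loads(manifest_body)
    if hashlib.sha256(blob).hexdigest() != manifest["sha256"]:
        raise ValueError("payload hash mismatch")
    return blob

def verified_update(manifest_body, sig, blob, key=VENDOR_KEY):
    # Authenticates the manifest before trusting anything inside it.
    expected = hmac.new(key, manifest_body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("manifest signature invalid: possible AitM")
    manifest = json.loads(manifest_body)
    if hashlib.sha256(blob).hexdigest() != manifest["sha256"]:
        raise ValueError("payload does not match signed manifest")
    return blob

def aitm_gateway(manifest_body, sig, blob):
    # Constructed model of the gateway-level tampering the article describes:
    # manifest and download are swapped consistently, but cannot be re-signed.
    forged = json.dumps(build_manifest(BACKDOORED_UPDATE, "2.1"), sort_keys=True).encode()
    return forged, sig, BACKDOORED_UPDATE

def run_scenario(key=VENDOR_KEY):
    body, sig = sign_manifest(build_manifest(GENUINE_UPDATE, "2.1"), key)
    t_body, t_sig, t_blob = aitm_gateway(body, sig, GENUINE_UPDATE)
    result = {"naive": naive_update(t_body, t_blob)}
    try:
        verified_update(t_body, t_sig, t_blob, key)
        result["verified"] = "installed"
    except ValueError as err:
        result["verified"] = str(err)
    result["genuine"] = verified_update(body, sig, GENUINE_UPDATE, key)
    return result
```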

DKnife’s modular components include dknife[.]bin for core deep packet inspection and traffic hijacking, postapi[.]bin for relaying traffic to the C2, sslmm[.]bin, a TLS-terminating proxy, and several updater and forwarding modules such as mmdown[.]bin, yitiji[.]bin, remote[.]bin and dkupdate[.]bin.

Talos notes that DKnife can harvest credentials from a major Chinese email provider and host phishing pages, with its activities linked to the Earth Minotaur cluster and related tools such as MOONSHINE and DarkNimbus; the same backdoor has also been used by TheWizards. The researchers also found WizardNet, a Windows implant tied to TheWizards, in connection with DKnife infrastructure, underscoring the focus on Chinese-speaking targets and on traffic manipulation across routers and edge devices.


Article by CyberSIXT