Cybersecurity researchers have uncovered DKnife, a sophisticated gateway-monitoring and adversary-in-the-middle (AitM) framework used by Chinese threat actors since 2019 to target edge devices. The toolkit specializes in deep packet inspection and traffic manipulation to deliver malware, primarily targeting Chinese-speaking users through localized phishing and application hijacking.
Researchers have identified DKnife as a collection of seven Linux-based implants engineered to infiltrate routers and other network gateways. By positioning itself at the network edge, the framework can inspect data through deep packet inspection and modify traffic in real time. This capability allows the actors to deliver malicious payloads to a variety of devices, including personal computers, mobile phones, and Internet of Things hardware, by hijacking legitimate binary downloads and software updates.
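The hijacking technique described above rewrites a download while it passes through the gateway, so the defence is to bind the artifact to an expected value the on-path implant cannot also rewrite. The following is an added illustration, not code from the DKnife report or from Cisco Talos: an update client that checks a downloaded image against a release manifest (size and SHA-256) obtained through a separate trusted channel, and rejects an in-transit rewrite of the same length as well as a truncated transfer. All names, the manifest format, and the sample bytes are constructed for the example.

```python
"""Defender-side integrity check for downloaded software updates.

Added illustration, not code from the DKnife report: a gateway AitM implant
that rewrites a binary in transit cannot also rewrite a digest the client
obtained out of band (a pinned release manifest), so the tampered payload
fails verification. Every value below is constructed for the example.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class ReleaseManifest:
    """Expected properties of one update artifact, fetched via a trusted channel
    (hypothetical format; a production client would use a signed manifest)."""
    name: str
    version: str
    size: int
    sha256_hex: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_update(manifest: ReleaseManifest, payload: bytes) -> tuple[bool, str]:
    """Return (accepted, reason).

    The size check is a cheap early reject for truncated or padded transfers;
    the digest comparison uses a constant-time compare so the check itself
    does not leak how many leading digest characters matched.
    """
    if len(manifest.sha256_hex) != 64:
        return False, "manifest digest is not a SHA-256 hex string"
    if len(payload) != manifest.size:
        return False, f"size mismatch: expected {manifest.size}, got {len(payload)}"
    actual = sha256_hex(payload)
    if not hmac.compare_digest(actual, manifest.sha256_hex.lower()):
        return False, "digest mismatch: payload altered in transit or at the origin"
    return True, "ok"


# --- constructed sample data (not real artifacts) ----------------------------
GENUINE_UPDATE = b"\x7fELF constructed genuine update image example-app v2.3.1"
MANIFEST = ReleaseManifest(
    name="example-app",
    version="2.3.1",
    size=len(GENUINE_UPDATE),
    sha256_hex=sha256_hex(GENUINE_UPDATE),
)


def simulate_inline_rewrite(payload: bytes) -> bytes:
    """Model the effect the report attributes to a gateway AitM: the image keeps
    its length but its leading bytes are replaced. Constructed stand-in only."""
    marker = b"REWRITTEN"
    return marker + payload[len(marker):]


def run_demo() -> dict:
    """Verify a genuine, a rewritten and a truncated copy; return the verdicts."""
    results = {
        "genuine": verify_update(MANIFEST, GENUINE_UPDATE),
        "rewritten": verify_update(MANIFEST, simulate_inline_rewrite(GENUINE_UPDATE)),
        "truncated": verify_update(MANIFEST, GENUINE_UPDATE[:-1]),
    }
    for label, (ok, reason) in results.items():
        print(f"{label:10s} -> {'ACCEPT' if ok else 'REJECT'}: {reason}")
    return results


if __name__ == "__main__":
    run_demo()
```

The manifest here is a bare pinned hash for clarity; in practice the same check is carried by a manifest signed with a key the client ships with, so that neither the artifact nor the manifest can be replaced by whoever controls the gateway.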
The primary objective of the DKnife operations appears to be the surveillance and exploitation of Chinese-language users and platforms. Evidence for this regional focus includes the use of credential harvesting pages specifically designed for Chinese email providers and exfiltration modules tailored for mobile apps like WeChat. Furthermore, the underlying code contains numerous references to Chinese media domains, suggesting a highly specialized campaign aimed at domestic or regional targets.
Cisco Talos linked DKnife to a broader ecosystem of Chinese cyber activity, specifically connecting it to a cluster known as Earth Minotaur. The framework facilitates the deployment of secondary backdoors such as ShadowPad and DarkNimbus by intercepting Android application updates and other file transfers. This discovery highlights how Chinese state-aligned actors share resources, as the DarkNimbus backdoor has also been observed in campaigns managed by a separate group known as TheWizards.
The investigation into DKnife's infrastructure revealed significant overlaps with other established threat toolkits, most notably a Windows implant called WizardNet. Analysts discovered shared IP addresses between DKnife and the infrastructure used by TheWizards to deploy malware via their own adversary-in-the-middle framework. These connections suggest a collaborative or centralized resource pool among different Chinese advanced persistent threat groups operating in the region.
While current findings emphasize the targeting of Chinese speakers based on configurations from a single command-and-control server, experts warn that the scope may be much broader. Given the infrastructure ties to groups that target the gambling sector and various industries across Southeast Asia and the Middle East, it is possible that additional servers exist with configurations for different regions. DKnife represents a persistent and evolving threat to network integrity that relies on the strategic positioning of implants at the gateway level.
Source: China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking