
This adversary-in-the-middle (AitM) framework leverages seven Linux-based implants, enabling the attackers to manipulate network traffic, perform deep packet inspection (DPI), and deliver malicious software to compromised devices.
The DKnife framework has been active since at least 2019, and its command-and-control (C2) servers are still operational as of January 2026.
DKnife Framework Details
The primary targets of the DKnife attacks are a wide range of Linux-based devices, including PCs, mobile devices, and Internet of Things (IoT) devices. The framework uses multiple components, each designed to perform specific functions.
The most notable functions include hijacking Android and Windows application updates and distributing backdoors like ShadowPad and DarkNimbus. These backdoors are used to establish remote access and steal sensitive information.
DKnife has a significant connection to other cyber campaigns. One of the most critical links discovered by Talos is the connection between DKnife and the WizardNet backdoor, which was previously linked to another AitM framework called Spellbinder.
This shared infrastructure points to a possible operational or developmental connection between the two frameworks.
One of the most striking features of DKnife is its targeted approach to Chinese-speaking users. Evidence of this targeting includes harvesting credentials for Chinese-language services and exfiltrating data from popular Chinese mobile applications such as WeChat.
Additionally, the configuration files found in DKnife contain references to Chinese media domains, further indicating that China-nexus threat actors likely operate the tool.
While the majority of the evidence points to Chinese targets, it is worth noting that some aspects of the DKnife campaign, particularly those linked to the WizardNet backdoor, suggest that the actors might be operating on a broader regional scale, affecting countries outside of China, such as the Philippines, Cambodia, and the UAE.
Deep Packet Inspection and DNS Hijacking
The DKnife framework relies heavily on deep packet inspection to carry out its attacks. Once a device is compromised, DKnife can monitor its traffic in real time and perform DNS hijacking.
This hijacking allows the attackers to redirect traffic and manipulate communication between compromised devices and legitimate websites.
For example, DKnife can intercept Android application update requests. When a user’s device requests an update, DKnife hijacks the manifest and replaces it with a malicious download, ultimately delivering a backdoor onto the device.
This method is highly effective because it appears to the victim that they are downloading a legitimate update.
According to Talos Intelligence, DKnife's capabilities also extend to hijacking Windows binary downloads. It has been shown to manipulate download URLs and inject malware into the victim's system, either by replacing legitimate software installers with malicious ones or by redirecting the victim to malware-laden sites.
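As an added example (not from the Talos report or this article), the following defender-side check looks for the trace an on-path DNS hijack of update traffic leaves in resolver logs: update hosts resolving outside their expected address ranges, and many unrelated hosts collapsing onto a single address. The log format, hostnames and address ranges are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample resolver log (not real data), one A-record answer per
# line: "<timestamp> <client> <qname> A <answer>"
SAMPLE_LOG = """\
2026-01-10T09:00:01Z 10.0.0.12 updates.vendor-a.example A 203.0.113.10
2026-01-10T09:00:02Z 10.0.0.12 updates.vendor-b.example A 203.0.113.10
2026-01-10T09:00:03Z 10.0.0.15 cdn.vendor-c.example A 203.0.113.10
2026-01-10T09:00:04Z 10.0.0.15 www.vendor-a.example A 198.51.100.7
2026-01-10T09:00:05Z 10.0.0.20 updates.vendor-a.example A 198.51.100.8
"""

# Constructed allowlist: the ranges each update host is expected to resolve
# to, e.g. learned from a trusted out-of-band resolver or the vendor's
# published address blocks.
EXPECTED = {
    "updates.vendor-a.example": ["198.51.100.0/24"],
    "updates.vendor-b.example": ["192.0.2.0/24"],
    "cdn.vendor-c.example": ["192.0.2.0/24"],
}


def parse_log(text):
    """Yield (qname, answer_ip) for every A-record answer in the log."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[3] == "A":
            yield parts[2], parts[4]


def find_hijacks(text, expected=EXPECTED, collapse_threshold=3):
    """Return alert strings for (1) answers outside the expected ranges and
    (2) single addresses that absorb many distinct hosts, the pattern a
    DPI-based DNS hijack produces when it redirects all update domains to
    one staging server."""
    alerts = []
    hosts_by_ip = defaultdict(set)
    for qname, ip in parse_log(text):
        addr = ipaddress.ip_address(ip)
        hosts_by_ip[ip].add(qname)
        if qname in expected and not any(
            addr in ipaddress.ip_network(net) for net in expected[qname]
        ):
            alerts.append(f"unexpected answer {ip} for {qname}")
    for ip, hosts in hosts_by_ip.items():
        if len(hosts) >= collapse_threshold:
            alerts.append(f"{ip} answers for {len(hosts)} hosts: {sorted(hosts)}")
    return alerts
```

Running `find_hijacks(SAMPLE_LOG)` on the constructed log yields three out-of-range alerts plus one collapse alert for 203.0.113.10; the hosts that resolve within their expected ranges produce nothing.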
Together, these components form a highly efficient attack platform, capable of hijacking traffic, delivering malware, and extracting valuable user data.
Through DNS manipulation and Android application update hijacking, DKnife can target both individual users and organizations, silently delivering backdoors and compromising sensitive information.
The discovery of DKnife reveals a new level of sophistication in cyberattacks, where adversaries leverage deep packet inspection, traffic manipulation, and custom malware delivery to compromise network devices.
As these threats evolve, it’s clear that routers, edge devices, and other network infrastructure must be closely monitored to detect and mitigate them.
The post Chinese APT Group Uses Linux Exploits To Redirect Traffic and Deploy Malicious Software appeared first on Cyber Security News.
