DKnife toolkit abuses routers to spy and deliver malware since 2019

Pierluigi Paganini February 08, 2026

DKnife is a Linux toolkit used since 2019 to hijack router traffic and deliver malware in cyber-espionage attacks.

Cisco Talos found DKnife, a powerful Linux toolkit that threat actors use to spy on and control network traffic through routers and edge devices. It inspects and alters data in transit and installs malware on PCs, phones, and IoT devices.

“Cisco Talos uncovered “DKnife,” a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants that perform deep-packet inspection, manipulate traffic, and deliver malware via routers and edge devices.” reads the report published by Talos. “Based on the artifact metadata, DKnife has been used since at least 2019 and the command and control (C2) are still active as of January 2026.”

DKnife hijacks software downloads and Android app updates to spread ShadowPad and DarkNimbus backdoors. The toolkit focuses on Chinese-speaking users, steals credentials from Chinese services, and targets popular Chinese apps. Talos researchers link DKnife with high confidence to China-nexus threat actors.

Since 2023, Cisco Talos has tracked the MOONSHINE exploit kit and the DarkNimbus backdoor used to deliver mobile exploits. While analyzing DarkNimbus, Talos uncovered DKnife, a gateway-monitoring and adversary-in-the-middle toolkit hidden inside a compressed archive fetched from the same C2 server. Metadata shows attackers have used DKnife since at least 2019, and its infrastructure remained active in January 2026. Talos also linked DKnife to WizardNet campaigns after finding shared servers hosting both tools. WizardNet, delivered through Spellbinder’s traffic-hijacking attacks, uses the same update-hijacking methods, URL paths, and ports as DKnife, pointing to a common development or operational lineage.

Evidence from DKnife shows that attackers mainly focus on Chinese-speaking users. The malware collects credentials from Chinese email services and steals data from popular Chinese mobile apps and messaging platforms such as WeChat. Code and configuration files reference Chinese media domains, and attackers even hijacked Android app updates for Chinese taxi and rideshare apps. Talos analyzed configs from one C2 server, so operators may use other servers to target different regions. Links to WizardNet, which previously hit the Philippines, Cambodia, and the UAE, suggest a wider regional scope is possible.

Multiple artifacts point to Chinese-speaking operators. Developers wrote comments and activity labels in Simplified Chinese. One core module is named “yitiji,” the pinyin term for “all-in-one,” which routes traffic through a single local interface. The framework consists of seven Linux ELF components designed for routers and edge devices, especially CentOS/RHEL systems.

DKnife performs deep packet inspection, hijacks DNS, intercepts Android and Windows updates, disrupts security traffic, monitors users, and delivers ShadowPad and DarkNimbus backdoors. It redirects update requests to a local malicious server and replaces legitimate downloads with malware, giving attackers full control at the network edge.

DKnife does not only hijack Android updates. It also intercepts Windows and other binary downloads to deliver ShadowPad and DarkNimbus malware. The tool loads encrypted hijacking rules, decrypts them with a QQ TEA–based key, and deletes them after use. When a victim downloads files like .exe or .zip, DKnife redirects the request to a malicious installer. That installer sideloads ShadowPad and DarkNimbus, then secretly connects to the attackers’ real command servers. The malware uses techniques and certificates linked to China-nexus threat actors.

DKnife actively weakens security defenses and spies on users. It detects antivirus and PC-management tools like 360 Total Security and Tencent services, then blocks or disrupts their traffic to reduce protection.

“The DKnife traffic inspection module actively identifies and interferes with communications from antivirus and PC-management products. It detects 360 Total Security by searching HTTP headers (e.g., the DPUname header in GET requests or the x-360-ver header in POST requests) and by matching known service domain names.” reads the report. “When a match is found, the module drops or otherwise disrupts the traffic with the crafted TCP RST packet. It similarly looks for and disrupts connections to Tencent services and PC-management endpoints.”

At the same time, it closely monitors user activity, tracking actions such as messaging on WeChat and Signal, shopping, reading news, map searches, gaming, dating apps, and ride-hailing. The malware also steals credentials by intercepting encrypted email connections and hosting phishing pages. Researchers also found signs it may target IoT devices, and vendors are working on mitigations.

The DKnife downloader is an ELF binary that installs and initializes the full DKnife framework on a compromised Linux device. It sets the C2 server (from a local config or a hardcoded fallback), generates a unique device ID, enables persistence at boot, downloads the DKnife package, and launches all components automatically. Its role is to prepare the environment, maintain persistence, and deploy the full toolset.

DKnife components are:

  1. dknife.bin – DPI & attack engine
    Core module that inspects traffic and runs attacks such as DNS hijacking, binary and APK download hijacking, and user activity monitoring.
  2. postapi.bin – Data reporter
    Labels captured traffic and sends collected data and events to the remote C2.
  3. sslmm.bin – Reverse proxy
    Modified HAProxy module that terminates TLS, decrypts email traffic, and reroutes URLs for interception and phishing.
  4. mmdown.bin – Malicious APK updater
    Connects to the C2 to download and deliver weaponized Android application updates.
  5. yitiji.bin – Packet forwarder
    Creates a bridged interface on the router to host and route attacker-injected LAN traffic.
  6. remote.bin – P2P VPN client
    Builds a peer-to-peer communication tunnel to the remote C2 using a customized N2N VPN.
  7. dkupdate.bin – Updater & watchdog
    Keeps all components running and updated, restarting them if they stop.

“Routers and edge devices remain prime targets in sophisticated targeted attack campaigns. As threat actors intensify their efforts to compromise this infrastructure, understanding the tools and TTPs they employ is critical.” concludes the report. “The discovery of the DKnife framework highlights the advanced capabilities of modern AitM threats, which blend deep‑packet inspection, traffic manipulation, and customized malware delivery across a wide range of device types. Overall, the evidence suggests a well‑integrated and evolving toolchain of AitM frameworks and backdoors, underscoring the need for continuous visibility and monitoring of routers and edge infrastructure.”

Article source: https://securityaffairs.com/187716/malware/dknife-toolkit-abuses-routers-to-spy-and-deliver-malware-since-2019.html