DKnife: Stealthy Linux Framework Turns Routers into Man‑in‑the‑Middle Platforms

CyberSecureFox 🦊

Cisco Talos has disclosed the discovery of DKnife, a modular Linux-based post‑exploitation framework that has been quietly abused since at least 2019 to compromise routers and network gateways. Once deployed, DKnife converts network infrastructure into a powerful man‑in‑the‑middle (MitM) platform capable of intercepting, modifying and rerouting user traffic with minimal disruption and low detection probability.

DKnife Linux malware: shifting attacks from endpoints to routers

Unlike traditional malware that focuses on laptops, servers or mobile devices, DKnife explicitly targets network infrastructure — edge routers, border gateways and other Linux‑based appliances that handle large volumes of traffic. By occupying this strategic position, attackers gain visibility over many internal hosts simultaneously, bypassing endpoint‑centric security controls.

The framework is designed to operate transparently in the data path. It can inspect packets in real time, apply complex rules to decide which connections to manipulate, and alter traffic on the fly. This enables a range of operations, from credential theft and surveillance to covert malware delivery without user interaction.

At the core of DKnife’s threat is its use of MitM attacks. Traffic between a victim and a legitimate service is silently routed through the compromised router controlled by the threat actor. This position allows DKnife operators to replace downloaded files (for example, Android APKs), inject backdoors into Windows environments, steal authentication data and track activity on popular services, including WeChat.

Technical architecture of the DKnife framework on Linux routers

Core packet inspection and traffic manipulation

Analysis by Cisco Talos indicates that DKnife is composed of at least seven interlinked Linux binaries, each assigned to a specific role. The central executable, dknife.bin, performs deep packet inspection (DPI) — parsing network flows, identifying interesting protocols and sessions, and applying the attack logic.

Captured data and processed events are forwarded to attacker infrastructure through a helper component, postapi.bin, which acts as a relay between dknife.bin and command‑and‑control (C2) servers. This separation of roles increases operational flexibility and makes detection more difficult, as C2 communication can be tuned independently of packet processing.

To perform stealth HTTPS interception, DKnife leverages sslmm.bin, a customized reverse proxy based on HAProxy. By inserting this proxy into the traffic path, operators can modify encrypted sessions while preserving service availability and performance, making anomalies less noticeable to users and monitoring systems.

Another critical component, yitiji.bin, creates a virtual TAP network interface on the router, typically with the private IP address 10.3.3.3. This interface allows DKnife to capture and rewrite packets “in transit” at a very low level, effectively embedding itself into the local network segment and routing selected traffic through attacker‑controlled paths.

Supporting modules for persistence, VPN access and malware delivery

Additional binaries extend DKnife’s reach and resilience. The remote.bin module provides a peer‑to‑peer VPN client built on the open‑source n2n software, enabling operators to maintain remote access to compromised routers even in restrictive network environments.

The mmdown.bin component focuses on Android malware distribution, handling the download and update of malicious APKs that can be silently injected into intercepted HTTP/HTTPS sessions. Meanwhile, dkupdate.bin manages installation, deployment and upgrades of the DKnife framework itself, helping maintain persistence and consistent configurations across infected devices.

Links to Chinese APT groups, ShadowPad, DarkNimbus and Spellbinder

Code analysis and infrastructure overlaps strongly suggest a Chinese threat actor behind DKnife. Researchers identified strings in Simplified Chinese within component names and comments, and observed that the framework targets popular Chinese webmail providers, mobile applications, media domains and WeChat users, indicating a focus on Chinese‑speaking ecosystems.

DKnife is also used as a delivery mechanism for well‑known backdoors such as ShadowPad and DarkNimbus (also referred to as DarkNights), previously associated with Chinese cybercriminal and APT groups. In several cases, ShadowPad — signed with a certificate issued to a Chinese company — was deployed onto Windows hosts via DKnife, and then used to stage DarkNimbus.

On Android devices, malicious payloads are delivered directly through APK substitution in intercepted downloads. This MitM‑based approach sidesteps app stores and user awareness, aligning with tactics observed in other router‑centric APT campaigns.

Cisco Talos also observed the WizardNet backdoor on the same C2 infrastructure. WizardNet had been previously documented by ESET and linked to the Spellbinder MitM framework. Further, open‑source reporting attributes DarkNimbus development to the Chinese company UPSEC, which multiple studies associate with the APT cluster known as TheWizards, operators of Spellbinder. The overlap in tooling, infrastructure and tactics, techniques and procedures (TTPs) reinforces the hypothesis that DKnife is part of the same or a closely aligned threat ecosystem.

Espionage focus: monitoring WeChat and other popular platforms

Beyond malware deployment, DKnife exhibits extensive capabilities for traffic monitoring and data theft. The framework pays particular attention to WeChat, one of the dominant communication platforms in China.

According to the analysis, DKnife can monitor voice and video calls, text messages, images and in‑app article views within the WeChat ecosystem. Such visibility provides attackers with rich intelligence on personal communications, social graphs and media consumption, which can be leveraged for espionage, profiling and follow‑on operations.

Activity records are first normalized and routed between internal DKnife components, then packaged and exfiltrated via HTTP POST requests to C2 servers. Using common web protocols helps disguise data exfiltration as normal web browsing traffic, complicating detection by traditional network monitoring tools.

Why network infrastructure attacks are growing and how to defend against DKnife

DKnife underscores a broader strategic shift: from attacking individual endpoints to compromising network infrastructure itself. A single compromised router or gateway can silently mediate traffic for hundreds or thousands of users, neutralizing investments in endpoint security, email gateways and web proxies.

To reduce exposure to frameworks like DKnife, organizations should prioritize security hardening of routers, firewalls and VPN gateways. This includes timely firmware updates, rapid patching of disclosed vulnerabilities, and disabling unused remote management services that expand the attack surface.

Administrative access to network devices should be locked down with strong authentication, including multi‑factor authentication (MFA), unique credentials per device, and strict IP‑based access control. Management interfaces must never be openly exposed to the public internet without robust protections.

Equally important is the deployment of network‑centric detection and monitoring. Security teams should employ intrusion detection and network analytics capable of spotting anomalous tunnels, unexpected TAP interfaces, unusual reverse proxies and suspicious outbound C2 traffic. Baseline traffic patterns for critical routers and gateways can help highlight deviations indicative of DKnife‑like activity.
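As an added example (not code from the Talos report or from this article), the following script audits `ip -o addr` and `ps -o pid,comm` output collected from a Linux router for the artifacts named above: an interface carrying the 10.3.3.3 TAP address, the seven DKnife component names, and a HAProxy‑style proxy process that the operator's baseline does not account for. The sample outputs are constructed, and the interface and proxy baselines are assumptions an operator would replace with their own.

```python
import re
# Component names and TAP address that Cisco Talos attributes to DKnife.
DKNIFE_BINARIES = {"dknife.bin", "postapi.bin", "sslmm.bin", "yitiji.bin",
                   "remote.bin", "mmdown.bin", "dkupdate.bin"}
DKNIFE_TAP_ADDR = "10.3.3.3"
# Constructed `ip -o addr` and `ps -o pid,comm` output from a hypothetical router.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.1/24 brd 192.0.2.255 scope global eth0
4: tap0    inet 10.3.3.3/24 scope global tap0
"""
SAMPLE_PS = """\
  PID COMMAND
  412 dropbear
  870 sslmm.bin
  871 haproxy
  902 yitiji.bin
"""

def audit_addrs(ip_addr_output, expected_ifaces):
    """Flag the DKnife TAP address (high) and IPv4 interfaces outside the baseline (medium)."""
    findings = []
    for line in ip_addr_output.splitlines():
        m = re.match(r"\s*\d+:\s+(\S+)\s+inet\s+(\S+)", line)
        if not m:
            continue  # skips inet6 and non-address lines
        iface, cidr = m.group(1), m.group(2)
        if cidr.split("/")[0] == DKNIFE_TAP_ADDR:
            findings.append(("high", f"{iface} carries DKnife TAP address {cidr}"))
        elif iface != "lo" and iface not in expected_ifaces:
            findings.append(("medium", f"unexpected interface {iface} ({cidr})"))
    return findings

def audit_processes(ps_output, proxy_baseline):
    """Flag DKnife component names (high) and unbaselined haproxy processes (medium)."""
    findings = []
    for line in ps_output.splitlines()[1:]:  # first line is the header
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        pid, comm = parts[0], parts[1].strip()
        if comm in DKNIFE_BINARIES:
            findings.append(("high", f"pid {pid}: DKnife component {comm}"))
        elif comm.startswith("haproxy") and comm not in proxy_baseline:
            findings.append(("medium", f"pid {pid}: unbaselined proxy {comm}"))
    return findings

if __name__ == "__main__":
    for severity, detail in audit_addrs(SAMPLE_IP_ADDR, {"eth0"}) + audit_processes(SAMPLE_PS, set()):
        print(severity.upper(), detail)
```

Run it against output captured from the device over an out‑of‑band channel rather than on the router itself, since a compromised box can lie about its own state.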

Given DKnife’s association with advanced APT clusters, its ability to hijack traffic for widely used platforms such as WeChat, and the long‑term nature of router compromises, both enterprises and home users should reassess the security of their edge devices. Treating routers and gateways as high‑value assets — patching them, hardening configurations and continuously monitoring their behavior — is now essential to preventing silent, large‑scale man‑in‑the‑middle attacks on modern networks.
