Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

AitM Framework DKnife Targets Routers for Traffic Hijacking and Malware Delivery



A recent discovery has shed light on an advanced AitM framework known as DKnife, which has been operated by China-nexus threat actors since at least 2019. This Linux-based framework compromises routers and edge devices for the purpose of deep packet inspection, traffic manipulation, and malware delivery, with primary targets being Chinese-speaking users. The discovery highlights the advanced capabilities of modern AitM threats and underscores the need for continued vigilance in cybersecurity monitoring and analysis.

  • DKnife is an advanced adversary-in-the-middle (AitM) framework used by China-nexus threat actors since at least 2019.
  • The framework compromises routers and edge devices for deep packet inspection, traffic manipulation, and malware delivery.
  • DKnife has a modular architecture consisting of seven distinct components with specific functions.
  • The primary targets of DKnife are Chinese-speaking users, as evidenced by credential-harvesting phishing pages for Chinese email services and exfiltration modules for mobile applications like WeChat.
  • The framework can perform deep packet inspection and traffic manipulation to deliver malware via routers and edge devices.
  • DKnife features an ELF downloader for delivering components to Linux-based devices and a modular architecture allowing flexibility in functions.
  • The discovery of DKnife highlights the advanced capabilities of modern AitM threats and potential connections with other threat actors like TheWizards.



    In a recent discovery, cybersecurity researchers have shed light on an advanced adversary-in-the-middle (AitM) framework known as DKnife. This Linux-based framework, which has been operated by China-nexus threat actors since at least 2019, has been found to compromise routers and edge devices for the purpose of deep packet inspection, traffic manipulation, and malware delivery.

    At its core, DKnife is a modular framework consisting of seven distinct components, each designed to perform a specific function within the overall architecture. The framework's primary targets seem to be Chinese-speaking users, with evidence pointing towards credential harvesting phishing pages for Chinese email services, exfiltration modules for popular Chinese mobile applications like WeChat, and code references to Chinese media domains.

    The functionality of DKnife is primarily centered around its ability to perform deep packet inspection, allowing operators to monitor user activity in real-time. This capability is bolstered by the framework's capacity for traffic manipulation, which enables operators to hijack binary downloads and Android application updates for the purpose of delivering malware via routers and edge devices.
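    As an added example (not code from the article, nor from DKnife or the researchers it cites), the following Python shows the client-side control that blunts the download hijacking described above: pinning the expected SHA-256 of an artifact and refusing plaintext transports, so a binary or update body swapped by an on-path router is rejected before it reaches the installer. The manifest, hostnames and payload bytes are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed genuine update body; the leading bytes mimic an ELF magic number.
GENUINE_UPDATE = b"\x7fELF" + b"genuine-update-body"

# Constructed publisher manifest: artifact name -> (download URL, pinned SHA-256 hex).
# The host is a placeholder, not a real update server.
MANIFEST = {
    "agent-update.bin": (
        "https://updates.example.invalid/agent-update.bin",
        hashlib.sha256(GENUINE_UPDATE).hexdigest(),
    ),
    # A legacy entry still served over plaintext HTTP (constructed weak setting).
    "legacy-tool.bin": (
        "http://updates.example.invalid/legacy-tool.bin",
        hashlib.sha256(GENUINE_UPDATE).hexdigest(),
    ),
}


class DownloadRejected(Exception):
    """Raised when an artifact must not be installed."""


def check_transport(url: str) -> None:
    """Refuse plaintext HTTP: a compromised router on the path can rewrite the
    response body without the client noticing anything."""
    if urlparse(url).scheme != "https":
        raise DownloadRejected(f"plaintext transport refused: {url}")


def verify_artifact(name: str, body: bytes) -> str:
    """Return the SHA-256 hex digest of body if it matches the pinned value.

    Raises DownloadRejected on a plaintext URL or a digest mismatch, so a payload
    swapped in transit is never handed to the installer.
    """
    url, expected = MANIFEST[name]
    check_transport(url)
    actual = hashlib.sha256(body).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise DownloadRejected(f"digest mismatch for {name}: got {actual[:16]}...")
    return actual


def on_path_swap(_body: bytes) -> bytes:
    """Constructed stand-in for an in-path device replacing the served binary."""
    return b"\x7fELF" + b"swapped-payload"


def run_demo() -> dict:
    """Exercise the genuine, swapped and plaintext cases and report each outcome."""
    outcomes = {}
    cases = {
        "genuine": ("agent-update.bin", GENUINE_UPDATE),
        "swapped": ("agent-update.bin", on_path_swap(GENUINE_UPDATE)),
        "plaintext": ("legacy-tool.bin", GENUINE_UPDATE),
    }
    for label, (name, body) in cases.items():
        try:
            verify_artifact(name, body)
            outcomes[label] = "accepted"
        except DownloadRejected as exc:
            outcomes[label] = f"rejected: {exc}"
    return outcomes


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:10s} {outcome}")
```

    The plaintext case is rejected even though its body is genuine: the point is that a transport an on-path device can rewrite silently gives the digest check nothing to stand on once the manifest itself could have been altered in the same way, so the manifest and the artifact both need an authenticated channel.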

    In addition to these capabilities, DKnife also features an ELF downloader that delivers the framework's components to Linux-based devices. The modular architecture of the framework allows operators to serve a wide range of functions, ranging from packet analysis to traffic manipulation. This flexibility is significant in light of the potential for DKnife to be used as part of more sophisticated targeted attack campaigns.

    The discovery of DKnife highlights the advanced capabilities of modern AitM threats, which blend deep packet inspection, traffic manipulation, and customized malware delivery across a wide range of device types.

    Furthermore, an analysis of DKnife's infrastructure has uncovered an IP address hosting WizardNet, a Windows implant deployed by TheWizards via an AitM framework referred to as Spellbinder. This connection highlights the potential for DKnife to be used in conjunction with other threat actors, such as TheWizards, who are known to target individuals and the gambling sector across Cambodia, Hong Kong, Mainland China, the Philippines, and the United Arab Emirates.

    The targeting of Chinese-speaking users by DKnife is significant in light of the infrastructure connections between the framework and WizardNet. This connection raises the possibility that other servers host similar configurations for different regional targeting, which would further amplify the threat presented by this AitM framework.

    In conclusion, the discovery of DKnife highlights the advanced capabilities of modern AitM threats, which blend deep packet inspection, traffic manipulation, and customized malware delivery across a wide range of device types. As threat actors continue to evolve their tactics, techniques, and procedures (TTPs), it is essential for cybersecurity professionals to remain vigilant in their monitoring and analysis of potential threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/AitM-Framework-DKnife-Targets-Routers-for-Traffic-Hijacking-and-Malware-Delivery-ehn.shtml

  • https://thehackernews.com/2026/02/china-linked-dknife-aitm-framework.html

  • https://www.securityweek.com/dknife-implant-used-by-chinese-threat-actor-for-adversary-in-the-middle-attacks/

  • https://securityaffairs.com/187570/apt/notepad-infrastructure-hack-likely-tied-to-china-nexus-apt-lotus-blossom.html

  • https://cybersecuritynews.com/new-chinese-nexus-apt-hackers-attacking-organizations/

  • https://cybersecsentinel.com/thewizards-apt-exploits-ipv6-to-hijack-updates-and-deploy-dual-platform-malware/

  • https://thehackernews.com/2025/04/chinese-hackers-abuse-ipv6-slaac-for.html

  • https://www.welivesecurity.com/en/eset-research/thewizards-apt-group-slaac-spoofing-adversary-in-the-middle-attacks/

  • https://www.eset.com/ca/about/newsroom/press-releases/eset-research-analyzes-tools-from-the-china-aligned-thewizards-group-with-targets-across-asia-and-the-middle-east-1/

  • https://www.securityweek.com/chinese-apts-adversary-in-the-middle-tool-dissected/


  • Published: Fri Feb 6 09:13:38 2026 by llama3.2 3B Q4_K_M
