

Ethical Hacking News

DKnife: A Sophisticated Linux Toolkit Used to Spy on and Control Network Traffic Through Routers and Edge Devices



DKnife, a Linux toolkit discovered by Cisco Talos researchers, has been used since at least 2019 to spy on and control network traffic passing through compromised routers and edge devices. Sitting on the gateway, it inspects and alters traffic in transit, delivers malicious payloads to the hosts behind the device, and maintains persistence on the device itself.

  • DKnife is a Linux toolkit used by threat actors since at least 2019 to spy on and control network traffic.
  • The toolkit consists of seven Linux-based implants that perform deep-packet inspection, manipulate traffic, and deliver malware via routers and edge devices.
  • DKnife can hijack software downloads and Android app updates to spread malware, making it a significant threat to users worldwide.
  • The toolkit targets Chinese-speaking users and is attributed with high confidence to China-nexus threat actors.
  • DKnife continues to be used by threat actors today, with its infrastructure remaining active in January 2026.



    DKnife is a sophisticated Linux toolkit that has been used since at least 2019 by threat actors to spy on and control network traffic through routers and edge devices. The toolkit, discovered by Cisco Talos researchers, consists of seven Linux-based implants that perform deep-packet inspection, manipulate traffic, and deliver malware via routers and edge devices.

    According to the report published by Talos, DKnife is a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework that has been used in various cyber-espionage campaigns. The toolkit inspects and alters data in transit, installs malware on PCs, phones, and IoT devices, and monitors users' activities.

    The malware components of DKnife include a reverse proxy module, a packet forwarder, and an updater/watchdog component, all designed to work together to deliver malicious payloads and maintain persistence on compromised devices. The toolkit also features a deep-packet inspection capability that lets it intercept and manipulate traffic in real time.

    One of the most significant aspects of DKnife is its ability to hijack software downloads and Android app updates to spread ShadowPad and DarkNimbus backdoors. This allows attackers to gain full control over the network edge and deliver malware to unsuspecting users.
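Because DKnife sits on the gateway and rewrites downloads in flight, the practical defence is to verify an artifact against something the gateway cannot forge rather than trusting the network path. The following is an added example, not code from the Talos report or from the original article: a client-side check that (1) compares a download's SHA-256 digest with a digest published out of band in a pinned manifest, and (2) fetches the same URL through two independent network paths (the suspect gateway and, say, a cellular hotspot or VPN) and flags a mismatch. The URL, the manifest, the payloads and the two "fetch" functions are constructed fixtures so the code runs offline; the hijacked response models the update-hijacking behaviour the article describes, not DKnife's actual traffic.

```python
"""Detect a gateway-level adversary-in-the-middle altering a software download.

Added example (not Cisco Talos's or DKnife's code).  Network fetches are
simulated with constructed responses; URLs, digests and payloads are
hypothetical.  The "gateway" path models a DKnife-style update hijack by
returning a trojaned body for the update URL; the independent path is clean.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Response:
    status: int
    body: bytes
    headers: dict = field(default_factory=dict)


# --- constructed fixtures (hypothetical) ----------------------------------
UPDATE_URL = "http://updates.example.invalid/app-1.4.2.apk"
GENUINE_BODY = b"PK\x03\x04 genuine-app-update-1.4.2 ..."
TROJANED_BODY = b"PK\x03\x04 genuine-app-update-1.4.2 ... + appended dropper"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Pinned manifest: the digest the vendor published over a channel that does
# not pass through the suspect gateway (hypothetical value derived here).
PINNED_MANIFEST = {UPDATE_URL: sha256_hex(GENUINE_BODY)}


def fetch_via_gateway(url: str) -> Response:
    """Simulated fetch through the compromised gateway: body is rewritten."""
    if url == UPDATE_URL:
        return Response(200, TROJANED_BODY, {"Content-Type": "application/octet-stream"})
    return Response(404, b"")


def fetch_via_independent_path(url: str) -> Response:
    """Simulated fetch through a clean path (hotspot / VPN)."""
    if url == UPDATE_URL:
        return Response(200, GENUINE_BODY, {"Content-Type": "application/octet-stream"})
    return Response(404, b"")


def verify_against_manifest(url: str, response: Response, manifest=PINNED_MANIFEST):
    """Return (ok, reason). ok only when the response is 200 and its
    SHA-256 equals the out-of-band pinned digest for that URL."""
    expected = manifest.get(url)
    if expected is None:
        return False, "no pinned digest for this URL; refuse to install"
    if response.status != 200:
        return False, f"unexpected HTTP status {response.status}"
    actual = sha256_hex(response.body)
    if actual != expected:
        return False, f"digest mismatch: got {actual[:12]}..., expected {expected[:12]}..."
    return True, "digest matches pinned manifest"


def cross_vantage_check(url: str, fetchers: dict):
    """Fetch url through every named path and return {path: (status, digest)}.
    Status is included so two 404s with empty bodies do not look like agreement."""
    return {name: (r.status, sha256_hex(r.body))
            for name, r in ((n, f(url)) for n, f in fetchers.items())}


def paths_agree(results: dict) -> bool:
    """True when every path returned the same (status, digest) pair."""
    return len(set(results.values())) == 1


if __name__ == "__main__":
    for name, fetch in (("gateway", fetch_via_gateway),
                        ("independent", fetch_via_independent_path)):
        ok, why = verify_against_manifest(UPDATE_URL, fetch(UPDATE_URL))
        print(f"{name:12s} manifest check: {'OK ' if ok else 'FAIL'} ({why})")
    results = cross_vantage_check(UPDATE_URL, {"gateway": fetch_via_gateway,
                                               "independent": fetch_via_independent_path})
    print("paths agree:", paths_agree(results), results)
```

The manifest check is the one to build into an updater; the cross-vantage comparison is an investigator's tool for confirming that a particular gateway is the point of alteration when no pinned digest is available.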

    DKnife's focus on Chinese-speaking users is also noteworthy; Talos attributes the toolkit with high confidence to China-nexus threat actors. The malware collects credentials from Chinese email services, steals data from popular Chinese mobile apps and messaging platforms such as WeChat, and has hijacked Android app updates for Chinese taxi and rideshare apps.

    The toolkit's infrastructure remained active in January 2026, indicating that it is still in use. Researchers have also linked DKnife to the WizardNet campaigns, whose traffic-hijacking attacks used the same update-hijacking methods, URL paths, and ports as DKnife.

    In addition to its technical capabilities, DKnife is also significant because it highlights the evolving nature of cyber-espionage threats. As threat actors become more sophisticated in their tactics and techniques, they are able to use a wide range of tools and frameworks to spy on and control network traffic.

    The discovery of DKnife serves as a reminder for organizations and individuals to stay vigilant and take proactive measures to protect themselves against such threats. Because the toolkit hijacks downloads and app updates from the gateway, that means verifying software downloads and updates against vendor-published signatures or hashes rather than trusting the network path, keeping routers and edge devices patched and hardened, and monitoring gateway traffic for altered or redirected downloads.

    In conclusion, DKnife is a sophisticated Linux toolkit that has been used by threat actors to spy on and control network traffic through routers and edge devices since at least 2019. Its ability to hijack software downloads and Android app updates to spread malware makes it a significant threat to users worldwide.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/DKnife-A-Sophisticated-Linux-Toolkit-Used-to-Spy-on-and-Control-Network-Traffic-Through-Routers-and-Edge-Devices-ehn.shtml

  • https://securityaffairs.com/187716/malware/dknife-toolkit-abuses-routers-to-spy-and-deliver-malware-since-2019.html

  • https://www.bleepingcomputer.com/news/security/dknife-linux-toolkit-hijacks-router-traffic-to-spy-deliver-malware/


  • Published: Sun Feb 8 04:25:26 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
