Ethical Hacking News
DKnife, a new Linux-based toolkit, has been discovered that hijacks router traffic to spy and deliver malware. The framework, which consists of seven components, is capable of intercepting and manipulating traffic destined for endpoints on the network, and delivers ShadowPad and DarkNimbus backdoors. Cisco Talos researchers have published indicators of compromise associated with this activity, highlighting the evolving threat landscape of espionage campaigns.
Cisco Talos researchers discovered a new Linux-based toolkit called DKnife that has been used in espionage campaigns since 2019. DKnife can hijack router traffic, deliver malware, intercept and manipulate network packets, and monitor user activity. The toolkit has seven components, and its capabilities include DNS hijacking, hijacking Android app updates, and exfiltrating user activity. DKnife is likely used by a China-nexus threat actor, based on Simplified Chinese language artifacts in component names and code comments. The malware can drop backdoors, deliver payloads, and disrupt security products in order to spy on users. DKnife's capabilities demonstrate the sophistication of modern malware and highlight the need for organizations to implement robust security measures.
Cisco Talos researchers have discovered a new Linux-based toolkit called DKnife that has been used since 2019 to hijack router traffic and deliver malware in espionage campaigns. The framework, which consists of seven Linux-based components, is designed to intercept and manipulate traffic destined for endpoints on the network.
DKnife's key capabilities include acting as an update C2 server for backdoors, DNS hijacking, hijacking Android application updates and binary downloads, delivering the ShadowPad and DarkNimbus backdoors, selectively disrupting security-product traffic, and exfiltrating user activity to remote C2 servers. Once installed, DKnife uses its yitiji.bin component to create a bridged TAP interface on the router with the private IP address 10.3.3.3, allowing it to intercept and rewrite network packets in transit.
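A bridged TAP device bound to 10.3.3.3 is an unusual thing to find on a router, so it is a cheap host-level check. The following is an added example (not Talos's code or part of DKnife) that reads the JSON produced by `ip -j -d addr show` on a Linux router and flags TAP interfaces enslaved to a bridge or any interface carrying that address; the sample interface listing embedded in it is constructed for illustration.

```python
"""Flag bridged TAP interfaces and the 10.3.3.3 address on a Linux router.

Feed it the output of `ip -j -d addr show` (the -d flag is what exposes the
TUN/TAP link details); without stdin it runs against the constructed sample.
"""
import json
import sys

SUSPECT_ADDR = "10.3.3.3"  # private address DKnife's yitiji.bin assigns to its TAP device

# Constructed sample of `ip -j -d addr show` output: a loopback, a LAN bridge,
# and a TAP device enslaved to that bridge with the DKnife address.
SAMPLE = json.dumps([
    {"ifindex": 1, "ifname": "lo", "link_type": "loopback", "flags": ["LOOPBACK", "UP"],
     "addr_info": [{"family": "inet", "local": "127.0.0.1", "prefixlen": 8}]},
    {"ifindex": 2, "ifname": "br-lan", "link_type": "ether",
     "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"],
     "linkinfo": {"info_kind": "bridge"},
     "addr_info": [{"family": "inet", "local": "192.168.1.1", "prefixlen": 24}]},
    {"ifindex": 7, "ifname": "tap0", "link_type": "ether", "master": "br-lan",
     "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"],
     "linkinfo": {"info_kind": "tun", "info_data": {"type": "tap"}},
     "addr_info": [{"family": "inet", "local": "10.3.3.3", "prefixlen": 24}]},
])


def is_tap(iface: dict) -> bool:
    """True if the interface is a TUN/TAP device of type 'tap'."""
    info = iface.get("linkinfo", {})
    return info.get("info_kind") == "tun" and info.get("info_data", {}).get("type") == "tap"


def find_suspect_interfaces(ip_json: str) -> list:
    """Return (ifname, reason) tuples for interfaces that deserve a closer look."""
    findings = []
    for iface in json.loads(ip_json):
        name = iface.get("ifname", "?")
        addrs = [a.get("local") for a in iface.get("addr_info", [])]
        if is_tap(iface) and "master" in iface:  # 'master' means enslaved to a bridge/bond
            findings.append((name, f"TAP device enslaved to bridge {iface['master']}"))
        if SUSPECT_ADDR in addrs:
            findings.append((name, f"carries {SUSPECT_ADDR}"))
    return findings


if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for ifname, reason in find_suspect_interfaces(data):
        print(f"{ifname}: {reason}")
```

Run it as `ip -j -d addr show | python3 check_tap.py` on the router; an empty result means neither pattern is present, not that the device is clean.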
The malware features Simplified Chinese language artifacts in component names and code comments, indicating that the operator is likely a China-nexus threat actor. Researchers observed DKnife dropping the ShadowPad backdoor for Windows signed with a Chinese firm's certificate, which was followed by the deployment of the DarkNimbus backdoor on Android devices.
Apart from payload delivery, DKnife is also capable of DNS hijacking, hijacking Android app updates, hijacking Windows binaries, credential harvesting via POP3/IMAP decryption, phishing page hosting, anti-virus traffic disruption, and monitoring user activity. WeChat activity is tracked in particular detail, with DKnife monitoring voice and video calls, text messages, images sent and received, and articles read on the platform.
The user activity events are first routed internally between DKnife's components and then exfiltrated via HTTP POST requests to specific command-and-control (C2) API endpoints. Because DKnife sits on gateway devices and reports events as packets pass through, it can monitor user activity and collect data in real time.
Cisco Talos has published the full set of indicators of compromise (IoCs) associated with this activity. As of January 2026, the DKnife C2 servers are still active.
The discovery of DKnife highlights the evolving threat landscape of espionage campaigns, which increasingly rely on hijacking router traffic to spy and deliver malware. The toolkit's capabilities demonstrate the sophistication and stealthiness of modern malware, making it essential for organizations to stay vigilant and implement robust security measures to protect their networks and endpoints.
Related Information:
https://www.ethicalhackingnews.com/articles/DKnife-Linux-Toolkit-Hijacks-Router-Traffic-to-Spy-Deliver-Malware-ehn.shtml
https://www.bleepingcomputer.com/news/security/dknife-linux-toolkit-hijacks-router-traffic-to-spy-deliver-malware/
https://www.bleepingcomputer.com/tag/dknife/
https://debuglies.com/2026/02/06/china-nexus-adversary-in-the-middle-aitm-framework-for-network-gateway-espionage-and-malware-delivery/
Published: Fri Feb 6 13:57:16 2026 by llama3.2 3B Q4_K_M