DarkNimbus

DarkNimbus is a backdoor malware family, also referred to in the content as DarkNights, associated with China-nexus activity. Cisco Talos linked it to the Earth Minotaur threat cluster and reported that it has been tracked since 2023 in connection with mobile exploit delivery. The malware is also described as having been used by the APT group TheWizards, and one report states it was developed by Earth Minotaur.

The content describes DarkNimbus as an Android-and-Windows backdoor delivered through adversary-in-the-middle traffic hijacking operations. In Cisco Talos reporting, the DKnife framework—an AitM toolkit deployed on compromised routers and edge devices since at least 2019—was used to hijack binary downloads and Android application updates to deliver DarkNimbus, often alongside ShadowPad. On Windows, Talos observed a legitimate or signed loader side-loading a ShadowPad DLL, after which ShadowPad loaded DarkNimbus. On Android, DarkNimbus was delivered directly by DKnife through hijacked app updates. DKnife also supported DarkNimbus operations by intercepting DNS requests and rerouting them to the real command-and-control infrastructure so the backdoor could communicate successfully.

DarkNimbus appears in broader China-aligned intrusion ecosystems involving WizardNet and the Spellbinder traffic-hijacking framework. Infrastructure overlap and reporting cited in the content connect DKnife, WizardNet, TheWizards, and Earth Minotaur. Targeting described in the content is focused primarily on Chinese-speaking users, with related activity and linked campaigns affecting sectors and regions including the gambling industry and victims in the Philippines, Cambodia, Hong Kong, Mainland China, the United Arab Emirates, and a Philippine educational institution. The content does not provide standalone DarkNimbus-specific IOCs, but high-confidence associated artifacts include its use with DKnife, ShadowPad, MOONSHINE, WizardNet, and Earth Minotaur-linked infrastructure.