DKnife
DKnife is a modular Linux-based gateway-monitoring and adversary-in-the-middle (AitM) malware framework used by China-nexus threat actors since at least 2019. Cisco Talos reported it comprises seven Linux ELF implants designed to compromise routers and edge devices, persist on gateway hardware, and inspect, manipulate, and exfiltrate traffic transiting the device. Reported components include dknife.bin (core deep-packet inspection and attack logic), postapi.bin (data/C2 relay), sslmm.bin (reverse proxy/TLS interception), mmdown.bin (malicious Android APK delivery), yitiji.bin (bridged TAP/LAN traffic injection), remote.bin (P2P VPN remote access), and dkupdate.bin (updater/watchdog).
High-confidence capabilities described in the source material include deep packet inspection, DNS hijacking, traffic manipulation, reverse proxying, credential harvesting, phishing support, packet forwarding, data reporting, and malware delivery to downstream endpoints. DKnife can hijack Windows binary downloads and Android application updates, replacing legitimate content with malicious payloads, and has been used to deliver the ShadowPad and DarkNimbus backdoors. It can also intercept POP3/IMAP traffic via sslmm.bin to extract email credentials, host phishing pages for Chinese email services, exfiltrate data from Chinese applications such as WeChat and QQ, monitor activity including WeChat and Signal usage, and disrupt traffic from security products such as 360 Total Security and Tencent PC Manager, including via crafted TCP reset behavior.
The framework primarily appears to target Chinese-speaking users, based on observed phishing pages, exfiltration modules for Chinese apps, code/configuration references to Chinese services and media domains, and Simplified Chinese comments and labels in artifacts. Talos assessed with high confidence that DKnife is operated by China-nexus actors, and linked the activity to infrastructure and tooling associated with Earth Minotaur, WizardNet, the Spellbinder AitM framework, MOONSHINE, and DarkNimbus. Related activity and infrastructure were noted in connection with the Philippines, Cambodia, and the United Arab Emirates, though Talos noted some targeting conclusions were based on configuration from a single C2 server.
The malware targets Linux-based routers and edge devices, including CentOS/RHEL-like environments, and can place any downstream device at risk, including Windows systems, Android devices, and potentially IoT devices behind the compromised gateway. Reported persistence and host artifacts include storage under /dksoft/update/, modification of /etc/rc.local, a bridged TAP interface at 10.3.3.3, and use of self-signed certificates associated in reporting with Sichuan Qiyu Network Technology. Reported hardcoded C2 endpoints include 47.93.54[.]134:8005 and 43.132.205[.]118:81. Talos stated DKnife command-and-control infrastructure remained active as of January 2026.
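As an added example (not code from Talos, nor from Mallory) of how a defender could turn the host and network artifacts reported above into a quick triage check: the indicator values (the /dksoft/update/ staging path, the 10.3.3.3 TAP address, and the two C2 endpoints) are the ones the page reports; the rc.local contents, the interface listing, the connection-log format and the placement of dkupdate.bin under /dksoft/update/ are constructed samples and assumptions made for this example.

```python
"""Triage checks for the DKnife host and network artifacts named in the write-up.
Added example, not the project's or the researchers' code. Indicator values are
the ones reported on the page; every sample input below is constructed."""
import re
from typing import Iterable

# Indicators reported for DKnife. Network IOCs are kept defanged as they appear
# in reporting and refanged only when compared against telemetry.
DKNIFE_PATH_PREFIX = "/dksoft/update/"
DKNIFE_TAP_ADDRESS = "10.3.3.3"
DKNIFE_C2 = ["47.93.54[.]134:8005", "43.132.205[.]118:81"]


def refang(indicator: str) -> str:
    """Turn a defanged 'a.b[.]c.d:port' indicator back into a matchable form."""
    return indicator.replace("[.]", ".")


def parse_c2(indicator: str) -> tuple[str, int]:
    host, port = refang(indicator).rsplit(":", 1)
    return host, int(port)


C2_SET = {parse_c2(i) for i in DKNIFE_C2}


def check_rc_local(rc_local: str) -> list[str]:
    """Flag non-comment /etc/rc.local lines that reference the reported staging path."""
    hits = []
    for line in rc_local.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if DKNIFE_PATH_PREFIX in stripped:
            hits.append(stripped)
    return hits


def check_interfaces(ip_addr_output: str) -> list[str]:
    """Flag interfaces carrying the reported bridged TAP address.
    Input is constructed to resemble `ip -o -4 addr` output, one interface per line:
    '3: tap0    inet 10.3.3.3/24 scope global tap0'."""
    hits = []
    for line in ip_addr_output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "inet":
            ifname, cidr = parts[1], parts[3]
            if cidr.split("/")[0] == DKNIFE_TAP_ADDRESS:
                hits.append(ifname)
    return hits


# Constructed connection-log format (assumption for this example):
# "<ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
CONN_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+(\w+)$")


def scan_connections(lines: Iterable[str]) -> list[dict]:
    """Return connections whose destination host:port matches a reported C2 endpoint."""
    matches = []
    for line in lines:
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # lines that do not fit the expected format are skipped, not errors
        ts, src, _sport, dst, dport, proto = m.groups()
        if (dst, int(dport)) in C2_SET:
            matches.append({"ts": ts, "src": src, "dst": f"{dst}:{dport}", "proto": proto})
    return matches


def triage(rc_local: str, ip_addr_output: str, conn_lines: Iterable[str]) -> dict:
    """Combine the three checks into one verdict for a single gateway host."""
    rc_hits = check_rc_local(rc_local)
    if_hits = check_interfaces(ip_addr_output)
    c2_hits = scan_connections(conn_lines)
    return {
        "rc_local": rc_hits,
        "interfaces": if_hits,
        "c2_connections": c2_hits,
        "suspicious": bool(rc_hits or if_hits or c2_hits),
    }


# --- constructed sample inputs (not real captures) ---
SAMPLE_RC_LOCAL = """#!/bin/sh -e
# constructed sample; the dkupdate.bin placement is an assumption for this example
/dksoft/update/dkupdate.bin &
exit 0
"""
SAMPLE_IP_ADDR = """1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
3: tap0    inet 10.3.3.3/24 scope global tap0
"""
SAMPLE_CONNS = [
    "2026-01-15T10:00:01Z 192.0.2.10:51234 -> 47.93.54.134:8005 tcp",
    "2026-01-15T10:00:02Z 192.0.2.10:51235 -> 198.51.100.7:443 tcp",
    "2026-01-15T10:00:03Z 192.0.2.10:51236 -> 43.132.205.118:81 tcp",
    "2026-01-15T10:00:04Z 192.0.2.10:51237 -> 47.93.54.134:443 tcp",  # same host, other port
]

if __name__ == "__main__":
    print(triage(SAMPLE_RC_LOCAL, SAMPLE_IP_ADDR, SAMPLE_CONNS))
```

The connection check matches on host and port together, so the fourth sample line (the reported C2 host on a port the page does not list) is deliberately not flagged; loosening that to host-only matching is a one-line change, at the cost of more noise on shared hosting. The rc.local check looks only at the staging path, since the page reports the path and the rc.local modification but not the exact command line.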
Groups observed using it
4 distinct threat actors attributed by public researchers.
A sophisticated gateway-monitoring and adversary-in-the-middle (AitM) framework known as DKnife has been identified, operated by China-nexus threat actors since at least 2019.
"China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery" ... "dubbed DKnife" ... "comprises seven Linux-based implants" designed to "perform deep packet inspection, manipulate traffic, and deliver malware via routers and edge devices."
"The DKnife Linux toolkit represents a significant escalation in adversary-in-the-middle (AitM) threats targeting network infrastructure... engineered to compromise Linux-based routers and edge devices, enabling attackers to intercept, manipulate, and exfiltrate network traffic at the gateway level."
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
6 techniques
"...begins with the compromise of a Linux-based router or edge device, either via... credential reuse (T1078)..."
"The exploitation lifecycle typically begins with the compromise of a Linux-based router or edge device, either via exploitation of public-facing services (MITRE ATT&CK T1190)..."
"...hijacking binary downloads and Android application updates." / "Hijacking and replacing Android application updates... by intercepting their update manifest requests"
DKnife hijacks software downloads and Android app updates... It redirects update requests to a local malicious server and replaces legitimate downloads with malware.
"DKnife toolkit abuses routers to spy and deliver malware since 2019"
"DKnife can harvest credentials from a major Chinese email provider and host phishing pages for other services"
Execution
1 technique
Persistence
3 techniques
"Abuse of startup services (e.g., init scripts, cron-like schedulers)"
"...begins with the compromise of a Linux-based router or edge device, either via... credential reuse (T1078)..."
Privilege Escalation
3 techniques
"Abuse of startup services (e.g., init scripts, cron-like schedulers)"
"...begins with the compromise of a Linux-based router or edge device, either via... credential reuse (T1078)..."
Stealth
2 techniques
The tool loads encrypted hijacking rules, decrypts them with a QQ TEA–based key, and deletes them after use.
Defense Impairment
1 technique
"Configuration hijacking (NVRAM or equivalent)"
Credential Access
4 techniques
"...terminates and decrypts POP3/IMAP connections, and inspects the plaintext stream to extract usernames and passwords."
The malware also steals credentials by intercepting encrypted email connections and hosting phishing pages.
“The toolkit… steals credentials from Chinese services”
Discovery
1 technique
Collection
2 techniques
Command and Control
6 techniques
"Encrypted communications over HTTP(S) or DNS-like patterns"
"sslmm.bin - A reverse proxy module modified from HAProxy that performs TLS termination..."
"Deploy additional payloads against downstream hosts"
remote.bin – P2P VPN client: builds a peer-to-peer communication tunnel to the remote C2 using a customized N2N VPN.
Exfiltration
1 technique
"...exfiltrate data from popular apps like WeChat and QQ."
Impact
1 technique
"...can perform DNS hijacking for malicious redirects."
Other
1 technique
Recent activity
12 sources tracked across advisories, community write-ups, and news.
DKnife toolkit abuses routers to spy and deliver malware since 2019
Gateway-monitoring/AitM framework comprising multiple Linux-based implants for deep packet inspection, traffic manipulation, and malware delivery via routers/edge devices.
A China-nexus gateway-monitoring/AitM framework composed of seven Linux implants that perform deep-packet inspection, manipulate network traffic, and can deliver malware via routers and edge devices.
Linux-based modular AitM/gateway-monitoring framework deployed on routers/edge devices to perform deep packet inspection, manipulate network traffic, harvest credentials (e.g., by decrypting POP3/IMAP), conduct DNS hijacking/redirection, and hijack downloads/updates to deliver additional malware.