
China-Linked DKnife AitM Framework Targets Routers for Cyberattacks

  • Feb 7
  • 2 min read

Key Findings


  • DKnife is a gateway-monitoring and adversary-in-the-middle (AitM) framework operated by China-nexus threat actors since at least 2019

  • It comprises seven Linux-based implants designed for deep packet inspection, traffic manipulation, and malware delivery via routers and edge devices

  • The framework's primary targets appear to be Chinese-speaking users, based on the presence of credential harvesting phishing pages for Chinese email services and exfiltration modules for popular Chinese mobile apps

  • DKnife can hijack binary downloads and Android application updates to deliver the ShadowPad and DarkNimbus backdoors

  • The framework is engineered to be run on Linux-based devices and has a modular architecture that enables a wide range of functions, from packet analysis to traffic manipulation


Background


Cybersecurity researchers have taken the wraps off a gateway-monitoring and adversary-in-the-middle (AitM) framework dubbed DKnife that's operated by China-nexus threat actors since at least 2019. The framework comprises seven Linux-based implants that are designed to perform deep packet inspection, manipulate traffic, and deliver malware via routers and edge devices.


Targeting and Connections


The framework's primary targets seem to be Chinese-speaking users, an assessment based on the presence of credential harvesting phishing pages for Chinese email services, exfiltration modules for popular Chinese mobile applications like WeChat, and code references to Chinese media domains.


An analysis of DKnife's infrastructure has also uncovered an IP address hosting WizardNet, a Windows implant deployed by a China-aligned advanced persistent threat (APT) group called TheWizards via an AitM framework referred to as Spellbinder. This shared infrastructure suggests a connection between DKnife and WizardNet. TheWizards is known to target individuals and the gambling sector across Cambodia, Hong Kong, Mainland China, the Philippines, and the United Arab Emirates.


Functionality of DKnife Components


DKnife is engineered to be run on Linux-based devices and has a modular architecture that enables operators to perform a wide range of functions, including:


  • Deep packet inspection

  • User activity reporting

  • Binary download hijacking

  • DNS hijacking

  • Credential harvesting from Chinese email providers

  • Hosting phishing pages for other services

  • Serving updated C2 infrastructure for the DarkNimbus malware

  • Hijacking and replacing Android app updates and Windows binary downloads to deliver the ShadowPad backdoor


The core component, "dknife.bin," is responsible for these malicious activities, allowing the operators to conduct traffic monitoring and in-line attacks that replace legitimate downloads with malicious payloads.
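Of the capabilities listed above, binary download hijacking is the one a defender can check for most directly: an in-line replacement cannot preserve the hash a publisher distributes out of band, and it needs plaintext HTTP (or broken certificate validation) to rewrite the body. The following is an added example, not code from the page or from any vendor, that parses a sha256sum-style manifest and verifies a fetched body against it; the URL, file name and archive bytes are constructed.

```python
import hashlib
from urllib.parse import urlsplit


def parse_sha256sums(text: str) -> dict:
    """Parse a sha256sum(1)-style manifest ('<hex>  <name>' or '<hex> *<name>')."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # '*' marks binary mode in sha256sum output
        digest = digest.lower()
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            pinned[name] = digest
    return pinned


# Constructed sample: the bytes the publisher actually ships and the
# manifest they publish separately (e.g. on a signed release page).
LEGIT_ARCHIVE = b"legitimate archive bytes (constructed)"
MANIFEST = (
    "# SHA256SUMS (constructed)\n"
    f"{hashlib.sha256(LEGIT_ARCHIVE).hexdigest()}  tool-1.2.0-linux-amd64.tar.gz\n"
)
PINNED = parse_sha256sums(MANIFEST)


def verify_download(url: str, body: bytes, pinned: dict = PINNED) -> list:
    """Return findings for a fetched body; an empty list means no sign of in-line tampering."""
    findings = []
    parts = urlsplit(url)
    # A gateway-level AitM can rewrite a plaintext response body freely;
    # TLS forces it to defeat certificate validation instead.
    if parts.scheme != "https":
        findings.append("plaintext-transport")
    name = parts.path.rsplit("/", 1)[-1]
    expected = pinned.get(name)
    if expected is None:
        findings.append("no-pinned-hash")  # nothing to compare against: treat as unverified
        return findings
    if hashlib.sha256(body).hexdigest() != expected:
        findings.append("hash-mismatch")  # body differs from what the publisher pinned
    return findings
```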


Conclusion


DKnife is a sophisticated AitM framework that demonstrates the capabilities of China-linked threat actors in targeting routers and edge devices to hijack traffic, deliver malware, and monitor user activity. The framework's modular design and extensive functionality make it a significant threat, particularly for Chinese-speaking users.


Sources


  • https://thehackernews.com/2026/02/china-linked-dknife-aitm-framework.html

  • https://x.com/TheCyberSecHub/status/2019788824864493691

  • https://www.cypro.se/2026/02/06/china-linked-dknife-aitm-framework-targets-routers-for-traffic-hijacking-malware-delivery/

© 2025 by Explain IT Again. Powered and secured by Wix