DKnife Linux toolkit abuses routers to spy and deliver malware since 2019

  • Feb 8

Key Findings


  • DKnife is a Linux-based toolkit used since 2019 to hijack router traffic and deliver malware in cyber-espionage attacks

  • The toolkit is designed for deep packet inspection, traffic manipulation, credential harvesting, and malware delivery

  • DKnife has been linked to China-nexus threat actors with high confidence

  • The toolkit targets Chinese-speaking users, stealing credentials from Chinese services and popular Chinese apps

  • DKnife hijacks software downloads and Android app updates to spread malware like ShadowPad and DarkNimbus backdoors


Background


Cisco Talos researchers uncovered the DKnife toolkit, which has been used since at least 2019 to monitor and control network traffic through routers and edge devices. The framework consists of seven Linux-based components designed for deep packet inspection, traffic manipulation, credential harvesting, and malware delivery.


Talos linked DKnife to China-nexus threat actors with high confidence based on various artifacts, including Simplified Chinese language references, targeting of Chinese services and apps, and associations with other China-linked tools like WizardNet.


Capabilities


  • Hijacks DNS, intercepts Android and Windows updates, and replaces legitimate downloads with malware

  • Delivers ShadowPad and DarkNimbus backdoors to compromised systems

  • Weakens security defenses by disrupting antivirus and PC management tools

  • Closely monitors user activity, including messaging, shopping, news consumption, and ride-hailing

  • Steals credentials by intercepting encrypted email connections and hosting phishing pages

  • May also target IoT devices, though evidence is limited


Targeting and Delivery


  • DKnife primarily targets Chinese-speaking users, stealing credentials from Chinese email services and popular Chinese apps like WeChat

  • The toolkit hijacks software downloads and Android app updates to spread its malware payloads

  • Researchers found signs that DKnife may have a wider regional scope beyond just China, based on links to the WizardNet backdoor


Infrastructure and Persistence


  • DKnife's command-and-control servers remained active as of January 2026, suggesting ongoing operations

  • The framework uses techniques and certificates linked to China-nexus threat actors

  • DKnife's modular design allows it to persist on compromised networks, with components like the "yitiji" module creating a virtual network interface to intercept traffic


Sources


  • https://securityaffairs.com/187716/malware/dknife-toolkit-abuses-routers-to-spy-and-deliver-malware-since-2019.html

  • https://www.bleepingcomputer.com/news/security/dknife-linux-toolkit-hijacks-router-traffic-to-spy-deliver-malware/

  • https://www.reddit.com/r/technews/comments/1qxvgk2/dknife_linux_toolkit_has_been_used_since_2019_to/
