PROBABLYPWNED
Threat Intelligence | February 6, 2026 | 5 min read

Talos Exposes DKnife: China-Linked Router AitM Framework

Seven-implant Linux toolkit intercepts traffic on compromised routers, delivering ShadowPad and hijacking Android updates. Active C2 infrastructure dates to 2019.

Alex Kowalski

Cisco Talos published research this week revealing DKnife, a modular adversary-in-the-middle (AitM) framework built from seven Linux implants that compromise routers and edge devices to intercept, manipulate, and weaponize network traffic. The framework has been operational since at least 2019, and its command-and-control infrastructure was still active as of January 2026.

DKnife goes well beyond simple traffic sniffing. It performs deep packet inspection, hijacks software updates to deliver malware, intercepts TLS connections with self-signed certificates, and actively blocks security product communications—all from a position on compromised gateway hardware where traditional endpoint security has no visibility.

What DKnife Does

The framework consists of seven ELF binaries, each handling a specific function in the attack chain:

  • dknife.bin — The core engine performing deep packet inspection, traffic manipulation, and attack logic
  • postapi.bin — Relays exfiltrated data to C2 servers via dedicated API endpoints
  • sslmm.bin — A modified HAProxy reverse proxy that terminates TLS connections and intercepts encrypted traffic
  • mmdown.bin — Downloads and updates malicious Android APKs for mobile targeting
  • yitiji.bin — Creates a TAP bridge interface (10.3.3.3) to host malware payloads on an isolated network segment
  • remote.bin — An N2N peer-to-peer VPN client for overlay communications
  • dkupdate.bin — Watchdog process that keeps the framework updated and running

The name "yitiji" is Pinyin for "all-in-one machine," one of several Chinese-language artifacts throughout the codebase that point to Chinese-speaking developers.

Traffic Hijacking and Malware Delivery

DKnife's most dangerous capability is its ability to silently replace legitimate software downloads with malicious payloads. When a user behind a compromised router downloads a Windows .exe file over HTTP, DKnife intercepts the request and issues an HTTP 302 redirect to a payload hosted on the local bridge interface. The user receives malware instead of the software they requested, with no visible indication that anything went wrong.

The framework uses the same technique against Android devices, intercepting APK manifest requests and injecting malicious download URLs. According to Talos, DKnife delivers ShadowPad and DarkNimbus backdoors through these hijacked downloads—both well-documented tools in the Chinese state-sponsored toolkit.
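As an added example (not code from the article or from Talos), a small Python checker over constructed gateway-side proxy records that flags the download-redirect pattern described above: a 302 on an executable or APK request whose Location points at a private or link-local address such as the 10.3.3.3 bridge, or at a different host than the one the client asked for. The record layout, the sample records and the `.msi` extension are assumptions.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample HTTP transactions in the shape a gateway-side proxy log might
# expose: (client_ip, method, request_url, status, location_header). Assumed layout.
SAMPLE_TRANSACTIONS = [
    ("192.168.1.20", "GET", "http://downloads.example.com/setup.exe", 302,
     "http://10.3.3.3/update/setup.exe"),     # redirected to the bridge address
    ("192.168.1.21", "GET", "http://downloads.example.com/setup.exe", 200, None),
    ("192.168.1.22", "GET", "http://mirror.example.com/app.apk", 302,
     "http://cdn.example.com/app.apk"),      # cross-host redirect, worth a look
    ("192.168.1.23", "GET", "http://downloads.example.com/readme.txt", 302,
     "http://10.3.3.3/readme.txt"),          # not an installer, ignored here
]

# Extensions the article describes being swapped (.exe, .apk); .msi is an assumed extra.
PAYLOAD_EXTENSIONS = (".exe", ".apk", ".msi")

def points_inside_network(host):
    """True when the redirect target is a private or link-local IP literal."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False            # a hostname, not an IP literal
    return ip.is_private or ip.is_link_local

def classify_redirect(tx):
    """Return (severity, client, requested_url, location) or None."""
    client, method, url, status, location = tx
    if method != "GET" or status != 302 or not location:
        return None
    req, loc = urlparse(url), urlparse(location)
    if not req.path.lower().endswith(PAYLOAD_EXTENSIONS):
        return None
    dst_host = loc.hostname or ""
    if points_inside_network(dst_host):
        return ("high", client, url, location)      # payload served from inside the LAN
    if dst_host != (req.hostname or ""):
        return ("medium", client, url, location)    # origin handed off to another host
    return None

def find_hijacked_downloads(transactions):
    """Apply classify_redirect to every record and keep the findings."""
    return [f for f in map(classify_redirect, transactions) if f]

if __name__ == "__main__":
    for severity, client, url, location in find_hijacked_downloads(SAMPLE_TRANSACTIONS):
        print(f"[{severity}] {client} asked for {url}, got 302 -> {location}")
```

The "medium" tier catches ordinary CDN hand-offs too, so it is a review queue rather than an alert; the "high" tier (installer redirected to an internal address) is the DKnife-specific signal.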

DNS hijacking rounds out the attack surface. DKnife redirects configured domains to attacker-controlled IPs, including crafted IPv6 responses, to route victims to phishing pages or additional malware delivery infrastructure. The technique echoes what Ink Dragon used against European government networks with ShadowPad, though DKnife operates at the network layer rather than through spear-phishing.

Credential Harvesting and Anti-Analysis

The sslmm.bin component intercepts POP3 and IMAP connections, extracting plaintext credentials from email sessions—particularly targeting Chinese email services. Harvested data gets tagged with metadata and forwarded to remote C2 servers via the postapi.bin relay.

DKnife also actively sabotages security products. It detects and drops network traffic associated with 360 Total Security, Tencent PC Manager, and antivirus update channels. If your security tooling can't phone home for updates, it can't protect against new threats. It's an effective strategy for maintaining persistence on networks where the router itself is the adversary.

The framework's encrypted configuration uses QQ TEA encryption (key: "dianke0123456789") and includes 185 JSON files targeting specific Chinese applications—WeChat, Baidu, JD.com, and Chinese taxi services among them.

Connection to UAT-7290 and WizardNet

Talos identified infrastructure overlap linking DKnife to the WizardNet campaign, a modular backdoor distributed via Spellbinder (an IPv6 SLAAC spoofing framework). A shared server at 43.132.205[.]118 hosted both DKnife-consistent port configurations and WizardNet on port 8881, suggesting shared development or operational lineage.

We covered UAT-7290's espionage operations targeting South Asian telecoms in January, where Talos disclosed the threat actor's modular malware arsenal including RushDrop, DriveSwitch, and SilentRaid. DKnife represents a separate but related capability—gateway-level interception rather than endpoint compromise—and the infrastructure connections suggest these tools may serve the same broader operational mission.

The overlap with ShadowPad deployments also connects DKnife to a wider ecosystem of Chinese state-sponsored activity. ShadowPad has been linked to multiple Chinese APT groups including APT41, and its presence in DKnife-delivered payloads reinforces the assessment that this framework serves intelligence collection objectives.

Indicators of Compromise

C2 infrastructure:

  • 47.93.54[.]134 (ports 8003, 8005)
  • 117.175.185[.]81 (port 8003)
  • 43.132.205[.]118 (WizardNet overlap)

Detection signatures: Cisco released Snort Rule 65533 and ClamAV signatures Win.Trojan.DKnife-10059260-0 and Unix.Trojan.DKnife-10059259-0.

Why This Matters

Router and edge device compromises are among the hardest intrusions to detect. There's no endpoint agent running on most gateway hardware, traffic manipulation happens below the application layer, and the malicious activity blends with legitimate network functions. Organizations that focus exclusively on endpoint and cloud security—which is most of them—have a blind spot exactly where DKnife operates.

For security teams managing network infrastructure, the immediate action is to verify the integrity of edge device firmware and monitor for unexpected processes or network interfaces on gateway hardware. Any device running modified binaries or maintaining connections to the C2 IPs listed above warrants immediate investigation. For deeper background on the techniques nation-state actors use to compromise network infrastructure, our recommended cybersecurity reading covers several campaigns that followed similar patterns.
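As an added example (not part of the article or of the Talos research), a Python triage helper for the check recommended above on Linux-based gateways: it looks for the 10.3.3.3 TAP bridge address, for sockets whose remote side matches the listed C2 endpoints, and for process names matching the seven implant binaries. The command output formats are assumed and the sample output is constructed; on a real device the three inputs would come from the commands themselves.

```python
# IoCs as the Talos write-up lists them (defanged). None as the port set means
# any port: 43.132.205[.]118 is cited for the WizardNet overlap, not a DKnife port.
C2_ENDPOINTS = {"47.93.54[.]134": {8003, 8005}, "117.175.185[.]81": {8003},
                "43.132.205[.]118": None}
BRIDGE_ADDRESS = "10.3.3.3"        # TAP bridge address created by yitiji.bin
IMPLANT_NAMES = {"dknife.bin", "postapi.bin", "sslmm.bin", "mmdown.bin",
                 "yitiji.bin", "remote.bin", "dkupdate.bin"}

# Constructed sample output shaped like `ip -br addr`, `ss -Htn` and `ps -eo comm`
# on a Linux gateway; on a real device these would come from the commands themselves.
IP_BR_ADDR = "lo   UNKNOWN  127.0.0.1/8\neth0 UP  192.168.1.1/24\ntap0 UP  10.3.3.3/24\n"
SS_HTN = ("ESTAB 0 0 192.168.1.1:43122 47.93.54.134:8003\n"
          "ESTAB 0 0 192.168.1.1:43123 93.184.216.34:443\n")
PS_COMM = "init\nsshd\ndknife.bin\nhostapd\n"

def bridge_interfaces(ip_output):
    """Names of interfaces carrying the 10.3.3.3 bridge address."""
    hits = []
    for ln in ip_output.splitlines():
        f = ln.split()
        if len(f) >= 3 and any(a.split("/")[0] == BRIDGE_ADDRESS for a in f[2:]):
            hits.append(f[0])
    return hits

def c2_connections(ss_output):
    """Peer address:port of sockets whose remote side matches a listed C2 endpoint."""
    c2 = {ip.replace("[.]", "."): ports for ip, ports in C2_ENDPOINTS.items()}  # refang
    hits = []
    for ln in ss_output.splitlines():
        f = ln.split()
        if len(f) < 5:
            continue
        host, _, port = f[4].rpartition(":")   # IPv4 peer column; IPv6 would need bracket handling
        if host in c2 and (c2[host] is None or int(port) in c2[host]):
            hits.append(f[4])
    return hits

def implant_processes(ps_output):
    """Running process names that match the seven DKnife binaries."""
    return sorted(set(ps_output.split()) & IMPLANT_NAMES)

def triage(ip_output=IP_BR_ADDR, ss_output=SS_HTN, ps_output=PS_COMM):
    """Bundle the three checks; any non-empty list warrants a closer look."""
    return {"bridge_ifaces": bridge_interfaces(ip_output),
            "c2_connections": c2_connections(ss_output),
            "implant_processes": implant_processes(ps_output)}

if __name__ == "__main__":
    print(triage())
```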
