DKnife AitM Framework

Cybersecurity researchers have revealed a sophisticated gateway-monitoring and adversary-in-the-middle (AitM) framework known as DKnife, attributed to China-nexus threat actors and active since at least 2019. The framework is purpose-built to operate at the network edge, enabling covert traffic inspection, manipulation, and malware delivery through compromised routers and edge devices.

Strategic Targeting of Chinese-Speaking Users

DKnife appears to primarily target Chinese-speaking users. This assessment is supported by multiple indicators, including phishing pages tailored for Chinese email providers, data exfiltration modules focused on widely used Chinese mobile applications such as WeChat, and hard-coded references to Chinese media domains within the source code. Researchers caution, however, that this conclusion is based on configuration files retrieved from a single Command-and-Control (C2) server, leaving open the possibility of parallel infrastructures tailored to other regions.

Ties to Broader China-Aligned Threat Activity

The framework was uncovered during the investigation of a broader Chinese threat cluster tracked as Earth Minotaur, which has been associated with the MOONSHINE exploit kit and the DarkNimbus (also known as DarkNights) backdoor. Notably, DarkNimbus has also been deployed by another China-aligned advanced persistent threat group known as TheWizards.

Infrastructure analysis revealed overlaps between DKnife and WizardNet, a Windows implant used by TheWizards and delivered via an AitM framework called Spellbinder, documented publicly in April 2025. These connections are significant given TheWizards' known targeting of individuals and gambling-related entities across Cambodia, Hong Kong, Mainland China, the Philippines, and the United Arab Emirates.

A Linux-Focused, Modular Architecture

Unlike WizardNet, DKnife is engineered specifically for Linux-based environments, making it well suited for deployment on routers and edge devices. The framework is delivered via an ELF downloader and uses a modular design that allows operators to selectively enable capabilities ranging from packet forwarding to full traffic interception and manipulation.

DKnife Framework Components

  • dknife.bin – The core module responsible for deep packet inspection, user activity monitoring, DNS hijacking, and binary download hijacking
  • postapi.bin – A reporting relay that receives harvested data from DKnife and forwards it to remote C2 servers
  • sslmm.bin – A modified HAProxy reverse proxy used for TLS termination, email decryption, and URL redirection
  • mmdown.bin – An updater that connects to a hard-coded C2 server to retrieve malicious Android APKs
  • yitiji.bin – A packet forwarder that creates a bridged TAP interface on the router for attacker-injected LAN traffic
  • remote.bin – A peer-to-peer VPN client that establishes communication channels with remote C2 infrastructure
  • dkupdate.bin – An updater and watchdog module that ensures the persistence and availability of all components

Credential Harvesting Through Inline Decryption

DKnife includes dedicated functionality for credential theft, particularly targeting a major Chinese email provider. The sslmm.bin module presents attacker-controlled TLS certificates to clients, terminates and decrypts POP3 and IMAP connections, and inspects the resulting plaintext traffic to extract usernames and passwords. Harvested credentials are labeled accordingly, passed to postapi.bin, and relayed to remote C2 servers for collection and analysis.
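A defender-side check for the inline TLS termination described above, added here as an example and not code from the researchers or from the framework: it opens a TLS session to a mail server with full chain and hostname validation, then compares the leaf certificate's SHA-256 fingerprint against a pin obtained out of band (for instance from a network you trust), so a gateway that substitutes its own certificate is reported rather than silently accepted. The host name and pin value below are placeholders.

```python
import hashlib
import socket
import ssl
from typing import Optional, Set

# Placeholder pin set (assumption): the real value is the SHA-256 of the
# provider's DER-encoded leaf certificate, recorded out of band.
KNOWN_PINS = {
    "imap.example-mail.invalid": {"PLACEHOLDER_SHA256_HEX"},
}


def sha256_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 of a DER certificate, matching `openssl x509 -fingerprint -sha256`."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins: Set[str]) -> bool:
    """True when the presented leaf certificate is one of the expected pins."""
    return sha256_fingerprint(der_cert) in {p.lower() for p in pins}


def check_mail_tls(host: str, port: int = 993, pins: Optional[Set[str]] = None,
                   timeout: float = 5.0) -> dict:
    """Connect to a mail server and report chain validity and pin status.

    Verification failures are returned in the result, not raised, so the
    outcome can be logged by a monitoring job.
    """
    ctx = ssl.create_default_context()   # system trust store, hostname check on
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    result = {"host": host, "port": port, "chain_valid": False,
              "pin_ok": None, "fingerprint": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                result["chain_valid"] = True
                result["fingerprint"] = sha256_fingerprint(der)
                if pins is not None:
                    result["pin_ok"] = pin_matches(der, pins)
    except ssl.SSLCertVerificationError as exc:
        # An attacker-controlled certificate that the trust store rejects lands here.
        result["error"] = f"certificate rejected: {exc.verify_message}"
    except (OSError, ssl.SSLError) as exc:
        result["error"] = str(exc)
    return result
```

A result with `chain_valid` true but `pin_ok` false means a certificate the local trust store accepts but that is not the provider's own, which is the case to investigate on a network whose gateway may be compromised.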

Deep Packet Inspection as an Attack Enabler

At the heart of the framework lies dknife.bin, which enables extensive deep packet inspection and real-time traffic analysis. This capability allows operators to transition seamlessly between passive monitoring and active in-line attacks, including the replacement of legitimate software downloads with malicious payloads.

Key Operational Capabilities

  • Distribution of updated C2 configurations to Android and Windows variants of the DarkNimbus malware
  • DNS-based hijacking over both IPv4 and IPv6 to redirect traffic associated with JD.com-related domains
  • Interception and replacement of Android application updates for Chinese news, streaming media, image editing, e-commerce, ride-hailing, gaming, and adult video platforms
  • Hijacking of Windows and other binary downloads to deliver the ShadowPad backdoor via DLL side-loading, subsequently loading DarkNimbus
  • Disruption of communications from antivirus and system-management software, including products from 360 and Tencent
  • Real-time monitoring of user behavior, categorized across activities such as messaging, voice and video calls, shopping, news consumption, map searches, streaming, gaming, dating, ride-sharing, and email usage

Implications for Network Edge Security

Routers and edge devices continue to represent high-value targets in advanced, targeted intrusion campaigns. As threat actors increasingly focus on this layer of infrastructure, visibility into the tools and techniques they employ becomes essential. The exposure of the DKnife framework underscores the maturity of modern AitM threats, which combine deep packet inspection, traffic manipulation, and tailored malware delivery to compromise a wide array of device types at scale.
