A previously undocumented China-linked adversary-in-the-middle (AitM) framework known as “DKnife” has been identified operating at network gateways, where it intercepts and manipulates in-transit traffic.

According to Cisco Talos’ findings, the framework has been active since at least 2019 and remains operational as of early 2026. Rather than targeting endpoints directly, DKnife is deployed at the network edge, giving operators visibility into and control over the traffic passing through compromised devices.

Talos researchers described it as a modular Linux-based system capable of deep packet inspection, credential interception, and malicious content injection.

“DKnife’s attacks target a wide range of devices, including PCs, mobile devices, and Internet of Things devices,” they said in a blog post. “It delivers and interacts with ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android application updates.”

Traffic hijacking and malware delivery

The researchers found that DKnife consists of seven Linux ELF components that work together to monitor and manipulate network traffic in real time. Once deployed on a gateway or similar edge device, the framework can inspect unencrypted and decrypted traffic flows and selectively modify responses before they reach their intended destination.

“The seven implants in DKnife serve the purpose of DPI engine, data reporting, reverse proxy for AitM attack, malicious APK download, framework update, traffic forwarding, and building a P2P communication channel with the remote C2,” the researchers said.

The framework was observed being used to redirect legitimate software update requests to attacker-controlled servers, enabling the delivery of secondary payloads posing as trusted updates. This allowed attackers to compromise downstream systems without needing direct access to the endpoints themselves, the researchers noted.

Beyond update hijacking, the framework supports DNS manipulation, binary replacement, and selective traffic forwarding, giving attackers control over how specific requests are handled.

Indicators point to China-Nexus development and targeting

Several aspects of DKnife’s design and operation suggested ties to China-aligned threat actors. Talos identified configuration data and code comments written in Simplified Chinese, as well as handling logic tailored for Chinese-language email providers and mobile applications.

The framework was also found to enable credential collection from services used within China, indicating specific targeting. Talos also confirmed a link between DKnife’s operations and the delivery of malware families previously associated with China-nexus activity, further reinforcing the attribution.

“Based on the language used in the code, configuration files, and the ShadowPad malware delivered in the campaign, we assess with high confidence that China-nexus threat actors operate this tool,” the researchers said without naming any specific threat group.

Shared lineage and detection sabotage

Talos’ investigation also revealed technical overlaps between DKnife and earlier AitM frameworks used in past campaigns.

“We discovered a link between DKnife and a campaign delivering WizardNet, a modular backdoor known to be delivered by a different AiTM framework, Spellbinder, suggesting a shared development or operational lineage,” the researchers said.

Talos said DKnife includes a traffic inspection module that actively interferes with antivirus and PC-management communications. The module identifies 360 Total Security traffic by inspecting specific HTTP headers, such as DPUname and x-360-ver, and by matching known service domains. When a match is detected, the framework disrupts the connection using crafted TCP reset packets.

Similar behavior targeting Tencent services and other PC-management endpoints was also observed, indicating deliberate efforts to weaken security tooling. To strengthen detection, Talos shared a list of indicators of compromise (IoCs), including file hashes, network artifacts, and command-and-control (C2) infrastructure associated with DKnife. Additionally, the disclosure shared a set of ClamAV signatures for detecting and blocking the threat.
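The interference described in the two paragraphs above leaves an observable artifact on the victim side: connections to security-tooling services that die with a TCP reset almost immediately after the request goes out, instead of completing normally. The following detector, written for this article as an added example and not code from Cisco Talos or the DKnife report, runs that heuristic over constructed flow records. The header names DPUname and x-360-ver are the ones named in the report; the flow-record layout, field names, sample records and the watchlist domains are assumptions made for the example (placeholders, not the published IoCs). It also applies a second, optional signal: a reset forged by a device on the path typically arrives with an IP TTL that differs from packets the genuine server sends on the same flow.

```python
"""Flag security-tooling connections that are cut by suspicious TCP resets.

Added example for this article; not Cisco Talos code. Flow-record fields,
sample data and watchlist domains are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical watchlist of endpoint-security / PC-management services.
# Placeholder names, not indicators from the report.
WATCHED_DOMAINS = {"update.example-av.test", "mgmt.example-pcmgr.test"}
# Request header names the report says the DKnife module keys on.
WATCHED_HEADERS = {"dpuname", "x-360-ver"}
# A reset arriving this soon after the request is treated as suspicious.
MAX_RST_DELAY_S = 0.5


@dataclass
class Flow:
    """One summarised HTTP flow, as a sensor or proxy log might record it."""
    client: str
    host: str                       # HTTP Host header (or TLS SNI)
    headers: Dict[str, str]         # request headers as sent
    term: str                       # how the flow ended: "fin", "rst", "timeout"
    rst_delay_s: Optional[float] = None   # seconds from request to RST
    rst_ttl: Optional[int] = None         # IP TTL seen on the RST packet
    server_ttl: Optional[int] = None      # IP TTL seen on genuine server packets


def is_security_tooling(flow: Flow) -> bool:
    """Match the same observables the report says the module matches on."""
    host = flow.host.lower()
    if any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS):
        return True
    return any(name.lower() in WATCHED_HEADERS for name in flow.headers)


def reset_anomalies(flow: Flow) -> List[str]:
    """Return the reasons an RST on this flow looks injected by a middlebox."""
    reasons: List[str] = []
    if flow.term != "rst":
        return reasons
    if flow.rst_delay_s is not None and flow.rst_delay_s <= MAX_RST_DELAY_S:
        reasons.append(f"rst {flow.rst_delay_s:.2f}s after request")
    # Heuristic: an in-path device forging the RST sits at a different hop
    # distance than the real server, so its TTL usually does not match.
    if (flow.rst_ttl is not None and flow.server_ttl is not None
            and flow.rst_ttl != flow.server_ttl):
        reasons.append(f"rst ttl {flow.rst_ttl} != server ttl {flow.server_ttl}")
    return reasons


def detect(flows: List[Flow]) -> List[dict]:
    """Alert on security-tooling flows that ended with an anomalous reset."""
    alerts = []
    for flow in flows:
        if not is_security_tooling(flow):
            continue
        reasons = reset_anomalies(flow)
        if reasons:
            alerts.append({"client": flow.client, "host": flow.host, "reasons": reasons})
    return alerts


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    # AV update check, reset 80 ms after the request, TTL mismatch -> alert
    Flow("10.0.0.5", "update.example-av.test",
         {"Host": "update.example-av.test", "DPUname": "agent", "x-360-ver": "1"},
         "rst", 0.08, 64, 52),
    # Ordinary browsing, closed normally -> ignored
    Flow("10.0.0.5", "news.example.test", {"Host": "news.example.test"}, "fin"),
    # Idle management session reset after 12 s by the real server -> no alert
    Flow("10.0.0.7", "mgmt.example-pcmgr.test",
         {"Host": "mgmt.example-pcmgr.test"}, "rst", 12.0, 52, 52),
    # Unknown CDN host, but carries a watched header and an immediate reset -> alert
    Flow("10.0.0.9", "cdn.example.test",
         {"Host": "cdn.example.test", "x-360-ver": "2"}, "rst", 0.03, 61, 49),
]


def run_sample() -> List[dict]:
    return detect(SAMPLE_FLOWS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample data the detector raises two alerts (the first and last flows); the idle session that a server legitimately resets after 12 seconds with a consistent TTL is left alone. In practice the watchlist would be populated from the vendor domains actually used in the environment, and the per-flow TTL values would come from the packet sensor rather than a log summary.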
