China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery
DKnife is a sophisticated China-linked adversary-in-the-middle (AitM) malware framework targeting Linux-based routers and edge devices to perform deep packet inspection, traffic manipulation, and malware delivery. Operating since at least 2019, it comprises seven modular components enabling credential harvesting, DNS hijacking, binary download interception, and real-time user activity monitoring. The framework primarily targets Chinese-speaking users but has infrastructure links suggesting potential expansion to other regions. DKnife delivers and interacts with backdoors like ShadowPad and DarkNimbus, hijacks Android and Windows application updates, and interferes with antivirus communications. Its modular design allows persistent control and covert data exfiltration through compromised network devices. European organizations using vulnerable routers or edge devices, especially those with Chinese language or business ties, face risks of espionage, data theft, and supply chain compromise. Mitigation requires advanced network monitoring, device hardening, firmware integrity verification, and segmentation of critical infrastructure. Countries with significant Chinese business presence and advanced network infrastructure, such as Germany, France, the UK, and the Netherlands, are most likely affected. Given its deep packet inspection capabilities, broad attack surface, and stealthy operation without requiring user interaction, the threat severity is assessed as high.
AI Analysis
Technical Summary
DKnife is an advanced adversary-in-the-middle (AitM) framework operated by China-linked threat actors since at least 2019, targeting Linux-based routers and edge devices to facilitate traffic hijacking, malware delivery, and credential harvesting. The framework consists of seven modular Linux implants, each serving specialized functions: dknife.bin performs deep packet inspection, DNS hijacking, and binary download hijacking; postapi.bin relays harvested data; sslmm.bin acts as a TLS-terminating reverse proxy to decrypt email protocols and extract credentials; mmdown.bin updates malicious APKs; yitiji.bin forwards packets via a bridged TAP interface; remote.bin establishes a P2P VPN channel to C2 servers; and dkupdate.bin maintains component persistence. DKnife primarily targets Chinese-speaking users, evidenced by phishing pages for Chinese email providers, exfiltration modules for apps like WeChat, and references to Chinese media domains. It delivers and interacts with ShadowPad and DarkNimbus backdoors by hijacking legitimate binary and Android app updates, enabling stealthy malware deployment. The framework also interferes with antivirus and PC management software communications, complicating detection. DKnife was discovered during monitoring of the Earth Minotaur cluster and shows infrastructural links to the WizardNet implant used by another China-aligned APT group, TheWizards. The modular design allows covert monitoring of user activities across messaging, shopping, news, gaming, and more, with real-time reporting to C2 servers. The framework’s ability to hijack DNS requests and manipulate traffic at the router level enables attackers to redirect users to malicious sites and replace legitimate downloads with malware payloads. This combination of deep packet inspection, traffic manipulation, and modular malware delivery represents a significant evolution in AitM threats targeting network infrastructure devices.
Potential Impact
For European organizations, DKnife poses a substantial risk to network infrastructure security, particularly for enterprises relying on Linux-based routers and edge devices that may be vulnerable or insufficiently hardened. The framework’s capability to perform deep packet inspection and manipulate traffic enables attackers to conduct espionage by harvesting credentials, intercepting sensitive communications, and exfiltrating data stealthily. The hijacking of software updates and binary downloads threatens supply chain integrity, potentially leading to widespread malware deployment within corporate networks. Organizations with business ties to Chinese markets or Chinese-speaking users are at elevated risk due to the framework’s targeting profile. The interference with antivirus and endpoint management communications further complicates detection and response efforts, increasing dwell time and potential damage. Critical sectors such as telecommunications, finance, and government agencies could face data breaches, operational disruption, and reputational damage. Additionally, the framework’s modular and persistent design allows attackers to maintain long-term access, facilitating advanced persistent threat (APT) campaigns and enabling lateral movement within networks. The covert monitoring of user activities across multiple categories also raises privacy concerns and regulatory compliance risks under GDPR and other European data protection laws.
Mitigation Recommendations
European organizations should implement a multi-layered defense strategy tailored to mitigate DKnife’s sophisticated capabilities. First, conduct comprehensive audits of network infrastructure devices, focusing on Linux-based routers and edge devices, to identify and remediate unauthorized implants or suspicious modifications. Enforce strict firmware integrity verification and apply vendor-supplied security patches promptly. Deploy network segmentation to isolate critical systems and limit lateral movement opportunities. Utilize advanced network traffic analysis tools capable of detecting anomalies consistent with deep packet inspection and traffic manipulation, such as unexpected TLS termination or DNS hijacking behaviors. Implement strict controls on software update mechanisms, including cryptographic verification of binaries and APKs, to prevent hijacking. Monitor outbound connections for unusual peer-to-peer VPN traffic or communication with known or suspicious C2 servers. Enhance endpoint detection and response (EDR) capabilities to identify interference attempts with antivirus or management tools. Employ threat intelligence feeds to stay informed about emerging indicators of compromise related to DKnife and associated APT groups. Finally, conduct user awareness training emphasizing phishing risks, especially for users interacting with Chinese-language services, to reduce credential harvesting success.
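Two of the controls above, comparing the gateway resolver's DNS answers against an independent reference and verifying downloaded update binaries against a pinned digest, can be scripted. The following is an added illustration written for this page, not code from the original article or from the DKnife research; every domain, address, payload and manifest entry in it is a constructed sample, and the reference answers are assumed to have been obtained through a channel the router cannot tamper with (for example a DoH endpoint with a pinned certificate).

```python
"""
Defender-side checks against router-level AitM tampering (constructed example):
  1. DNS divergence: names resolved through the gateway's resolver are compared
     with answers from an independent reference resolver. A gateway answer the
     reference never returned is a lead; a public name answered with an RFC 1918
     address is the strongest signal of a local hijack.
  2. Download integrity: an update file is only accepted when its SHA-256
     matches a manifest obtained out of band (in practice the manifest itself
     must be signed by the vendor; that step is assumed here).
All inputs are constructed samples; nothing here touches the network.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class DnsObservation:
    """One name resolved twice: via the gateway and via the reference resolver."""
    qname: str
    gateway_answers: FrozenSet[str]
    reference_answers: FrozenSet[str]


def _is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def dns_divergence(observations) -> List[Tuple[str, List[str], bool]]:
    """Return (qname, unexpected_ips, answered_with_rfc1918) for every name where
    the gateway returned addresses the reference resolver did not return."""
    findings = []
    for obs in observations:
        unexpected = obs.gateway_answers - obs.reference_answers
        if unexpected:
            findings.append((obs.qname, sorted(unexpected),
                             any(_is_rfc1918(ip) for ip in unexpected)))
    return findings


def verify_download(name: str, blob: bytes, manifest: Dict[str, str]) -> Tuple[bool, str]:
    """Gate an update file on the SHA-256 pinned in the out-of-band manifest."""
    expected = manifest.get(name)
    if expected is None:
        return False, "not in manifest"
    actual = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "sha256 mismatch"
    return True, "ok"


# Constructed observations: documentation-range addresses stand in for real ones.
SAMPLE_OBSERVATIONS = [
    DnsObservation("mail.example.com", frozenset({"203.0.113.10"}), frozenset({"203.0.113.10"})),
    DnsObservation("update.example.net", frozenset({"192.0.2.55"}), frozenset({"198.51.100.7"})),
    DnsObservation("cdn.example.org", frozenset({"192.168.1.1"}), frozenset({"198.51.100.20"})),
]

# Constructed update payload and the manifest a vendor would publish for it.
GOOD_BLOB = b"constructed sample update payload v1.2.3\n"
MANIFEST = {"agent-update.bin": hashlib.sha256(GOOD_BLOB).hexdigest()}


if __name__ == "__main__":
    for qname, ips, lan in dns_divergence(SAMPLE_OBSERVATIONS):
        print(f"DNS divergence: {qname} -> {ips}{' (RFC 1918 answer)' if lan else ''}")
    print("good blob:", verify_download("agent-update.bin", GOOD_BLOB, MANIFEST))
    print("tampered :", verify_download("agent-update.bin", GOOD_BLOB + b"\x00", MANIFEST))
```

A divergence is a lead rather than proof: CDN-backed names legitimately return different addresses to different resolvers, so the private-address flag and repeated divergence on update and mail hosts are what should raise an alert. The digest check is only as good as the channel that delivered the manifest; fetching it through the same gateway defeats the purpose.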
Affected Countries
Germany, France, United Kingdom, Netherlands, Belgium, Italy, Spain, Sweden
Technical Details
- Article Source: https://thehackernews.com/2026/02/china-linked-dknife-aitm-framework.html (fetched 2026-02-07T08:40:03Z, 1394 words)
Threat ID: 6986fa66f9fa50a62f1ad180
Added to database: 2/7/2026, 8:40:06 AM
Last enriched: 2/7/2026, 8:40:20 AM
Last updated: 2/7/2026, 8:42:12 AM
Related Threats
- ThreatFox IOCs for 2026-02-06 (Medium)
- ThreatFox IOCs for 2026-02-05 (Medium)
- Technical Analysis of Marco Stealer (Medium)
- New Clickfix variant 'CrashFix' deploying Python Remote Access Trojan (Medium)
- Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework (Medium)