Full Report
A newly discovered toolkit called DKnife has been used since 2019 to hijack traffic at the edge-device level and deliver malware in espionage campaigns. [...]
Analysis Summary
# Tool/Technique: DKnife
## Overview
DKnife is a newly discovered toolkit used since 2019 in espionage campaigns. It functions as a post-compromise framework primarily designed to hijack network traffic at the edge-device level (routers/gateways) to perform Adversary-in-the-Middle (AitM) activities, deep packet inspection, traffic manipulation, credential harvesting, and malware delivery.
## Technical Details
- Type: Tool (Post-compromise Framework/Toolkit)
- Platform: Linux (ELF framework running on edge devices/routers)
- Capabilities: Deep Packet Inspection (DPI), traffic manipulation, DNS hijacking, malware delivery (ShadowPad, DarkNimbus), credential harvesting (POP3/IMAP decryption), and real-time user activity monitoring.
- First Seen: 2019
## MITRE ATT&CK Mapping
The described functionality maps primarily to control of the gateway/router layer and on-path manipulation of the traffic that crosses it. Tactic IDs below follow the current ATT&CK numbering (TA0011 is Command and Control, TA0010 is Exfiltration, TA0009 is Collection).
- **TA0011 - Command and Control**
- **T1071.001 - Application Layer Protocol: Web Protocols** (C2 and exfiltration traffic carried as HTTP POST requests to C2 API endpoints)
- **TA0010 - Exfiltration**
- **T1041 - Exfiltration Over C2 Channel** (harvested credentials and monitoring data leave over the same HTTP POST channel)
- **TA0009 - Collection / TA0006 - Credential Access**
- **T1557 - Adversary-in-the-Middle** (traffic interception, DPI and rewriting on the gateway via the bridged TAP interface)
- **T1040 - Network Sniffing** (credential harvesting from POP3/IMAP traffic)
- **TA0040 - Impact**
- **T1565.002 - Data Manipulation: Transmitted Data Manipulation** (rewriting packets in transit, hijacking DNS answers and application update downloads)
- **TA0005 - Defense Evasion**
- **T1027 - Obfuscated Files or Information** (implied by the custom components; the summary does not describe a specific packer or obfuscation scheme)
- **TA0008 - Lateral Movement** (implied: control over traffic destined for endpoints is what lets ShadowPad and DarkNimbus be delivered to LAN hosts)
- **TA0003 - Persistence** (delivered backdoors provide continued access to endpoints; `dkupdate.bin` maintains the toolkit on the gateway itself)
## Functionality
### Core Capabilities
DKnife is composed of seven Linux-based components that work together to control network traffic:
1. **Traffic Interception and Manipulation**: Establishing a virtual Ethernet interface (`yitiji.bin` creating a bridged TAP interface at 10.3.3.3) to intercept and rewrite packets passing through the router.
2. **Malware Delivery**: Delivering secondary backdoors like ShadowPad (for Windows, signed with a compromised certificate) and DarkNimbus to endpoints on the LAN.
3. **Command and Control (C2) Functionality**: Components manage communication, relaying information or alterations back to the C2 servers (`dknife.bin`, `postapi.bin`).
4. **DNS Hijacking**: Redirecting DNS requests for malicious purposes.
5. **Credential Harvesting**: Decrypting and gathering credentials from POP3/IMAP traffic.
### Advanced Features
- **Adversary-in-the-Middle (AitM) Operations**: Executing comprehensive traffic monitoring and modification at the network edge.
- **Targeted Monitoring**: Deep monitoring of specific applications, including WeChat (voice/video calls, text, images), Signal, maps, news consumption, ride-hailing, and shopping activities.
- **Exploitation of Update Channels**: Hijacking updates for Android applications (delivering malicious APKs) and Windows binaries.
- **Security Product Disruption**: Selectively disrupting traffic associated with security products.
- **Update Infrastructure**: Serving as the update C2 server for the delivered backdoors, with `dkupdate.bin` handling the toolkit's own self-management (download, deploy, update).
- **Encrypted Communication Relay**: Using a custom reverse proxy derived from HAProxy (`sslmm.bin`) and a P2P VPN client (`remote.bin` using n2n VPN software) for communication relay and anonymity.
## Indicators of Compromise
*Note: Specific IoCs (hashes, IPs, domains) were not provided explicitly in the summary text, only references to published IoCs.*
- File Hashes: [Refer to Cisco Talos published IoCs]
- File Names: `dknife.bin`, `postapi.bin`, `sslmm.bin`, `yitiji.bin`, `remote.bin`, `mmdown.bin`, `dkupdate.bin`
- Registry Keys: Not applicable to the Linux ELF components; no registry artefacts for the delivered Windows payloads are given in the summary.
- Network Indicators: C2 servers/APIs active as of January 2026. Exfiltration uses HTTP POST requests to specific C2 API endpoints.
- Behavioral Indicators: Creation of a TAP virtual Ethernet interface that is enslaved to the LAN bridge on the compromised router, typically carrying the private IP address **10.3.3.3**; a router added to a network does not normally grow a new bridge port after deployment.
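A host-side hunting script for the two indicators above that can be checked on the device itself (the bridged TAP carrying 10.3.3.3 and the seven component file names), added here as an example; it is not taken from the Talos report or from the toolkit. The interface names in the constructed sample (`br-lan`, `tap0`, `tun0`), the search directories and the `ip` output shape are assumptions about a typical Linux router; the checks encode only what the report states.

```shell
#!/bin/sh
# Added hunting helper (not from the Talos report). Encodes the two host-side
# behaviours the report names: a TAP interface enslaved to a bridge and holding
# 10.3.3.3, and the seven component file names. Interface names in the sample
# and the search paths in hunt_live are assumptions.

DKNIFE_NAMES="dknife.bin postapi.bin sslmm.bin yitiji.bin remote.bin mmdown.bin dkupdate.bin"
SUSPECT_IP="10.3.3.3"

# Reads `ip -d -o link` on stdin; prints each TAP interface that has a bridge
# master. -d is what exposes "tun type tap"; -o keeps one record per line.
find_bridged_tap() {
    awk '/ master / && / tun type tap / { sub(/:$/, "", $2); print $2 }'
}

# Same check via sysfs, for busybox routers whose `ip` has no -d. The tun
# driver exposes tun_flags (bit 0x2 = IFF_TAP) and bridge ports have a brport/
# directory. $1 is the net class directory, /sys/class/net on a live system.
find_bridged_tap_sysfs() {
    for d in "$1"/*; do
        [ -f "$d/tun_flags" ] && [ -d "$d/brport" ] || continue
        flags=$(cat "$d/tun_flags")
        [ $(( $flags & 2 )) -ne 0 ] && basename "$d"
    done
    return 0
}

# Reads `ip -o -4 addr` on stdin; prints the interface holding SUSPECT_IP.
find_suspect_ip() {
    awk -v ip="$SUSPECT_IP" '$3 == "inet" { split($4, a, "/"); if (a[1] == ip) print $2 }'
}

# Prints any of the component file names found in the directories given.
find_components() {
    for dir in "$@"; do
        for name in $DKNIFE_NAMES; do
            [ -f "$dir/$name" ] && printf '%s\n' "$dir/$name"
        done
    done
    return 0
}

# Constructed sample (not captured from a real device): a legitimate tun0 VPN
# and a tap0 enslaved to br-lan, the shape the report attributes to yitiji.bin.
SAMPLE_LINK='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 1500 \    bridge_slave state forwarding
3: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff promiscuity 0 minmtu 68 maxmtu 65535 \    bridge forward_delay 1500
4: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 500\    link/none  promiscuity 0 minmtu 68 maxmtu 65535 \    tun type tun pi off vnet_hdr off persist off
5: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UNKNOWN mode DEFAULT group default qlen 1000\    link/ether 02:aa:bb:cc:dd:ee brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68 maxmtu 65521 \    tun type tap pi off vnet_hdr on persist on \    bridge_slave state forwarding'
SAMPLE_ADDR='3: br-lan    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan\       valid_lft forever preferred_lft forever
4: tun0    inet 10.8.0.2/24 scope global tun0\       valid_lft forever preferred_lft forever
5: tap0    inet 10.3.3.3/24 brd 10.3.3.255 scope global tap0\       valid_lft forever preferred_lft forever'

# Runs the same checks against the live system (directories are assumptions).
hunt_live() {
    ip -d -o link | find_bridged_tap
    find_bridged_tap_sysfs /sys/class/net
    ip -o -4 addr | find_suspect_ip
    find_components /tmp /var/tmp /usr/bin /usr/sbin /opt /root
}

echo "bridged TAP interfaces (constructed sample):"
printf '%s\n' "$SAMPLE_LINK" | find_bridged_tap
echo "interface holding $SUSPECT_IP (constructed sample):"
printf '%s\n' "$SAMPLE_ADDR" | find_suspect_ip
case "${1:-}" in --live) hunt_live ;; esac
```

Run with `--live` on the router (or feed it saved `ip` output from a device you cannot execute on). A hit on the TAP check alone is worth pulling the device's file system: the interface is the mechanism, the named binaries are the confirmation.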
## Associated Threat Actors
- High confidence assessment points to a **China-nexus threat actor**.
- The toolkit interacts with backdoors associated with Chinese threat actors, specifically **ShadowPad** and **DarkNimbus**.
- The presence of Simplified Chinese language artifacts in component names and code suggests the operator's origin.
## Detection Methods
*Note: Specific signatures or YARA rules are not detailed, but detection should focus on the tool's unique behaviors.*
- Signature-based detection: Inspect the file systems of edge devices for the seven ELF components by name and, once the Talos hashes are pulled in, by hash. On routers that cannot run an agent this means pulling a file listing or a firmware/flash image off the device for offline review.
- Behavioral detection: Monitor routers/gateways for creation of TAP interfaces and their enslavement to the LAN bridge. TLS interception of POP3S/IMAPS at the gateway surfaces on the client side as server certificates that do not match the expected issuer; cleartext POP3/IMAP needs no interception at all and should be retired. Compare DNS answers for app-store and update domains seen on the LAN against what an independent resolver returns, since hijacked update channels are how the malicious APKs and Windows binaries reach endpoints.
- YARA rules: Could be developed from unique strings and code artifacts in the seven binaries, including the Simplified Chinese language elements and the 10.3.3.3 TAP address. Strings inherited from HAProxy (`sslmm.bin`) and n2n (`remote.bin`) will also match legitimate builds of those projects, so they should anchor a rule only in combination with DKnife-specific artifacts.
## Mitigation Strategies
- Prevention measures: Securing network edge devices (routers/gateways) against initial compromise, as the entry vector was not determined; at minimum current firmware, management interfaces not reachable from the WAN, and vendor-default credentials replaced.
- Hardening recommendations: Strict access control and integrity checking for firmware and operating systems on network infrastructure devices.
- Network segmentation to limit the blast radius if a gateway is compromised.
- Monitoring outbound traffic for HTTP POST requests originated by the gateway itself towards command-and-control API endpoints; an edge device has little reason to POST to Internet APIs on its own behalf.
- Because DKnife works by sitting on path, end-to-end controls on the endpoints (signed updates verified before installation, certificate pinning in update clients, strict certificate validation for mail over TLS) limit what a compromised gateway can rewrite even when it is not detected.
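One way to implement the outbound-POST check from the monitoring recommendation above and the update-domain DNS comparison from the Detection Methods section, added here as an example (not the report's own tooling). It runs over constructed Zeek-style log lines; the gateway address 192.168.1.1, the watched domains and their known-good answers are assumptions for illustration, and any real C2 endpoints would come from the published Talos IoCs rather than from this script.

```shell
#!/bin/sh
# Added network-side checks (not from the Talos report) for two behaviours it
# describes: HTTP POST traffic from the gateway to C2 API endpoints, and DNS
# hijacking of application update domains. Gateway address, domain names and
# the known-good answers are assumptions; log lines are constructed, following
# the leading columns of Zeek's http.log and a five-column extract of dns.log.

GATEWAY_IP="192.168.1.1"      # assumed LAN address of the edge device
# assumed known-good A records for the update domains being watched
EXPECTED_ANSWERS="update.example.com=203.0.113.10,203.0.113.11 apps.example.net=198.51.100.7"

# http.log columns: ts uid id.orig_h id.orig_p id.resp_h id.resp_p trans_depth method host uri
# The gateway itself should not be POSTing to Internet APIs; flag every POST it originates.
# Header lines beginning with '#' never match because their third column is not an address.
gateway_posts() {
    awk -F'\t' -v gw="$GATEWAY_IP" '$3 == gw && $8 == "POST" { print $5 ":" $6 " " $9 $10 }'
}

# dns extract columns: ts uid id.orig_h query answers (comma-separated); on a live
# sensor produce it with: zeek-cut ts uid id.orig_h query answers < dns.log
# Flags any answer for a watched update domain that is outside the known-good set.
hijacked_update_answers() {
    awk -F'\t' -v expected="$EXPECTED_ANSWERS" '
      BEGIN {
        n = split(expected, pairs, " ")
        for (i = 1; i <= n; i++) {
          split(pairs[i], kv, "=")
          watched[kv[1]] = 1
          m = split(kv[2], ips, ",")
          for (j = 1; j <= m; j++) good[kv[1], ips[j]] = 1
        }
      }
      ($4 in watched) {
        m = split($5, answers, ",")
        for (i = 1; i <= m; i++)
          if (!(($4, answers[i]) in good)) print $4 " -> " answers[i]
      }'
}

# Joins its arguments with tabs; used only to build the constructed sample.
tsv() ( IFS=$(printf '\t'); printf '%s\n' "$*" )

# Constructed sample: one POST from a LAN client, one from the gateway itself.
SAMPLE_HTTP="$(tsv 1700000000.1 Cabc1 192.168.1.20 52000 203.0.113.60 443 1 POST www.example.org /login)
$(tsv 1700000001.2 Cabc2 192.168.1.1 51000 203.0.113.50 80 1 POST api.example.org /upload)"

# Constructed sample: the update domain answered with the gateway's own address
# (assumed hijack shape), a correct answer, and an unwatched domain.
SAMPLE_DNS="$(tsv 1700000002.0 Cdef1 192.168.1.20 update.example.com 192.168.1.1)
$(tsv 1700000003.0 Cdef2 192.168.1.21 apps.example.net 198.51.100.7)
$(tsv 1700000004.0 Cdef3 192.168.1.22 www.example.org 203.0.113.99)"

echo "POST requests originated by the gateway:"
printf '%s\n' "$SAMPLE_HTTP" | gateway_posts
echo "update-domain answers outside the known-good set:"
printf '%s\n' "$SAMPLE_DNS" | hijacked_update_answers
```

On a live sensor the HTTP check reads the real `http.log` unchanged, since the columns it uses are the first ten. The known-good answer set is the weak point of the DNS check: populate it from an independent resolver (DoH or a resolver outside the suspect gateway's path), not from the same DNS the LAN clients use, or a hijacked answer simply becomes the baseline.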
## Related Tools/Techniques
- **ShadowPad** (Malware delivered by DKnife)
- **DarkNimbus** (Malware delivered by DKnife)
- **WizardNet backdoor** (Found on the same infrastructure, linked to Spellbinder AitM framework)
- **Spellbinder AitM framework** (Similar AitM focus)
- **n2n VPN software** (Used for P2P connectivity component `remote.bin`)
- **HAProxy** (Base for custom component `sslmm.bin`)