Full Report
Cisco Talos uncovered “DKnife,” a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants.
Analysis Summary
# Tool/Technique: DKnife
## Overview
DKnife is a fully featured gateway-monitoring and Adversary-in-the-Middle (AitM) framework consisting of seven Linux-based implants. Its primary purpose is to perform deep-packet inspection, manipulate network traffic, and deliver malware by compromising routers and edge devices.
## Technical Details
- Type: Attack Tool/Framework (Comprising multiple implants)
- Platform: Linux (Implants are Linux-based)
- Capabilities: Gateway monitoring, Adversary-in-the-Middle (AitM) operations, deep-packet inspection, traffic manipulation, delivery of secondary malware (e.g., ShadowPad, DarkNimbus).
- First Seen: At least since 2019 (as per artifact metadata).
## MITRE ATT&CK Mapping
DKnife operates from a compromised gateway, so most of its behaviour maps to network-level interception and injection rather than to host techniques. Mappings marked "implied" are inferred from the described capabilities rather than stated in the source; the AitM techniques span Initial Access, Credential Access, Collection and Command and Control depending on what the intercepted traffic is used for (for example, hijacking an official update channel).
- **TA0001 - Initial Access**
- T1659 - Content Injection (malicious payloads injected into hijacked binary downloads and Android application updates)
- **TA0006 - Credential Access** / **TA0009 - Collection**
- T1557 - Adversary-in-the-Middle (credential harvesting against Chinese-language services; the IPv6 SLAAC spoofing of the related Spellbinder framework has no dedicated sub-technique)
- T1040 - Network Sniffing (deep-packet inspection at the gateway)
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols (implied by the JSON tasking responses)
- **TA0010 - Exfiltration**
- T1048 - Exfiltration Over Alternative Protocol (implied by the mobile-application exfiltration modules)
- **TA0040 - Impact**
- T1565.002 - Data Manipulation: Transmitted Data Manipulation (traffic manipulation at the network edge)
- **TA0005 - Defense Evasion**
- T1562 - Impair Defenses (potential only, if security controls on the gateway are subverted; not described in the source)
## Functionality
### Core Capabilities
* Deployment of seven distinct Linux-based implants.
* Gateway monitoring and persistent network presence.
* Adversary-in-the-Middle (AitM) operations at the network edge.
* Traffic manipulation to affect communications.
### Advanced Features
* Hijacking binary downloads destined for various devices (PCs, mobile, IoT) to inject malicious payloads.
* Manipulating Android application updates to deliver secondary malware like DarkNimbus.
* Credential harvesting specifically targeting Chinese-language services.
* Exfiltration modules customized for popular Chinese mobile applications.
* Operational linkage or shared lineage with the Spellbinder AitM framework, which uses IPv6 SLAAC spoofing.
## Indicators of Compromise
*Note: File hashes, executable names, and specific network indicators were not fully enumerated in the provided context, but general IoC categories and one C2 example are present.*
- File Hashes: [Not explicitly listed in full]
- File Names: ELF binaries (Linux implants), Archives containing payloads (e.g., `_minibrowser11_rpl.zip` mentioned in relation to WizardNet interactions).
- Registry Keys: [Not applicable, primarily Linux-based]
- Network Indicators: C2 infrastructure active as of January 2026. One example host found linking DKnife to WizardNet operations: `43.132.205[.]118` (Used for delivering WizardNet via port 8881).
- Behavioral Indicators: Hijacking legitimate download/update requests (binary downloads, Android app updates); Serving manipulated network responses (JSON tasking instructions).
## Associated Threat Actors
* China-nexus threat actors (Assessed with high confidence based on code language, configuration files, and delivered ShadowPad malware).
* The framework is operationally/developmentally linked to actors utilizing the **Spellbinder** AitM framework.
## Detection Methods
* **Signature-based Detection (ClamAV):**
* `Win.Trojan.Shadowpad-10010830-1`
* `Win.Loader.WizardNet-10044819-0`
* `Win.Trojan.DarkNimbus-10059255-0`
* `Win.Trojan.DKnife-10059260-0`
* `Unix.Trojan.DKnife-10059259-0`
* **Network Intrusion Detection (Snort):**
* Snort 2 rule: 65533
* Snort 3 rule: 65533
* **Behavioral Detection:** Monitor DNS and web traffic for hijacked software-update and download flows (redirects to unexpected hosts, downloaded content whose hash does not match the vendor's published value) and for credential-harvesting pages impersonating Chinese-language services.
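As an added example that is not part of the Talos report or this summary, the following Python runs two of the behavioural checks above over constructed proxy-log lines: a download request answered with a redirect to a bare IP:port/app/ URL (the redirect shape noted under Mitigation Strategies), and a fetched update whose SHA-256 does not match a value pinned out of band. The log format, hostnames, payload bytes and RFC 5737 test addresses are all constructed for the example.

```python
"""Added example: spot update/download hijacking in HTTP proxy logs.

Two checks from the detection and mitigation notes above:
  1. a 3xx response that sends a client to a bare IP:port/app/ URL, the
     redirect shape the report associates with DKnife/Spellbinder operations;
  2. a fetched update whose SHA-256 differs from a hash pinned out of band.
The log format, hostnames and RFC 5737 test addresses are constructed."""
import hashlib
import ipaddress
from urllib.parse import urlparse

# Constructed records: <ts> <client> <method> <requested_url> <status> <location_or_->
SAMPLE_LOG = """\
1706000000.1 10.0.0.12 GET http://update.example-vendor.com/client/setup.exe 302 http://198.51.100.7:8881/app/setup.exe
1706000001.4 10.0.0.12 GET http://update.example-vendor.com/client/setup.exe 200 -
1706000002.9 10.0.0.33 GET http://cdn.example.com/img/logo.png 301 https://static.example.com/img/logo.png
1706000003.2 10.0.0.40 GET http://mirror.example.org/pkg.apk 302 http://203.0.113.9:8080/app/pkg.apk
1706000004.0 10.0.0.41 GET http://mirror.example.org/pkg.apk 302 http://mirror2.example.org/pkg.apk
"""

# Extensions the report's "binary downloads" (PC, mobile, IoT) plausibly cover.
BINARY_EXTS = (".exe", ".msi", ".apk", ".dmg", ".zip", ".bin", ".sh", ".elf")


def is_bare_ip(host):
    """True if the URL host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def looks_like_binary(url):
    return urlparse(url).path.lower().endswith(BINARY_EXTS)


def classify_redirect(requested, location):
    """Return the reasons a redirect is suspicious; an empty list means benign."""
    reasons = []
    loc = urlparse(location)
    if not loc.hostname:
        return reasons
    if is_bare_ip(loc.hostname) and loc.port is not None \
            and loc.path.lower().startswith("/app/"):
        reasons.append("redirect to bare IP:port/app/ (pattern noted for DKnife/Spellbinder)")
    if looks_like_binary(requested) and is_bare_ip(loc.hostname):
        reasons.append("binary download redirected to a bare IP")
    return reasons


def flag_suspicious_redirects(lines):
    """Parse constructed log lines and return one finding per suspicious redirect."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue  # malformed record: skip rather than crash the sensor
        ts, client, _method, requested, status, location = parts
        if not status.startswith("3") or location == "-":
            continue
        reasons = classify_redirect(requested, location)
        if reasons:
            findings.append({"ts": ts, "client": client, "requested": requested,
                             "redirect_to": location, "reasons": reasons})
    return findings


def verify_download(data, expected_sha256):
    """Check fetched bytes against a hash obtained out of band (vendor manifest
    over TLS, signed metadata).  An AitM gateway can replace the payload but
    cannot make it match a digest it does not control."""
    return hashlib.sha256(data).hexdigest() == expected_sha256.lower()


# Constructed stand-ins for a genuine update and an injected one.
GOOD_UPDATE = b"constructed stand-in for a legitimate update payload"
PINNED_SHA256 = hashlib.sha256(GOOD_UPDATE).hexdigest()
TAMPERED_UPDATE = GOOD_UPDATE + b"\x00injected loader"

if __name__ == "__main__":
    for finding in flag_suspicious_redirects(SAMPLE_LOG.splitlines()):
        print(finding["client"], "->", finding["redirect_to"], finding["reasons"])
    print("genuine verifies:", verify_download(GOOD_UPDATE, PINNED_SHA256))
    print("tampered verifies:", verify_download(TAMPERED_UPDATE, PINNED_SHA256))
```

Only the two records that redirect an installer or APK request to a literal IP with an `/app/` path are flagged; the CDN redirect to a named host and the mirror-to-mirror redirect pass, which keeps the rule usable on real proxy logs where hostname redirects are routine. The hash check is the complementary host-side control: a gateway AitM can swap the bytes in transit, but not make them match a digest the client obtained through a channel the gateway does not control.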
## Mitigation Strategies
* Harden the edge devices DKnife implants on: keep router and gateway firmware current, disable WAN-facing management, replace default credentials, and audit devices for unexpected ELF binaries or processes.
* Run network intrusion prevention with current rule sets (for example the Snort rule listed above) so hijacked download and update traffic is blocked rather than only logged.
* Monitor outbound web traffic for redirects to bare IP:Port/app/ URLs, the pattern observed in DKnife and Spellbinder operations, especially when the original request was for an installer or app update.
* Deploy IPv6 RA Guard (RFC 6105) on access switches, or disable IPv6 on segments that do not use it, so that rogue Router Advertisements cannot push an attacker prefix or resolver; this blocks the SLAAC spoofing vector used by the related Spellbinder framework.
* Enforce multi-factor authentication on the Chinese-language services DKnife harvests credentials from, so a captured password is not sufficient on its own. A gateway-level AitM can still relay a live session, so pair MFA with short session lifetimes and alerts on logins from unexpected networks.
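The rogue Router Advertisement check below is an added example, not code from the report or from any of the frameworks it names. SLAAC spoofing works by sending Router Advertisements that a host accepts as if they came from its real router, so a sensor (or the host itself) can parse incoming RAs and compare the advertising router, prefixes and RDNSS servers against what the segment is known to use. Packets, addresses and allowlists are constructed; the DNS-only rogue RA is a hypothetical variant included to show that a spoofed RA need not carry a prefix to be harmful, not a claim about how Spellbinder's packets look.

```python
"""Added example: detect rogue IPv6 Router Advertisements (SLAAC spoofing).

SLAAC spoofing works by sending Router Advertisements (RAs) that hosts accept
as if they came from the real router, so they adopt an attacker-controlled
prefix, default route, or DNS server.  This parses the ICMPv6 RA payload and
compares the advertising router, prefixes and RDNSS servers against what the
network is known to use.  Packets, addresses and allowlists are constructed."""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3   # RFC 4861 section 4.6.2, 32 bytes
OPT_RDNSS = 25               # RFC 8106 section 5.1, 8 + 16*n bytes

# What this (constructed) segment legitimately uses.
KNOWN_ROUTERS = {"fe80::1"}              # link-local source of the real router
KNOWN_PREFIXES = {"2001:db8:1::/64"}
KNOWN_DNS = {"2001:db8:1::53"}


def build_ra(prefix, prefix_len, dns_servers, router_lifetime=1800):
    """Construct an ICMPv6 RA payload.  The checksum is left 0: it is computed
    over the IPv6 pseudo-header by the sender and is irrelevant to parsing."""
    # type, code, checksum, cur hop limit, M/O flags, router lifetime, reachable, retrans
    payload = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0,
                          router_lifetime, 0, 0)
    if prefix is not None:
        # type, len (8-octet units), prefix len, L|A flags, valid, preferred, reserved, prefix
        payload += struct.pack("!BBBBIII16s", OPT_PREFIX_INFORMATION, 4, prefix_len, 0xC0,
                               2592000, 604800, 0, ipaddress.IPv6Address(prefix).packed)
    if dns_servers:
        payload += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns_servers), 0, 1800)
        payload += b"".join(ipaddress.IPv6Address(d).packed for d in dns_servers)
    return payload


def parse_ra(payload):
    """Return the router lifetime, advertised prefixes and RDNSS servers."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not an ICMPv6 Router Advertisement")
    lifetime = struct.unpack("!H", payload[6:8])[0]
    ra = {"router_lifetime": lifetime, "prefixes": [], "dns": []}
    off = 16
    while off + 2 <= len(payload):
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")  # RFC 4861 section 4.6: discard packet
        opt = payload[off:off + olen * 8]
        if len(opt) < olen * 8:
            raise ValueError("truncated option")
        if otype == OPT_PREFIX_INFORMATION and olen == 4:
            net = ipaddress.IPv6Network(
                f"{ipaddress.IPv6Address(opt[16:32])}/{opt[2]}", strict=False)
            ra["prefixes"].append(str(net))
        elif otype == OPT_RDNSS and olen >= 3:
            for i in range(8, olen * 8, 16):
                ra["dns"].append(str(ipaddress.IPv6Address(opt[i:i + 16])))
        off += olen * 8
    return ra


def check_ra(src_link_local, payload):
    """Alerts for an RA that does not match the segment's known configuration."""
    ra = parse_ra(payload)
    alerts = []
    if src_link_local not in KNOWN_ROUTERS:
        alerts.append(f"RA from unknown router {src_link_local}")
    for p in ra["prefixes"]:
        if p not in KNOWN_PREFIXES:
            alerts.append(f"unexpected prefix {p}")
    for d in ra["dns"]:
        if d not in KNOWN_DNS:
            alerts.append(f"unexpected RDNSS server {d}")
    return alerts


# Constructed traffic: the real router, a rogue RA pushing an attacker prefix and
# resolver, and a hypothetical DNS-only rogue RA that leaves the prefix alone.
LEGIT_RA = build_ra("2001:db8:1::", 64, ["2001:db8:1::53"])
ROGUE_RA = build_ra("2001:db8:bad::", 64, ["2001:db8:bad::53"])
DNS_ONLY_ROGUE_RA = build_ra(None, 0, ["2001:db8:bad::53"])

if __name__ == "__main__":
    print("legit   :", check_ra("fe80::1", LEGIT_RA))
    print("rogue   :", check_ra("fe80::dead:beef", ROGUE_RA))
    print("dns-only:", check_ra("fe80::dead:beef", DNS_ONLY_ROGUE_RA))
```

The source check alone is weak, since an attacker on the segment can forge the real router's link-local address; the prefix and RDNSS comparisons are what catch an RA that merely substitutes a resolver. In production the payload would come from a raw ICMPv6 socket or a capture, and the allowlists from the network's configuration management; RA Guard on the switch remains the preventive control, with this check serving as detection where RA Guard is unavailable.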
## Related Tools/Techniques
* **ShadowPad:** Backdoor delivered by DKnife.
* **DarkNimbus:** Backdoor distributed alongside DKnife implants and linked via shared C2 infrastructure.
* **MOONSHINE:** Exploit kit historically used for delivering DarkNimbus.
* **Spellbinder:** An AitM framework known to use IPv6 SLAAC spoofing, sharing TTPs and infrastructure links with DKnife.
* **WizardNet:** Modular backdoor observed hosted on C2 infrastructure also serving DKnife components.