Knife Cutting Targets Routers Disclosing China-nexus


Security researchers have uncovered a sophisticated cyber espionage framework known as DKnife, designed to infiltrate routers and edge devices with surgical precision. Active since 2019, DKnife comprises seven distinct Linux-based implants that enable adversaries to monitor gateway traffic and execute adversary-in-the-middle (AitM) attacks across a wide range of environments.

What sets DKnife apart is its ability to perform deep-packet inspection and network traffic manipulation, allowing attackers to intercept communications and deliver malware with minimal detection. Once embedded in a network, DKnife can target PCs, mobile devices, and IoT endpoints, making it a versatile tool for widespread

DKnife Framework – Key Findings

Overview

  • Name: DKnife
  • Type: Gateway-monitoring & Adversary-in-the-Middle (AitM) framework
  • Active Since: 2019
  • Components: Seven Linux-based implants
  • Delivery Vector: Routers and edge devices

 

Capabilities

  • Deep-packet inspection – monitors and manipulates traffic at the packet level.
  • Traffic manipulation – alters communications between endpoints.
  • Malware delivery – deploys backdoors like ShadowPad and DarkNimbus.
  • DNS hijacking – redirects traffic to malicious infrastructure.
  • Android app update hijacking – injects malicious payloads during updates.
  • Windows binary hijacking – compromises executables to gain persistence.
  • Anti-virus traffic disruption – interferes with security tools.
  • User activity monitoring – tracks victim behavior across devices.

 

Target Profile

  • Devices: PCs, mobile devices, IoT endpoints.
  • Victim Base: Primarily Chinese-speaking users.
  • Attribution: Evidence points to China-nexus threat actors.

 

Campaign Linkage

  • Researchers found ties between DKnife and the WizardNet campaign, suggesting shared development or operational lineage.

 

Implications

  • Enterprise Risk: Compromise of routers/edge devices means attackers can control traffic flows across entire networks.
  • Stealth: AitM techniques make detection difficult, as malicious activity blends with legitimate traffic.
  • Supply Chain Threat: Hijacking updates (Android apps, Windows binaries) highlights risks in software distribution channels.

 

Defensive Measures

  • Firmware & OS patching on routers and edge devices.
  • Network segmentation to limit lateral movement.
  • DNS monitoring for hijack attempts.
  • Update validation (cryptographic signatures, integrity checks).
  • Threat intelligence feeds to track ShadowPad/DarkNimbus infrastructure.
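Added example, not code from the researchers or the original report: a Python check of the kind the "DNS monitoring" item above calls for, comparing answers observed through the gateway resolver against answers from an out-of-band reference resolver. All hostnames, addresses and the gateway/reference records are constructed.

```python
"""Added example: flag DNS answers seen via the gateway resolver that diverge from
an out-of-band reference resolver. All names and addresses are constructed."""
import ipaddress
from collections import defaultdict
# Constructed sample: (name, rtype, rdata) as returned by the LAN gateway resolver ...
GATEWAY = [
    ("update.example", "A", "203.0.113.10"),  # rewritten to a different host
    ("cdn.example", "A", "198.51.100.20"),    # CDN rotation, still overlaps
    ("cdn.example", "A", "198.51.100.21"),
    ("login.example", "A", "192.168.1.1"),    # pointed back at the router itself
    ("api.example", "A", "198.51.100.40"),    # reference resolver never queried
]
# ... and by a reference resolver reached over a path the gateway cannot rewrite.
REFERENCE = [
    ("update.example", "A", "198.51.100.7"),
    ("update.example", "A", "198.51.100.8"),
    ("cdn.example", "A", "198.51.100.21"),
    ("login.example", "A", "198.51.100.30"),
]
# RFC 1918 and loopback: a public name resolving here from the gateway is a red flag.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def _index(records):
    """Group rdata by (normalised name, type) so answer sets can be compared."""
    idx = defaultdict(set)
    for name, rtype, rdata in records:
        idx[(name.lower().rstrip("."), rtype)].add(rdata)
    return idx

def _any_local(addrs):
    return any(ipaddress.ip_address(a) in net for a in addrs for net in LOCAL_NETS)

def detect_divergence(gateway, reference):
    """Return [(name, rtype, reason)] for gateway answers that look tampered with.
    Partial overlap is tolerated because CDNs rotate addresses."""
    g_idx, r_idx = _index(gateway), _index(reference)
    findings = []
    for (name, rtype), g_set in sorted(g_idx.items()):
        r_set = r_idx.get((name, rtype), set())
        if not r_set:
            findings.append((name, rtype, "no reference answer to compare against"))
        elif _any_local(g_set) and not _any_local(r_set):
            findings.append((name, rtype, "redirected into local address space"))
        elif g_set.isdisjoint(r_set):
            findings.append((name, rtype, "answers share nothing with reference"))
    return findings
if __name__ == "__main__":
    for name, rtype, reason in detect_divergence(GATEWAY, REFERENCE):
        print(f"{name} {rtype}: {reason}")
```

In practice the reference answers would come from a resolver reached over a path the gateway cannot rewrite, and persistent divergence for the same name across repeated checks is the signal worth alerting on.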

 

This case underscores how edge devices are becoming prime targets for advanced frameworks like DKnife, which blend surveillance, manipulation, and malware delivery into one toolkit.

Attack Chain

  1. Router Compromise → Initial foothold on edge devices.
  2. Traffic Manipulation → Deep-packet inspection & adversary-in-the-middle control.
  3. Malware Delivery → Deployment of ShadowPad & DarkNimbus backdoors.
  4. Data Exfiltration → DNS hijacking, update hijacking, user activity monitoring.

 

Indicators of Compromise
