New DKnife toolkit helps hackers hijack internet traffic and deliver malware 

Threat actors have been using a cyber-espionage toolkit dubbed ‘DKnife’ since at least 2019 to hijack internet traffic at the edge-device level and deliver malware, according to new research from Cisco Talos.

DKnife is a post-compromise framework designed for traffic monitoring and adversary-in-the-middle (AitM) attacks. Installed on compromised network equipment, it intercepts and manipulates traffic destined for endpoint devices such as computers, mobile phones, and IoT systems. Talos researchers describe DKnife as an ELF-based framework composed of seven Linux modules capable of deep packet inspection, traffic manipulation, credential harvesting, and malware delivery.

The malware contains Simplified Chinese language artifacts in component names and code comments and specifically targets Chinese services, including email providers, mobile applications, media platforms, and WeChat users. Talos assesses with high confidence that DKnife is operated by a China-nexus threat actor. While researchers could not determine how the network devices were initially compromised, they observed DKnife delivering and interacting with the ShadowPad and DarkNimbus backdoors, both previously linked to Chinese threat groups.

Once deployed, DKnife creates a bridged TAP interface on infected routers, allowing attackers to intercept and rewrite network packets in transit. This lets its operators deliver malicious Android APKs and Windows binaries, disrupt security-product traffic, conduct DNS hijacking, and exfiltrate data to remote command-and-control servers. Researchers also noted that infrastructure associated with DKnife hosted the WizardNet backdoor, which has been previously linked to the Spellbinder AitM framework discovered by cybersecurity firm ESET in April 2025, suggesting a shared development or operational lineage.
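A bridged TAP interface is something a defender can check for on a Linux-based router. The following is an added example, not code from Talos or from the DKnife toolkit: it parses iproute2 `ip -d -o link show` output (an assumed tool on the device) and flags TAP devices enslaved to a bridge; the interface names, MAC addresses and output text are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `ip -d -o link show` output from a Linux router.
# This is illustrative data, not output captured from a DKnife infection.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 1\\    bridge_slave state forwarding
3: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff promiscuity 0\\    bridge forward_delay 1500
4: tap0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br0 state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff promiscuity 1\\    tun type tap pi off vnet_hdr off\\    bridge_slave state forwarding
"""

# One interface per line: "<idx>: <name>[@<parent>]: <FLAGS> <details...>"
LINE_RE = re.compile(
    r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>(?P<rest>.*)$"
)


def parse_links(text: str) -> List[Dict[str, Optional[str]]]:
    """Turn iproute2 one-line-per-interface output into simple records."""
    links: List[Dict[str, Optional[str]]] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip anything that is not an interface line
        rest = m.group("rest")
        master = re.search(r"\bmaster\s+(\S+)", rest)
        links.append({
            "name": m.group("name"),
            "flags": m.group("flags"),
            # "master <bridge>" means the device is enslaved to that bridge
            "master": master.group(1) if master else None,
            # `-d` output labels TUN/TAP devices; the name check is a fallback
            "is_tap": "tun type tap" in rest or m.group("name").startswith("tap"),
        })
    return links


def find_bridged_taps(text: str, allowlist=frozenset()):
    """Return (interface, bridge) pairs for TAP devices attached to a bridge.

    Known-good devices (e.g. a sanctioned VPN TAP) can be excluded by name."""
    return [(l["name"], l["master"]) for l in parse_links(text)
            if l["is_tap"] and l["master"] and l["name"] not in allowlist]
```

A match is a lead, not a verdict: a legitimately configured VPN or virtualization TAP on a bridge looks identical here, so compare hits against the device's intended configuration.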
