Router-Level Espionage Framework Exposed
Cisco Talos researchers have uncovered DKnife, a sophisticated adversary-in-the-middle (AitM) framework comprising seven Linux-based implants designed to compromise routers and edge devices for deep packet inspection, credential theft, and malware delivery. The framework has been operational since at least 2019 and is attributed to China-nexus threat actors with links to the Earth Minotaur and TheWizards APT clusters.
DKnife represents a growing trend of targeting network infrastructure rather than endpoints. By compromising the router itself, attackers gain a privileged position to intercept, modify, and redirect all traffic passing through the device without touching the victim's machine.
How DKnife Works
Seven-Component Architecture
DKnife is modular by design. Each component handles a specific function in the attack chain:
| Component | Function |
|---|---|
| dknife.bin | Core module: deep packet inspection, DNS hijacking, binary replacement |
| sslmm.bin | HAProxy-based reverse proxy for TLS termination and decryption |
| postapi.bin | Data relay module reporting stolen data to C2 servers |
| mmdown.bin | APK update downloader for replacing legitimate mobile app updates |
| yitiji.bin | Packet forwarder creating bridged TAP interfaces for traffic interception |
| remote.bin | P2P VPN client for covert C2 communication |
| dkupdate.bin | Update and watchdog module ensuring persistence |
Attack Flow
Once deployed on a compromised router, DKnife operates as a transparent adversary-in-the-middle:
- Traffic interception - The core module performs deep packet inspection on all traffic traversing the router
- Credential harvesting - Decrypts POP3/IMAP email streams to extract login credentials (tagged as "PASSWORD" in internal logs)
- Download replacement - Swaps legitimate software downloads and Android app updates with trojaned versions mid-transit
- DNS hijacking - Redirects both IPv4 and IPv6 DNS queries to attacker-controlled infrastructure
- Malware delivery - Deploys ShadowPad and DarkNimbus backdoors to victim devices via DLL side-loading
What DKnife Monitors
The framework's surveillance capabilities are extensive. Cisco Talos identified monitoring configurations targeting:
- Email credentials from major providers
- WeChat communications and contacts
- E-commerce transactions (including JD.com)
- Banking and financial application traffic
- Video streaming activity
- Messaging, gaming, and dating applications
- Security product communications (360 Total Security, Tencent)
"Routers and edge devices remain prime targets in sophisticated targeted attack campaigns. DKnife's attacks target a wide range of devices, including PCs, mobile devices, and Internet of Things devices." - Cisco Talos
The monitoring of security product communications is particularly concerning, as it allows attackers to understand what defenses are present and potentially subvert update mechanisms.
Attribution and Targets
China-Nexus Indicators
Multiple factors point to Chinese state-sponsored origin:
- Credential harvesting specifically targets Chinese email services
- Exfiltration modules focus on WeChat and Chinese applications
- Code references to Chinese media domains
- Infrastructure overlaps with Earth Minotaur (a known Chinese APT cluster)
- Connection to TheWizards APT group and its WizardNet implant
Geographic Focus
| Region | Target Types |
|---|---|
| Cambodia | Government and civil society |
| Hong Kong | Media and communications |
| Mainland China | Dissident and minority communities |
| Philippines | Government agencies |
| UAE | Business and diplomatic targets |
Defensive Recommendations
For Network Teams
- Audit router and edge device integrity - Compare firmware hashes against vendor-provided checksums to detect unauthorized modifications
- Monitor for anomalous traffic patterns - Look for unexpected TAP interfaces, unusual DNS responses, or TLS certificate mismatches originating from network devices
- Segment router management interfaces - Ensure administrative access to network devices is isolated from general traffic
- Deploy out-of-band monitoring - DKnife operates at the network level, so endpoint tools alone will not detect it
For Security Teams
- Inspect application update chains - Verify that mobile app and software updates arrive from expected sources with valid signatures
- Monitor for ShadowPad and DarkNimbus indicators - Review Cisco Talos IOCs for file hashes, C2 domains, and behavioral patterns
- Review DNS query logs - Identify unexpected DNS redirection that could indicate DKnife's DNS hijacking module
- Evaluate edge device patching cadence - Routers frequently lag behind in patch management, creating the initial foothold
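As an added example (not part of the original article or of Cisco Talos' tooling) of the DNS-log review recommended above and the "unusual DNS responses" check from the network-team list: this script walks a constructed DNS query log and flags A and AAAA answers for monitored names that fall outside their expected address ranges, as well as answers that came from a resolver the site never configured. The log format, the names, the address ranges and the resolver list are all assumptions for the demonstration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log (not from the page). Fields: timestamp client resolver qname qtype answer
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 192.0.2.10 192.0.2.1 mail.example.net A 198.51.100.25
2024-05-01T10:00:02Z 192.0.2.10 192.0.2.1 mail.example.net AAAA 2001:db8:1::25
2024-05-01T10:00:05Z 192.0.2.11 192.0.2.1 mail.example.net A 203.0.113.77
2024-05-01T10:00:06Z 192.0.2.11 192.0.2.1 mail.example.net AAAA 2001:db8:bad::1
2024-05-01T10:00:09Z 192.0.2.12 203.0.113.53 update.example.net A 198.51.100.40
"""

# Assumed baseline: the resolvers actually configured on site, and the ranges each
# monitored name should resolve into. Both IPv4 and IPv6 are listed because DKnife
# hijacks both A and AAAA lookups.
EXPECTED_RESOLVERS = {"192.0.2.1"}
EXPECTED_RANGES = {
    "mail.example.net": [ipaddress.ip_network("198.51.100.0/24"),
                         ipaddress.ip_network("2001:db8:1::/48")],
    "update.example.net": [ipaddress.ip_network("198.51.100.0/24")],
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (A|AAAA) (\S+)$")


@dataclass
class Finding:
    ts: str
    client: str
    qname: str
    reason: str


def check_dns_log(log: str) -> list[Finding]:
    """Return one Finding per log line that deviates from the DNS baseline."""
    findings = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not A/AAAA records in the expected format
        ts, client, resolver, qname, qtype, answer = m.groups()
        # A response from an unconfigured resolver means something redirected the query.
        if resolver not in EXPECTED_RESOLVERS:
            findings.append(Finding(ts, client, qname, f"answer from unexpected resolver {resolver}"))
        ranges = EXPECTED_RANGES.get(qname)
        if ranges is None:
            continue  # name is not on the monitored list
        # A router-level hijack keeps the resolver address looking normal, so the
        # stronger signal is an answer that lands outside the known-good ranges.
        addr = ipaddress.ip_address(answer)
        if not any(addr in net for net in ranges):
            findings.append(Finding(ts, client, qname, f"{qtype} answer {answer} outside expected ranges"))
    return findings
```

Run it against exported resolver or firewall DNS logs from an endpoint that sits behind the suspect router; the two hits for client 192.0.2.11 in the sample are the pattern a DNS-hijacking module would leave.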
For Organizations in Targeted Regions
- Organizations in Southeast Asia and Chinese-speaking regions should treat this as an active and ongoing threat
- Conduct router-level forensics as part of incident response procedures
- Consider hardware-based network monitoring that operates independently of potentially compromised infrastructure
Sources
- The Hacker News - China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery
- Cisco Talos Intelligence Research