Despite adversaries increasing their focus on the network edge, recent findings suggest a sustained and deliberate effort to weaponize routing infrastructure itself for surveillance and delivery purposes. An attacker can observe, modify, and selectively redirect data streams in transit by embedding malicious logic directly into traffic paths rather than relying on endpoint compromise.
This evolution is reflected in the development of the DKnife framework, which has transformed attacker-in-the-middle capabilities into modular, long-lived platforms that are designed to be persistent, stealthy, and operationally flexible.
Through the framework's ability to operate at a level where legitimate traffic aggregation and inspection already take place, the line between benign network functionality and hostile control is blurred, enabling malware deployment and long-term monitoring across a variety of device classes and user environments targeted at targeted users.
According to cybersecurity researchers, DKnife is an adversary-in-the-middle framework that has operated from at least 2019 to maintain router-centric infrastructure by threat actors who have been found to be linked to China.
In order to enable deep packet inspection, selective traffic manipulation, and covert delivery of malicious payloads, seven Linux-based implants are installed on gateways and edge devices.
Several code artifacts and telemetry indicate a clear focus on Chinese-speaking users, including credential-harvesting components tailored specifically for Chinese email services, data exfiltration modules specifically targeted at popular mobile applications, and hard-coded references to domestic media domains buried within the implants.
It is argued that DKnife's potential strategic value lies in its ability to act as a conduit between legitimate update and download channels and users.
As the framework intercepts binary transfers and mobile application updates in transit, it is possible to deploy and manage established backdoors across a broad range of endpoints ranging from desktop systems to mobile devices to Internet of Things environments, including ShadowPad and DarkNimbus.
According to Cisco Talos, the activity has been associated with the ongoing tracking of a Chinese threat cluster dubbed Earth Minotaur, previously associated with exploit kits like MOONSHINE as well as backdoors like DarkNimbus.
The reuse of DarkNimbus is noteworthy, as the malware has also been found in operations attributed to another Chinese advanced persistent threat group, The Wizards, indicating the possibility of sharing tools or infrastructure among these groups.
Upon further analysis of the infrastructure, it was revealed that DKnife-associated resources overlapped with those connected to WizardNet, a Windows implant deployed by TheWizards through an AitM framework called Spellbinder, which was publicized in 2025. This led to additional connections between DKnife-associated systems and WizardNet resources.
As Cisco cautions, current insights into DKnife's targeting may be incomplete due to the fact that the configuration data obtained from a single command-and-control server provide limited information about its target market of Chinese-speaking users. It is possible that parallel servers exist to support operations in other regions as well.
Due to The Wizards' history of targeting individuals and gambling-related entities across Southeast Asia, Greater China, and the Middle East, the convergence of infrastructure and tactics is significant, highlighting the wider implications of DKnife as a traffic hijacking platform with reusable, regionally adaptable features.
Although researchers have not determined the exact vector used to compromise network equipment, researchers have established that DKnife functions to deliver and control backdoors known as ShadowPad and DarkNimbus, both of which have been used by Chinese-allied threat actors for decades.
A technical analysis reveals that there are seven discrete modules in the framework.
Each module is designed to support a particular operational role, such as traffic inspection, manipulation, and control-and-control messages, as well as origin obfuscation.
In addition to packet inspection and attack logic, the system includes relay services to facilitate communication with remote C2 servers as well as a customized reverse proxy derived from HAProxy to mask and manage malicious traffic flows.
Additionally, DKnife extends its capabilities beyond passive monitoring with additional modules.
An attacker is able to establish a virtual Ethernet TAP interface on the compromised router and connect it directly to the local network, effectively placing themselves in the data path of internal communications.
In addition, there are third parties who provide peer-to-peer VPN connectivity using modified n2n software, coordinate the download and update of malicious Android applications, and manage the deployment of the DKnife implants themselves.
Together, these elements provide a range of tools for a wide range of activities, including DNS hijacking, intercepting legitimate binary and application updates, selectively disrupting security-related traffic, and exfiltrating detailed user activity to external command infrastructures.
In addition to intercepting and rewriting packets destined for their original hosts once activated on a device, DKnife also uses its network-bridging capabilities to substitute malicious payloads during transit transparently.
Through this technique, weaponized APK files can be delivered to Android devices as well as compromised binaries to Windows systems connected to the affected network using this technique.
Research conducted by Cisco Talos demonstrated instances in which the framework first installed ShadowPad backdoors for Windows, signed by Chinese certificates, followed by the installation of DarkNimbus backdoors to establish long-term access.
Unlike secondary droppers, DarkNimbus was delivered directly to Android environments through the manipulated update channel.
It was further revealed by investigators that infrastructure was associated with a framework hosting the WizardNet backdoor, a Windows implant previously associated with Spellbinder AitM. This confirmed the link between DKnife and previously documented adversary-in-the-middle attacks.
Incorporating these tools within the same operational environment implies that development resources will likely be shared or infrastructure will be coordinated. As a result, threat actors are becoming increasingly sophisticated in their use of compromised network devices as covert malware distribution channels as opposed to utilizing endpoints to spread malware.
The Cisco Talos team further concluded that DKnife is capable of intercepting Windows binary downloads in addition to mobile ecosystems. As observed, the framework was capable of manipulating download URLs in transit, either substituting legitimate installers for trojanized counterparts or redirecting users to malicious distribution points controlled by the attackers.
In combination with its DNS manipulation capabilities and control over application update channels, DKnife provides an extensive traffic-hijacking platform that can silently deliver malware while maintaining the appearance of normal network behavior.
The framework's components work together to create a continuous attack system at the network gateway that functions in conjunction with each other.
Moreover, DKnife offers a broad range of secondary functionality in addition to payload delivery, such as credential harvesting through decrypted POP3 and IMAP sessions, hosting phishing pages, selectively disrupting antivirus and security product traffic, and detailed user activity monitoring.
Several applications and services were observed to collect telemetry, including messaging platforms, navigation tools, news consumption, telephony, ridesharing, and online shopping, by researchers. In particular, WeChat was observed to receive significant attention, with the framework tracking voice and video calls, message content, media exchanges, and articles accessed through the application.
The placement of DKnife on gateway devices permits near real-time visibility into user behavior.
Activity events are processed internally across the framework's modular components first before being exfiltrated via structured HTTP POST requests to dedicated API endpoints and then forwarded to remote command-and-control infrastructure.
A significant reduction in the need for persistent malware on individual endpoints is achieved through this architecture, which allows attackers to correlate traffic flows and user actions as packets traverse the network. Researchers note that this approach reflects a greater trend towards infrastructure-level compromise, which is the use of routers and edge devices as persistent delivery platforms for malware.
According to Cisco Talos, DKnife-associated command-and-control servers remain active as of January 2026, highlighting the continued nature of this threat. An exhaustive set of indicators of compromise has been developed by the firm to assist defenders in identifying compromised systems, as well as emphasizing the need to pay increased attention to network infrastructure as adversaries continue to utilize its unique position within modern digital environments to their advantage.
