Showing posts with label Adversary In The Middle.

China-Linked DKnife Threat Underscores Risks to Network Edge Devices



As adversaries focus increasingly on the network edge, recent findings point to a sustained, deliberate effort to weaponize routing infrastructure itself for surveillance and payload delivery. By embedding malicious logic directly in the traffic path rather than relying on endpoint compromise, an attacker can observe, modify, and selectively redirect data streams in transit.

This evolution is reflected in the DKnife framework, which packages adversary-in-the-middle (AitM) capabilities into a modular, long-lived platform designed to be persistent, stealthy, and operationally flexible.

Because the framework operates where legitimate traffic aggregation and inspection already take place, the line between benign network functionality and hostile control is blurred, enabling malware deployment and long-term monitoring across a variety of device classes and user environments.

According to Cisco Talos researchers, DKnife is an adversary-in-the-middle framework that China-linked threat actors have used since at least 2019 to build router-centric operational infrastructure.

To enable deep packet inspection, selective traffic manipulation, and covert delivery of malicious payloads, seven Linux-based implants are installed on gateways and edge devices. Several code artifacts and telemetry indicate a clear focus on Chinese-speaking users, including credential-harvesting components tailored to Chinese email services, data exfiltration modules aimed at popular mobile applications, and hard-coded references to domestic media domains buried within the implants.

DKnife's strategic value lies in its position as a conduit between users and legitimate update and download channels. Because the framework intercepts binary transfers and mobile application updates in transit, it can deploy and manage established backdoors such as ShadowPad and DarkNimbus across a broad range of endpoints, from desktop systems to mobile devices to Internet of Things environments.

Cisco Talos associates the activity with a Chinese threat cluster tracked as Earth Minotaur, previously linked to the MOONSHINE exploit kit and the DarkNimbus backdoor. The reuse of DarkNimbus is noteworthy because the malware has also appeared in operations attributed to another Chinese advanced persistent threat group, TheWizards, suggesting that tooling or infrastructure is shared among these groups.

Further infrastructure analysis revealed overlaps between DKnife-associated resources and those connected to WizardNet, a Windows implant deployed by TheWizards through an AitM framework called Spellbinder that was publicly documented in 2025.

Cisco cautions that current insight into DKnife's targeting may be incomplete: the configuration data were recovered from a single command-and-control server, and while they point to Chinese-speaking users, parallel servers supporting operations in other regions may exist.

Given TheWizards' history of targeting individuals and gambling-related entities across Southeast Asia, Greater China, and the Middle East, the convergence of infrastructure and tactics is significant. It underscores the wider implications of DKnife as a traffic-hijacking platform with reusable, regionally adaptable features.

Although researchers have not determined the exact vector used to compromise the network equipment, they have established that DKnife is used to deliver and control the ShadowPad and DarkNimbus backdoors, both of which have been used by China-aligned threat actors for years. Technical analysis shows that the framework consists of seven discrete modules.

Each module supports a particular operational role, such as traffic inspection, traffic manipulation, command-and-control messaging, or origin obfuscation. Beyond packet inspection and the attack logic itself, the framework includes relay services for communication with remote C2 servers and a customized reverse proxy derived from HAProxy that masks and manages malicious traffic flows.

DKnife also extends beyond passive monitoring. One module lets the attacker create a virtual Ethernet TAP interface on the compromised router and attach it directly to the local network, placing the attacker in the data path of internal communications.

Other modules provide peer-to-peer VPN connectivity using modified n2n software, coordinate the download and update of malicious Android applications, and manage the deployment of the DKnife implants themselves.

Together, these components support a wide range of activities, including DNS hijacking, interception of legitimate binary and application updates, selective disruption of security-related traffic, and exfiltration of detailed user activity to external command infrastructure. Once active on a device, DKnife intercepts and rewrites packets destined for their original hosts and uses its network-bridging capability to substitute malicious payloads transparently in transit.
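The TAP-on-the-bridge and n2n tunnel described above leave footprints in the router's own interface table. The following is an added example, not code from Cisco Talos or from DKnife, that audits `ip -d -o link show` output against a known-good inventory and flags userspace tun/tap devices, interfaces enslaved to the LAN bridge, and promiscuous interfaces. The baseline interface names and the sample output are constructed for the example; a tap named `tap0` and an n2n-style `edge0` are assumptions, not indicators from the report.

```python
import re
from dataclasses import dataclass, field

# Assumed known-good interface inventory for this gateway (hypothetical baseline).
BASELINE_IFACES = {"lo", "eth0", "eth1", "br-lan"}

# Constructed sample of `ip -d -o link show` output; not real DKnife telemetry.
# The last two entries model a TAP attached to the LAN bridge and an n2n-style
# tunnel interface, i.e. what the page's description would look like on the box.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff promiscuity 0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP mode DEFAULT group default qlen 1000\\    link/ether 00:11:22:33:44:56 brd ff:ff:ff:ff:ff:ff promiscuity 1
4: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\\    link/ether 00:11:22:33:44:56 brd ff:ff:ff:ff:ff:ff promiscuity 0\\    bridge forward_delay 200 hello_time 200
7: tap0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UNKNOWN mode DEFAULT group default qlen 1000\\    link/ether 0a:9c:12:7f:44:01 brd ff:ff:ff:ff:ff:ff promiscuity 1\\    tun type tap pi off vnet_hdr off persist on
8: edge0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 500\\    link/ether 0a:9c:12:7f:44:02 brd ff:ff:ff:ff:ff:ff promiscuity 0\\    tun type tap pi off vnet_hdr off persist off
"""

# "N: name[@parent]: <FLAGS> ..." as printed by iproute2 in one-line (-o) mode.
IFACE_RE = re.compile(r"^\d+:\s+(?P<name>[^:@\s]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")


@dataclass
class Finding:
    iface: str
    reasons: list = field(default_factory=list)


def audit_links(ip_link_output: str, baseline=BASELINE_IFACES) -> list:
    """Return one Finding per interface that deviates from the baseline or
    shows the traits of an on-path implant (tun/tap, bridged, promiscuous)."""
    findings = []
    for line in ip_link_output.splitlines():
        m = IFACE_RE.match(line)
        if not m:
            continue
        name, flags = m["name"], set(m["flags"].split(","))
        master = re.search(r"\bmaster\s+(\S+)", line)      # enslaved to a bridge
        tun = re.search(r"\btun type\s+(\w+)", line)       # userspace tun/tap device
        promisc = re.search(r"\bpromiscuity\s+(\d+)", line)
        reasons = []
        if name not in baseline:
            reasons.append("not in baseline inventory")
        if tun:
            reasons.append(f"userspace tun/{tun[1]} device (a process can read and inject frames)")
        if master and (tun or name not in baseline):
            reasons.append(f"enslaved to bridge {master[1]} (sits in the LAN data path)")
        # Bridge ports in the baseline (eth1) are legitimately promiscuous; only
        # treat promiscuity on an unknown interface as suspicious.
        if ("PROMISC" in flags or (promisc and int(promisc[1]) > 0)) and name not in baseline:
            reasons.append("promiscuous mode")
        if reasons:
            findings.append(Finding(name, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_IP_LINK):
        print(f.iface, "->", "; ".join(f.reasons))
```

On a real device, feed the function the live output of `ip -d -o link show` and keep the baseline in configuration management; a new tun/tap device that is a member of the LAN bridge is exactly the position from which an implant can rewrite packets for internal hosts.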

Through this technique, weaponized APK files can be delivered to Android devices and trojanized binaries to Windows systems on the affected network. Cisco Talos documented cases in which the framework first installed ShadowPad backdoors for Windows, signed with Chinese certificates, followed by DarkNimbus backdoors to establish long-term access.

On Android, by contrast, DarkNimbus was delivered directly through the manipulated update channel rather than via a secondary dropper. Investigators also found that the infrastructure was associated with a framework hosting the WizardNet backdoor, the Windows implant previously tied to the Spellbinder AitM tool, confirming the link between DKnife and previously documented adversary-in-the-middle attacks.

The presence of these tools in the same operational environment suggests shared development resources or coordinated infrastructure. It also shows threat actors growing more sophisticated in their use of compromised network devices as covert malware distribution channels rather than spreading malware from endpoint to endpoint.

Cisco Talos further concluded that, in addition to mobile ecosystems, DKnife can intercept Windows binary downloads. The framework was observed manipulating download URLs in transit, either substituting trojanized installers for legitimate ones or redirecting users to attacker-controlled distribution points.

Combined with its DNS manipulation and its control over application update channels, DKnife provides an extensive traffic-hijacking platform that can silently deliver malware while maintaining the appearance of normal network behavior.
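From the endpoint side, the two hijack techniques above (substituting the installer bytes, or redirecting the download elsewhere) produce observable artifacts in an egress proxy log: a binary fetched over plaintext HTTP, a redirect that leaves the vendor's domain, or a body whose digest differs from the digest the vendor published. The following added example, not code from Cisco Talos, runs those three checks over a constructed log. The vendor and attacker hostnames, the log format, and the artifact bodies are all constructed for the example; the pinned digests are computed from those constructed bodies so no hash values are invented.

```python
import hashlib
from collections import namedtuple
from urllib.parse import urlparse

BINARY_EXT = (".exe", ".msi", ".apk", ".dmg", ".pkg")


def sha256_hex(b: bytes) -> str:
    return hashlib.sha256(b).hexdigest()


# Constructed stand-ins for a vendor's real installer and a trojanized copy.
GOOD_EXE = b"MZ\x90\x00 legitimate setup.exe (constructed)"
BAD_EXE = b"MZ\x90\x00 trojanized setup.exe (constructed)"
GOOD_APK = b"PK\x03\x04 legitimate update.apk (constructed)"
BAD_APK = b"PK\x03\x04 trojanized update.apk (constructed)"

# Digests a defender pins out-of-band (release notes, package metadata, a
# download made over a trusted path), keyed by artifact name.
PINNED = {"setup.exe": sha256_hex(GOOD_EXE), "update.apk": sha256_hex(GOOD_APK)}

# Constructed egress-proxy log. Fields: ts client method url status location body_sha256
SAMPLE_LOG = "\n".join([
    f"2025-01-14T09:12:01Z 10.0.0.21 GET https://download.example-vendor.com/tool/setup.exe 200 - {sha256_hex(GOOD_EXE)}",
    "2025-01-14T09:40:12Z 10.0.0.34 GET http://download.example-vendor.com/tool/setup.exe 302 http://cdn-mirror.example-attacker.net/tool/setup.exe -",
    f"2025-01-14T09:40:13Z 10.0.0.34 GET http://cdn-mirror.example-attacker.net/tool/setup.exe 200 - {sha256_hex(BAD_EXE)}",
    f"2025-01-14T10:02:55Z 10.0.0.51 GET https://updates.example-vendor.com/app/update.apk 200 - {sha256_hex(GOOD_APK)}",
    f"2025-01-14T10:03:07Z 10.0.0.52 GET http://updates.example-vendor.com/app/update.apk 200 - {sha256_hex(BAD_APK)}",
])

Finding = namedtuple("Finding", "rule client url detail")


def registrable(host: str) -> str:
    # Simplification: last two DNS labels. Use a public-suffix list in production.
    return ".".join(host.lower().split(".")[-2:])


def is_binary(url: str) -> bool:
    return urlparse(url).path.lower().endswith(BINARY_EXT)


def scan_log(log_text: str, pinned=PINNED) -> list:
    """Flag binary downloads that an on-path device could have tampered with."""
    findings = []
    for line in log_text.splitlines():
        client, url, status, location, digest = line.split()[1::1][1:2] + line.split()[3:]
        if not is_binary(url):
            continue
        u = urlparse(url)
        # Rule 1: an installer over plaintext HTTP is trivially rewritable in transit.
        if u.scheme == "http":
            findings.append(Finding("plaintext-binary", client, url, "fetched over HTTP"))
        # Rule 2: a redirect for a binary that leaves the requested domain.
        if status.startswith("3") and location != "-":
            if registrable(urlparse(location).hostname or "") != registrable(u.hostname or ""):
                findings.append(Finding("off-origin-redirect", client, url, f"redirected to {location}"))
        # Rule 3: the delivered body does not match the digest pinned for that artifact.
        name = u.path.rsplit("/", 1)[-1]
        if status == "200" and digest != "-" and name in pinned and digest != pinned[name]:
            findings.append(Finding("digest-mismatch", client, url,
                                    f"got {digest[:12]}, pinned {pinned[name][:12]}"))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f.rule, f.client, f.url, f.detail)
```

Rule 3 is the one that survives even when the vendor's host is reached correctly: a digest pinned out-of-band is the only check a router-level substitution cannot satisfy, which is why update clients that verify signatures or hashes before installing are the practical countermeasure to this class of delivery.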

The framework's components operate together as a continuous attack system at the network gateway. Beyond payload delivery, DKnife offers a broad range of secondary functionality, such as credential harvesting from intercepted POP3 and IMAP sessions, hosting phishing pages, selectively disrupting antivirus and security product traffic, and detailed user activity monitoring.

Researchers observed telemetry collection across several applications and services, including messaging platforms, navigation tools, news consumption, telephony, ridesharing, and online shopping. WeChat in particular received significant attention, with the framework tracking voice and video calls, message content, media exchanges, and articles accessed through the application. Placement on gateway devices gives DKnife near-real-time visibility into user behavior.

Activity events are first processed across the framework's modular components, then exfiltrated via structured HTTP POST requests to dedicated API endpoints and forwarded to remote command-and-control infrastructure.

This architecture greatly reduces the need for persistent malware on individual endpoints, since attackers can correlate traffic flows and user actions as packets traverse the network. Researchers note that the approach reflects a broader trend toward infrastructure-level compromise: the use of routers and edge devices as persistent delivery platforms for malware.

According to Cisco Talos, DKnife-associated command-and-control servers remained active as of January 2026, underscoring the ongoing nature of the threat. The firm has published an extensive set of indicators of compromise to help defenders identify compromised systems, and stresses the need for closer attention to network infrastructure as adversaries continue to exploit its unique position in modern environments.

VoidProxy Phishing Platform Emerges as Threat Capable of Bypassing MFA


Cybersecurity researchers are warning about a sophisticated phishing-as-a-service (PhaaS) platform known as VoidProxy, which criminal groups are using to evade widely deployed security controls. It shows how far such tooling has advanced.

VoidProxy is a specialised kit, built and marketed for cybercriminals, that targets high-value accounts and neutralises multi-factor authentication (MFA). According to the researchers at Okta, the identity and access management company, who documented it, VoidProxy is unlike the typical phishing kit.

Like other advanced kits, it relies on sophisticated infrastructure and evasion techniques, but it combines these with commoditised accessibility, which makes it effective and dangerous even in the hands of relatively low-skilled attackers. What makes VoidProxy especially alarming is its reliance on adversary-in-the-middle (AiTM) phishing, a technique that intercepts authentication flows in real time.

With this method, cybercriminals capture not only credentials but also the multi-factor authentication codes and session tokens generated during a legitimate sign-in. Because the entire exchange is relayed, VoidProxy defeats SMS-based codes and one-time passwords from authenticator apps, the second factors that most organisations and individuals still depend on.

VoidProxy's infrastructure combines sophistication with cost-effectiveness. Its operators host phishing sites on low-cost top-level domains such as .icu, .sbs, .cfd, .xyz, .top, and .home, which are cheap to register and easy to discard. The phishing content is delivered through Cloudflare's reverse proxy services, which further obscures the site's actual hosting infrastructure.

This layering of concealment keeps the true IP address of the origin server hidden from researchers and defenders. Combined with highly deceptive email campaigns, it makes VoidProxy one of the more troubling arrivals in the phishing-service market. Although the operation had not been reported before, it shows a level of maturity rarely seen in other phishing kits.

Okta's researchers found that VoidProxy can scale attacks against large groups of victims, particularly enterprise users, who are a valuable entry point for fraud and data theft. The service inserts itself between the victim and the authenticating service and intercepts the authentication traffic. Once credentials and multi-factor authentication data are captured, attackers gain persistent access to the victim's account, sidestepping the protections that would otherwise stand in their way.

The discovery began when Okta's FastPass, a passwordless authentication technology, identified and blocked a suspicious sign-in attempt routed through VoidProxy's proxy network. From that single event, researchers unravelled a much larger ecosystem of campaigns, including the administrative panels and dashboards through which cybercriminals rent access to the service.

Brett Winterford, Okta's senior vice president of threat intelligence, described VoidProxy as "an example of phishing infrastructure that has been observed in recent years." Winterford highlighted both its ability to bypass multi-factor authentication and its elaborate anti-analysis mechanisms.

Traditional phishing kits can often be dismantled by tracking their servers and blocking their domains; VoidProxy instead stacks several layers of obfuscation. Phishing lures are sent from compromised email accounts, victims pass through multiple redirect chains that complicate analysis, Cloudflare CAPTCHA challenges and Cloudflare Workers inspect and filter incoming traffic, and dynamic DNS keeps the infrastructure fast-moving.

These techniques kept the operation out of view until Okta uncovered it, but the kit's sophistication extends beyond its technical defences. Affiliates distribute VoidProxy campaigns in several ways, the first being phishing emails sent from compromised accounts on legitimate marketing and communication platforms such as Constant Contact, Active Campaign, and Notify Visitors.

Because these lures borrow the reputation of established service providers, they are more likely to escape spam filters and reach targeted users' inboxes. When a victim clicks through and submits credentials, VoidProxy's response depends on how the victim's account authenticates.

For non-federated accounts, the proxy relays the credentials directly to legitimate Microsoft and Google servers. Users who authenticate through single sign-on (SSO) are forwarded instead to second-stage phishing pages designed to harvest additional information. In the final stage, affiliates use the AiTM proxy, hosted on ephemeral infrastructure supported by dynamic DNS, to capture the session cookies.

By hijacking authenticated sessions through those cookies, attackers obtain the same access as the legitimate user without ever having to submit credentials again. The attacker inherits trusted access and can operate undetected until security teams notice unusual behaviour.

VoidProxy also offers an administrative panel that lets paying affiliates monitor their campaigns' progress and the victim data collected. This ease of use allows a broader set of actors, from organised cybercrime groups to less sophisticated attackers, to run advanced phishing campaigns.

Although VoidProxy is a new and dangerous entrant in the phishing landscape, researchers emphasise that effective defences exist. Phishing-resistant authenticators such as hardware security keys, passkeys, and smart cards prevent the attack outright: because the credential is bound to the legitimate site's origin, an attacker cannot hijack it or sign in through proxy infrastructure.

Okta's research shows that users equipped with these authenticators are far less likely to be compromised via VoidProxy, but most organisations continue to rely on weaker forms of multi-factor authentication, such as SMS codes, which leaves them exposed to interception.
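Why an AiTM proxy can relay an SMS code but not a passkey comes down to what the authenticator signs. The following added example, which is not code from Okta or from VoidProxy, simulates the relying-party side of a WebAuthn assertion and runs it through three scenarios: a direct sign-in, the same challenge relayed by a proxy on a lookalike domain, and a proxy that patches the origin field before forwarding. The origins, the credential key, and the challenge are constructed; the authenticator's asymmetric signature is replaced by an HMAC over the same data so that the example runs with the standard library alone, which does not change the binding property being shown.

```python
import base64
import hashlib
import hmac
import json

RP_ID = "login.example-corp.com"                     # assumed relying-party ID
RP_ORIGIN = "https://login.example-corp.com"         # assumed legitimate origin
PHISH_ORIGIN = "https://login.example-corp.com.sbs"  # assumed VoidProxy-style lookalike


def b64u(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# --- Authenticator side (passkey / security key) -------------------------------
def authenticator_assert(key: bytes, challenge: bytes, origin: str) -> dict:
    """Build a WebAuthn-style assertion. The browser, not the page, fills in the
    origin it is actually connected to, so a proxied victim gets PHISH_ORIGIN here.
    (A real browser would also refuse RP_ID for that origin; this example lets the
    request through to show that the origin check alone is sufficient.)"""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64u(challenge), "origin": origin},
        separators=(",", ":")).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + (5).to_bytes(4, "big")  # rpIdHash|flags|counter
    # Stand-in for the private-key signature (real authenticators use e.g. ES256).
    sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return {"clientDataJSON": b64u(client_data), "authenticatorData": b64u(auth_data), "signature": b64u(sig)}


# --- Relying-party side ----------------------------------------------------------
def rp_verify(key: bytes, expected_challenge: bytes, assertion: dict) -> tuple:
    client_data = b64u_dec(assertion["clientDataJSON"])
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "bad type"
    if cd.get("challenge") != b64u(expected_challenge):
        return False, "challenge mismatch (replay?)"
    if cd.get("origin") != RP_ORIGIN:            # the check a proxy cannot get around
        return False, f"origin mismatch: {cd.get('origin')}"
    auth_data = b64u_dec(assertion["authenticatorData"])
    expected_sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64u_dec(assertion["signature"])):
        return False, "signature invalid"
    return True, "ok"


def aitm_scenarios() -> dict:
    key = b"per-site credential key (constructed)"
    challenge = hashlib.sha256(b"server nonce (constructed)").digest()
    # 1. Legitimate sign-in from the real origin.
    direct = rp_verify(key, challenge, authenticator_assert(key, challenge, RP_ORIGIN))
    # 2. AiTM: the proxy relays the server's challenge unchanged, but the victim's
    #    browser stamps the phishing origin into clientDataJSON.
    relayed = authenticator_assert(key, challenge, PHISH_ORIGIN)
    proxied = rp_verify(key, challenge, relayed)
    # 3. The proxy rewrites the origin in transit: the signed hash no longer matches.
    cd = json.loads(b64u_dec(relayed["clientDataJSON"]))
    cd["origin"] = RP_ORIGIN
    patched = dict(relayed, clientDataJSON=b64u(json.dumps(cd, separators=(",", ":")).encode()))
    tampered = rp_verify(key, challenge, patched)
    return {"direct": direct, "proxied": proxied, "tampered": tampered}


if __name__ == "__main__":
    for name, result in aitm_scenarios().items():
        print(f"{name}: {result}")
```

An SMS or TOTP code carries no equivalent of the origin field: the proxy forwards the six digits and the server has nothing to compare them against. That asymmetry, not the strength of the second factor itself, is what the page means by "phishing-resistant".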

Okta has notified Google and Microsoft of VoidProxy's operations, shared intelligence with its SaaS partners, and issued a customer advisory. Beyond adopting phishing-resistant authentication, the company recommends a broader set of measures.

These include restricting access to trusted devices and networks, monitoring sign-in behaviour for anomalies, and giving users streamlined ways to report suspicious emails or sign-in attempts. Cultivating a culture of cybersecurity awareness in the organisation is also essential.
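The session-cookie hijack described earlier and the "monitor sign-in behaviour for anomalies" recommendation meet in one detection: a session that was authenticated from one network and is then used from another within minutes. The following is an added example, not Okta's detection logic, that runs that check over constructed identity-provider audit events. The event format, user names, session IDs, addresses and ASNs are all constructed; a real feed would supply ASN and country from IP enrichment.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed IdP audit events. Fields: ts user session ip asn country event [mfa=<method>]
# S-1001 models a cookie captured by an AiTM proxy and replayed from the attacker's host.
SAMPLE_EVENTS = """\
2025-09-10T08:01:10Z alice S-1001 203.0.113.10 AS64500 JP authenticate mfa=sms
2025-09-10T08:01:12Z alice S-1001 203.0.113.10 AS64500 JP app_access
2025-09-10T08:04:40Z alice S-1001 198.51.100.77 AS64511 NL app_access
2025-09-10T08:05:02Z alice S-1001 198.51.100.77 AS64511 NL mailbox_rule_created
2025-09-10T09:15:00Z bob S-2002 192.0.2.45 AS64500 JP authenticate mfa=fido2
2025-09-10T09:30:00Z bob S-2002 192.0.2.45 AS64500 JP app_access
2025-09-10T10:00:00Z carol S-3003 198.51.100.200 AS64511 NL app_access
"""


def parse_events(text: str) -> list:
    rows = []
    for line in text.splitlines():
        ts, user, sid, ip, asn, country, event, *extra = line.split()
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "sid": sid, "ip": ip, "asn": asn, "country": country, "event": event,
            "mfa": next((x.split("=", 1)[1] for x in extra if x.startswith("mfa=")), None),
        })
    return rows


def detect_session_replay(text: str, max_minutes: float = 60) -> list:
    """Return (session, user, detail) for sessions that look replayed:
    used from a different ASN or country than the one they were authenticated
    from within max_minutes, or used with no authentication event at all."""
    by_session = defaultdict(list)
    for r in parse_events(text):
        by_session[r["sid"]].append(r)
    findings = []
    for sid, rows in by_session.items():
        rows.sort(key=lambda r: r["ts"])
        auth = next((r for r in rows if r["event"] == "authenticate"), None)
        if auth is None:
            # A cookie that shows up without a sign-in on this IdP was minted or stolen elsewhere.
            findings.append((sid, rows[0]["user"], "session used without an observed authentication event"))
            continue
        for r in rows:
            if r["event"] == "authenticate":
                continue
            moved = r["asn"] != auth["asn"] or r["country"] != auth["country"]
            minutes = (r["ts"] - auth["ts"]).total_seconds() / 60
            if moved and minutes <= max_minutes:
                findings.append((sid, r["user"],
                                 f"authenticated from {auth['asn']}/{auth['country']} (mfa={auth['mfa']}), "
                                 f"reused from {r['asn']}/{r['country']} after {minutes:.1f} min"))
                break
    return findings


if __name__ == "__main__":
    for sid, user, detail in detect_session_replay(SAMPLE_EVENTS):
        print(sid, user, detail)
```

The MFA method is carried into the finding on purpose: a replayed session whose sign-in used SMS or a TOTP app is consistent with AiTM phishing, whereas one that used a FIDO2 authenticator points at a different theft path (malware on the endpoint, for example) and should be triaged accordingly.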

Employees should be trained to recognise phishing emails, suspicious login prompts, and the common social-engineering techniques that lead to compromise. VoidProxy's rise also illustrates a wider industry problem: the proliferation of PhaaS platforms that turn advanced attack techniques into a commodity.

Other kits, such as EvilProxy, first reported in 2022, and Salty2FA, discovered earlier this year, have shown similar abilities to bypass multi-factor authentication and hijack sessions. Each successive platform raises the stakes for defenders, as techniques once reserved for highly skilled adversaries become available to anyone willing to pay for access.

By lowering the technical barrier, these services enlarge the pool of attackers and produce phishing campaigns that are more effective, harder to detect, more persistent, and more damaging than before. VoidProxy's emergence marks a significant shift in the threat landscape, one that calls for a new approach to enterprise security.

Legacy defences that depend solely on passwords or basic multi-factor authentication will not hold against such adaptive adversaries. Organisations need layered security strategies combined with proactive resilience.

Phishing-resistant authenticators are essential, but businesses must also detect anomalies continuously, maintain rapid incident response capabilities, and train their employees adequately. Collaboration across the cybersecurity ecosystem is equally important.

Intelligence sharing between vendors, enterprises, and researchers matters because early detection of emerging threats and coordinated action can significantly reduce the damage they cause.

Against rapidly evolving PhaaS platforms, enterprises must move from reactive defence to proactive adaptation, preparing not only to withstand today's attacks but to anticipate tomorrow's. In a digital world where trust itself has become a primary target, security depends on agility and resilience.