"DKnife" is a sophisticated attack framework that targets Linux-based devices such as routers and edge devices. This article explores the DKnife attack framework. Built from seven Linux-based implants, this adversary-in-the-middle (AitM) framework lets attackers perform deep packet inspection (DPI), alter network traffic and push malicious software to the users whose traffic passes through the compromised device.
The DKnife framework has been in use since at least 2019, and as of January 2026 its command-and-control (C2) servers remain operational.

Details of the DKnife Framework

Although its implants run on Linux-based devices, DKnife's victims extend to the PCs, mobile devices and Internet of Things (IoT) devices whose traffic those devices carry. The framework is made up of several components, each intended to carry out a particular task. Among its most noteworthy capabilities are the distribution of backdoors such as ShadowPad and DarkNimbus and the hijacking of Windows and Android application updates.
These backdoors are used to steal sensitive data and establish remote access.

[Figure: the manifest response for DKnife's Android application update. Source: Talos Intelligence]

DKnife is also closely related to other cyber campaigns. Among the most important connections Cisco Talos found is the link between DKnife and the WizardNet backdoor, which was previously tied to another AitM framework named Spellbinder.
This shared infrastructure suggests that the two frameworks may be related operationally or in their development. Another of DKnife's most notable traits is its focus on Chinese-speaking users, seen in the exfiltration of data from popular Chinese mobile applications such as WeChat and the harvesting of login credentials for Chinese-language services.
Further evidence that the tool is probably used by China-linked threat actors comes from DKnife's configuration files, which include references to Chinese media domains.

[Figure: an illustration of the use of simplified Chinese in configuration-file comments. Source: Talos Intelligence]

Although most of the evidence suggests the DKnife campaign was directed at Chinese targets, some elements of the campaign, especially those connected to the WizardNet backdoor, raise the possibility that the actors operate more regionally, affecting countries other than China such as the Philippines, Cambodia and the United Arab Emirates.

DNS and Deep Packet Inspection

Deep packet inspection is a key component of the DKnife framework's attack strategy. Once a device has been compromised, DKnife can perform DNS hijacking and real-time traffic monitoring.
This hijacking lets the attackers reroute traffic and control the communication that passes through the compromised device to legitimate websites.

[Figure: an excerpt of DKnife code showing the handler for "Obtain C2" requests from the DarkNimbus Windows version. Source: Talos Intelligence]

For instance, DKnife can intercept requests for updates to Android applications. To install a backdoor on a user's device, DKnife takes control of the update manifest and substitutes a malicious download for the requested update.
The technique is effective because the victim sees a normal update prompt and believes they are downloading a genuine update. According to Talos Intelligence, DKnife can also hijack Windows binary downloads.
It has been shown to alter download URLs and introduce malware onto the victim's computer, either by redirecting users to malicious websites or by substituting malicious installers for genuine ones. Together these capabilities form a highly effective attack platform that can deliver malware, hijack traffic and exfiltrate sensitive user data. By combining DNS manipulation with application update hijacking, DKnife can covertly install backdoors and compromise private data on the devices of both individuals and organizations.
The discovery of DKnife shows a new level of sophistication in attacks that go through network devices, combining custom malware delivery, traffic manipulation and deep packet inspection. Routers, edge devices and other network infrastructure clearly need continuous monitoring to identify and counter these threats as they develop.
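The update-hijack sequence described above, as an added example that is neither DKnife's code nor any vendor's update client: a hypothetical vendor serves an Ed25519-signed update manifest, an AitM rewrite on the router path swaps the download URL for an attacker-controlled host, and two clients handle the result. A client that trusts whatever manifest arrives follows the attacker's URL, which is the behaviour the Android and Windows hijacks rely on; a client that checks the manifest against a pinned vendor key and pins the download host rejects it. The vendor host (updates.example-vendor.com), attacker host (cdn.attacker.example), manifest format and fixed signing seed are all constructed for the example, and manifest signing is one reasonable defence, not necessarily what any affected application uses.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"net/url"
)

// Manifest is a constructed, simplified update manifest: only the download URL matters here.
type Manifest struct {
	URL string `json:"url"`
}

// SignedManifest is the hypothetical vendor's wire format: raw manifest bytes plus an Ed25519 signature over them.
type SignedManifest struct {
	Manifest  json.RawMessage `json:"manifest"`
	Signature []byte          `json:"signature"`
}

// parse splits a response body into its signed envelope and the inner manifest.
func parse(body []byte) (sm SignedManifest, m Manifest, err error) {
	if err = json.Unmarshal(body, &sm); err != nil {
		return
	}
	err = json.Unmarshal(sm.Manifest, &m)
	return
}

// signManifest is the vendor side: serialise the manifest and sign exactly those bytes.
func signManifest(priv ed25519.PrivateKey, m Manifest) ([]byte, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return nil, err
	}
	return json.Marshal(SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)})
}

// aitmRewrite models what a DPI implant on a compromised router can do to a manifest it reads
// in transit: repoint the download URL at an attacker host. The signature is left as is.
func aitmRewrite(body []byte, attackerURL string) ([]byte, error) {
	sm, m, err := parse(body)
	if err != nil {
		return nil, err
	}
	m.URL = attackerURL
	if sm.Manifest, err = json.Marshal(m); err != nil {
		return nil, err
	}
	return json.Marshal(sm)
}

// naiveDownloadURL is the vulnerable client: it follows whatever URL arrives, which is
// exactly the behaviour a manifest rewrite exploits.
func naiveDownloadURL(body []byte) (string, error) {
	_, m, err := parse(body)
	return m.URL, err
}

// verifiedDownloadURL is the hardened client: the manifest must verify under a public key pinned
// in the app and the download must be HTTPS to the expected host, so a rewrite is rejected.
func verifiedDownloadURL(body []byte, pinned ed25519.PublicKey, allowedHost string) (string, error) {
	sm, m, err := parse(body)
	if err != nil {
		return "", err
	}
	if !ed25519.Verify(pinned, sm.Manifest, sm.Signature) {
		return "", fmt.Errorf("manifest signature invalid: possible tampering in transit")
	}
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" || u.Hostname() != allowedHost {
		return "", fmt.Errorf("download URL %q not allowed", m.URL)
	}
	return m.URL, nil
}

// RunScenario runs the exchange end to end on constructed data (hypothetical vendor host
// updates.example-vendor.com, attacker host cdn.attacker.example) and reports each client's verdict.
func RunScenario() (genuineErr error, naiveURL string, verifiedErr error) {
	const vendorHost = "updates.example-vendor.com"
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed demo seed, never a real key
	pub := priv.Public().(ed25519.PublicKey)
	genuine, err := signManifest(priv, Manifest{URL: "https://" + vendorHost + "/app-2.4.1.apk"})
	if err != nil {
		panic(err)
	}
	tampered, err := aitmRewrite(genuine, "https://cdn.attacker.example/app-2.4.1.apk")
	if err != nil {
		panic(err)
	}
	if naiveURL, err = naiveDownloadURL(tampered); err != nil {
		panic(err)
	}
	_, genuineErr = verifiedDownloadURL(genuine, pub, vendorHost)
	_, verifiedErr = verifiedDownloadURL(tampered, pub, vendorHost)
	return genuineErr, naiveURL, verifiedErr
}

func main() { fmt.Println(RunScenario()) }
```

The rewrite succeeds against the naive client without any exploit: the manifest travels as data the router can read, and the client has no way to tell a forwarded manifest from a rewritten one. Pinning the download host alone would not be enough either, since an attacker who controls DNS on the same router can answer for that host; the signature check is what ties the manifest to the vendor rather than to the network path.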