Overview
- Talos describes DKnife as a gateway-focused toolkit made up of seven Linux implants that run on routers and edge devices for deep packet inspection, traffic manipulation, and malware delivery.
- The framework hijacks DNS over IPv4 and IPv6, replaces Android application updates and Windows binary downloads, and monitors user activity in real time.
- Operators use DKnife to deliver ShadowPad and DarkNimbus, with Talos noting that DarkNimbus is supplied by the Chinese firm UPSEC.
- Infrastructure overlaps link DKnife to the Spellbinder ecosystem and TheWizards, including an IP hosting the WizardNet backdoor previously deployed via Spellbinder.
- Evidence points to targeting of Chinese-speaking users and services, including credential harvesting via TLS termination for a major Chinese email provider, though prior WizardNet use in the Philippines, Cambodia, and the UAE suggests broader reach.