DKnife: Inside China’s Router-Based Surveillance Framework


Cisco Talos has unveiled DKnife, a sophisticated adversary-in-the-middle framework that turns routers into surveillance platforms. Active since 2019, it represents a new frontier in state-sponsored infrastructure compromise.

The Core Insight

DKnife isn’t just malware—it’s a complete surveillance ecosystem. Comprising seven Linux-based implants, it performs deep packet inspection, traffic manipulation, and targeted malware delivery through compromised routers and edge devices. The framework enables monitoring of everything from WeChat messages to shopping habits, dating app usage to email communications.

What makes DKnife particularly dangerous is its position: by compromising the router layer, attackers gain visibility into all traffic traversing the network, regardless of what device generates it—PCs, phones, IoT devices, everything.

Why This Matters

The Edge Device Threat Surface

Routers and edge devices remain prime targets in sophisticated attack campaigns. Unlike endpoint compromises that require per-device exploitation, a single router compromise can expose an entire network. DKnife exploits this asymmetry ruthlessly.

The Seven Horsemen

DKnife’s modular architecture enables precise targeting:

Component      Function
dknife.bin     Central nervous system: packet inspection, DNS hijacking, download interception
postapi.bin    Data relay to C2 servers
sslmm.bin      TLS termination, email decryption (modified from HAProxy)
mmdown.bin     APK updater for mobile compromises
yitiji.bin     Bridged TAP interface for injecting LAN traffic
remote.bin     P2P VPN for C2 communication
dkupdate.bin   Watchdog keeping components alive

The Attack Vectors

DKnife’s capabilities are extensive:
  • Credential harvesting: Presents its own TLS certificates, terminates POP3/IMAP connections, extracts credentials in plaintext
  • Binary hijacking: Replaces legitimate Windows downloads with ShadowPad backdoor payloads
  • App update interception: Hijacks Android app updates from Chinese news, e-commerce, gaming platforms
  • DNS hijacking: Redirects JD.com-related domains over both IPv4 and IPv6
  • AV interference: Disrupts 360 Total Security and Tencent security products

Key Takeaways

  • Infrastructure overlap with TheWizards APT: DKnife shares IP addresses hosting WizardNet, linking multiple threat actors
  • Chinese-speaking focus: Credential harvesting for Chinese email services, WeChat exfiltration modules, Chinese media domain references
  • ShadowPad and DarkNimbus delivery: Framework delivers established backdoors via DLL side-loading
  • Real-time activity monitoring: Categories include messaging, shopping, news, maps, video, gaming, dating, taxi requests
  • IPv6 support: DNS hijacking works across both protocols—don’t assume IPv6 provides safety

Looking Ahead

The connection to Earth Minotaur’s MOONSHINE exploit kit and DarkNimbus backdoor places DKnife within a larger ecosystem of Chinese APT tools. The infrastructural overlap with TheWizards group suggests either shared resources or coordination between threat actors targeting similar demographics.

For defenders, the implications are clear:
1. Monitor edge devices: Router compromise exposes everything downstream
2. Verify TLS certificates: Certificate substitution is a key DKnife technique
3. Segment IoT: Don’t let compromised smart devices provide network pivot points
4. Watch for update anomalies: Legitimate-looking app updates may be malicious
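As an added example (not code from Talos or the article), here is a Python check a defender can run against their own IMAPS/POP3S server to spot the certificate substitution described above; the hostname, pin values and sample certificate are constructed placeholders.

```python
import hashlib
import socket
import ssl
# Added example (not Talos' or the article's code): inspect the certificate a mail
# server presents on IMAPS/POP3S for signs of DKnife-style TLS termination.
# Hostname, pin values and the sample certificate below are constructed.

def cert_fingerprint(der):
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def hostname_matches(san_names, hostname):
    """True if hostname is covered by a SAN DNS entry (single-label wildcard only)."""
    host = hostname.lower()
    for name in (n.lower() for n in san_names):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def assess_peer_cert(cert, hostname, der, expected_pins):
    """Findings about a getpeercert()-style dict plus its DER bytes; [] means OK.
    expected_pins: SHA-256 fingerprints recorded out of band over a trusted path."""
    findings = []
    if cert_fingerprint(der) not in expected_pins:
        findings.append("fingerprint not in pin set: possible substituted certificate")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not hostname_matches(names, hostname):
        findings.append(f"{hostname} not covered by SAN {names}")
    if cert.get("subject") == cert.get("issuer"):
        findings.append("self-issued certificate (subject == issuer)")
    return findings

def fetch_mail_cert(hostname, port=993, timeout=10):
    """Implicit TLS (993 IMAPS / 995 POP3S); chain validation stays on, so an
    untrusted issuer raises ssl.SSLCertVerificationError, which is itself a finding."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    # Constructed sample: a self-issued wildcard certificate with no recorded pin.
    sample_der = b"constructed-der-bytes"
    sample_cert = {"subject": ((("commonName", "*.example.test"),),),
                   "issuer": ((("commonName", "*.example.test"),),),
                   "subjectAltName": (("DNS", "*.example.test"),)}
    print(assess_peer_cert(sample_cert, "imap.example.test", sample_der, set()))
```

Run fetch_mail_cert against your own server from a path you trust to record the pin, then compare from the network you suspect; a differing fingerprint or a verification error on the same server is the signal to investigate.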

The DKnife discovery reinforces an uncomfortable truth: in sophisticated threat environments, the network itself cannot be trusted. Zero-trust architectures aren’t just buzzwords—they’re defensive necessities when adversaries control the infrastructure layer.


Based on analysis of “Knife Cutting the Edge” by Cisco Talos researcher Ashley Shen

Tags: #APT #RouterSecurity #CyberEspionage #ThreatIntelligence #DKnife #IoTSecurity
