{"id":210764,"date":"2026-02-06T13:35:00","date_gmt":"2026-02-06T18:35:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/02\/06\/dknife-linux-toolkit-hijacks-router-traffic-to-spy-deliver-malware\/"},"modified":"2026-02-06T15:00:10","modified_gmt":"2026-02-06T20:00:10","slug":"dknife-linux-toolkit-hijacks-router-traffic-to-spy-deliver-malware","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/02\/06\/dknife-linux-toolkit-hijacks-router-traffic-to-spy-deliver-malware\/","title":{"rendered":"DKnife Linux toolkit hijacks router traffic to spy, deliver malware"},"content":{"rendered":"

DKnife Linux toolkit hijacks router traffic to spy, deliver malware<\/a><\/p>\n

https:\/\/www.bleepingcomputer.com\/news\/security\/dknife-linux-toolkit-hijacks-router-traffic-to-spy-deliver-malware\/<\/a><\/p>\n

Publish Date: 2026-02-06 13:35:00<\/a><\/p>\n

Source Domain: www.bleepingcomputer.com<\/a><\/p>\n

\n

A newly discovered toolkit called DKnife has been used since 2019 to hijack traffic at the edge-device level and deliver malware in espionage campaigns.<\/p>\n

The framework serves as a\u00a0post-compromise framework for traffic monitoring and adversary-in-the-middle (AitM) activities. It is designed to intercept and manipulate traffic destined for endpoints (computers, mobile devices, IoTs) on the network.<\/p>\n

Researchers at Cisco Talos say that DKnife is an ELF framework with seven Linux-based components designed for deep packet inspection (DPI), traffic manipulation, credential harvesting, and malware delivery.<\/p>\n

\"Wiz\"<\/p>\n

The malware features Simplified Chinese language artifacts in component names and code comments, and explicitly targets Chinese services such as email providers, mobile apps, media domains, and WeChat users.<\/p>\n

Talos researchers assess with high confidence that the operator of DKnife is a China-nexus threat actor.<\/p>\n

\"DKnife'sDKnife’s seven components and their functionality<\/strong>
Source: Cisco Talos<\/p>\n

Researchers couldn’t determine how the network equipment is compromised, but found that DKnife\u00a0delivers and interacts with the ShadowPad and DarkNimbus backdoors, both associated with Chinese threat actors.<\/p>\n

DKnife consists of seven modules, each responsible for specific activities related to communication with the C2 servers, relaying or altering\u00a0traffic, and hiding the malicious traffic origin:<\/p>\n