SOC Prime Bias: Critical

09 Feb 2026 19:16

Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework

Ruslan Mikhalov, Chief of Threat Research at SOC Prime

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Cisco Talos uncovered DKnife, a Linux-based gateway-monitoring adversary-in-the-middle (AitM) framework that tampers with traffic passing through compromised routers and other exposed edge appliances while pushing the ShadowPad and DarkNimbus backdoors. Active since at least 2019, its command-and-control infrastructure remained reachable into early 2026. DKnife primarily targets Chinese-speaking users and can hijack Android app updates, binary downloads, DNS queries, and even antivirus traffic. The framework is linked to the WizardNet modular backdoor and shares lineage with the Spellbinder AitM framework.

Investigation

Talos examined ELF implants, configuration files, and network telemetry to map seven main components providing deep-packet inspection, DNS hijacking, traffic redirection, and credential harvesting. Infrastructure review surfaced multiple C2 hosts and ports used to serve malicious “updates.” The research also details how DKnife coordinates with ShadowPad and DarkNimbus, intercepts Baidu update requests, and returns forged responses to victims.

Mitigation

Block known C2 IP addresses and domains, watch for abnormal DNS answers and unusual patterns on router management interfaces, and enforce strict certificate validation to resist TLS interception. Harden router firmware, disable unneeded services, and use network segmentation to constrain lateral movement. Regularly update devices and verify router firmware signatures.

Response

If DKnife is detected, isolate the compromised device, capture memory and network logs, and cut off C2 communication. Perform forensic review of configuration files and retrieved payloads, then clean or re-image the device. Notify affected users and refresh detection signatures with the identified IOCs.

Attack Flow

    graph TB
        %% Class definitions
        classDef action fill:#99ccff
        classDef tool fill:#cccccc
        classDef process fill:#ffcc99

        %% Nodes - Attack Steps
        step_supply_chain["<b>Action</b> – <b>T1195.002 Supply Chain Compromise</b><br/>Hijack Android app update manifests to deliver malicious APKs."]
        class step_supply_chain action
        tool_malicious_apk["<b>Tool</b> – <b>Name</b>: Malicious APK<br/><b>Description</b>: Compromised Android package delivered via fake update."]
        class tool_malicious_apk tool
        step_persistence["<b>Action</b> – <b>T1037.004 RC Scripts</b><br/>Modify /etc/rc.local to launch DKnife binaries at boot for persistence."]
        class step_persistence action
        tool_dknife["<b>Tool</b> – <b>Name</b>: DKnife<br/><b>Description</b>: Malware binary executed from rc.local."]
        class tool_dknife tool
        step_priv_esc["<b>Action</b> – <b>T1037.004 RC Scripts</b><br/>Same rc.local modification provides elevated execution (privilege escalation)."]
        class step_priv_esc action
        step_cred_harvest["<b>Action</b> – <b>T1606 Credential Harvesting</b><br/>Host phishing pages via hijacked HTTP responses to capture user credentials."]
        class step_cred_harvest action
        step_input_capture["<b>Action</b> – <b>T1056 Input Capture</b><br/>Decrypt POP3/IMAP traffic via TLS termination to collect email credentials."]
        class step_input_capture action
        tool_haproxy["<b>Tool</b> – <b>Name</b>: Modified HAProxy<br/><b>Description</b>: Performs TLS termination and MITM for traffic interception."]
        class tool_haproxy tool
        step_network_discovery["<b>Action</b> – <b>T1016.001 Network Interface Discovery</b><br/>Deep packet inspection to collect device identifiers and user activity."]
        class step_network_discovery action
        step_active_scanning["<b>Action</b> – <b>T1595 Active Scanning</b><br/>Scan traffic for target applications and extract data."]
        class step_active_scanning action
        step_proxy["<b>Action</b> – <b>T1090 Proxy</b><br/>Use HAProxy instance as a proxy for man-in-the-middle attacks."]
        class step_proxy action
        step_data_staging["<b>Action</b> – <b>T1074 Data Staging</b><br/>Stage harvested data locally before exfiltration."]
        class step_data_staging action
        step_automated_exfil["<b>Action</b> – <b>T1020.001 Automated Exfiltration</b><br/>Duplicate traffic and send captured data over HTTP."]
        class step_automated_exfil action
        step_exfil_alt_proto["<b>Action</b> – <b>T1048 Exfiltration Over Alternative Protocol</b><br/>Transmit data via HTTP(S) to C2."]
        class step_exfil_alt_proto action
        step_c2["<b>Action</b> – <b>T1071.001 Web Protocols</b><br/>Communicate with C2 using HTTP(S) for updates and tasking."]
        class step_c2 action

        %% Connections - Attack Flow
        step_supply_chain -->|delivers| tool_malicious_apk
        tool_malicious_apk -->|installs and triggers| step_persistence
        step_persistence -->|executes| tool_dknife
        tool_dknife -->|provides| step_priv_esc
        step_priv_esc -->|enables| step_cred_harvest
        step_cred_harvest -->|captures| step_input_capture
        step_input_capture -->|uses| tool_haproxy
        tool_haproxy -->|enables| step_network_discovery
        step_network_discovery -->|feeds| step_active_scanning
        step_active_scanning -->|identifies targets for| step_proxy
        step_proxy -->|facilitates| step_data_staging
        step_data_staging -->|prepares for| step_automated_exfil
        step_automated_exfil -->|sends data via| step_exfil_alt_proto
        step_exfil_alt_proto -->|delivers to| step_c2

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An attacker has deployed the DKnife framework on the compromised host. To establish C2, the framework sends short UDP “beacon” packets to three hard-coded ports (8005, 555, 5644) on the attacker-controlled server. The traffic is minimal, contains no payload signatures, and is crafted to blend with typical network management traffic. This matches T1037/T1547 (boot-time script execution) because the beacon is launched at system start, and T1546.006 as the attacker relies on a “trap” – the firewall rule that watches for this specific port pattern.

  • Regression Test Script:

    # DKnife UDP beacon simulation – PowerShell
    $targetIP = "192.0.2.10"   # Replace with C2 server IP (TEST-NET-1 placeholder)
    $ports    = @(8005,555,5644)
    
    foreach ($port in $ports) {
        $udpClient = New-Object System.Net.Sockets.UdpClient
        $payload   = [Text.Encoding]::ASCII.GetBytes("DKnifeBeacon")
        # Send returns the byte count; discard it so it is not echoed to the console
        $udpClient.Send($payload, $payload.Length, $targetIP, $port) | Out-Null
        $udpClient.Close()
        # ${targetIP} must be braced: "$targetIP:$port" is parsed as a scope-qualified
        # variable reference and throws "Variable reference is not valid"
        Write-Host "Sent beacon to ${targetIP}:$port"
        Start-Sleep -Seconds 2   # spacing to mimic real beacon cadence
    }
  • Cleanup Commands:

    # No persistent changes were made; just ensure no lingering sockets.
    # Get-NetUDPEndpoint objects cannot be piped straight into Stop-Process; use the
    # endpoint's OwningProcess id instead. The simulation binds ephemeral source ports,
    # so this normally matches nothing and is a safety net only.
    Get-NetUDPEndpoint | Where-Object { $_.LocalPort -in 8005,555,5644 } |
        ForEach-Object { Stop-Process -Id $_.OwningProcess -Force -ErrorAction SilentlyContinue }
    Write-Host "Cleanup complete – no lingering UDP endpoints."
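
The detection side of the beacon pattern described in the attack narrative, as an added example that is not part of the SOC Prime page or its detection content: a Python detector run over constructed firewall log lines that flags a source only when it has sent small UDP datagrams to all three hard-coded ports on the same destination within a short window. The key=value log format, the 30-second window and the 64-byte size cutoff are assumptions.

```python
"""Detect the DKnife-style UDP beacon: small datagrams from one source to all three
hard-coded ports (8005, 555, 5644) on one destination inside a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

BEACON_PORTS = {8005, 555, 5644}
WINDOW = timedelta(seconds=30)      # assumed: the three beacons arrive seconds apart
MAX_BEACON_BYTES = 64               # assumed: beacons are "minimal"; bulk UDP is not one

def parse_line(line):
    """Parse one constructed key=value log line; return None unless it is UDP."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    if fields.get("proto") != "udp":
        return None
    return {"ts": datetime.fromisoformat(fields["ts"]), "src": fields["src"],
            "dst": fields["dst"], "dport": int(fields["dport"]),
            "bytes": int(fields["bytes"])}

def find_beacon_pairs(lines):
    """Return sorted (src, dst, first_ts) for pairs that completed all three ports in WINDOW."""
    events = defaultdict(list)                      # (src, dst) -> [(ts, dport)]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] in BEACON_PORTS and rec["bytes"] <= MAX_BEACON_BYTES:
            events[(rec["src"], rec["dst"])].append((rec["ts"], rec["dport"]))
    hits = []
    for (src, dst), evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):           # slide a window from each event
            ports = {p for t, p in evs[i:] if t - t0 <= WINDOW}
            if ports == BEACON_PORTS:
                hits.append((src, dst, t0))
                break
    return sorted(hits)

SAMPLE_LOG = """\
ts=2026-02-09T19:16:00 proto=udp src=10.0.0.5 dst=192.0.2.10 dport=8005 bytes=12
ts=2026-02-09T19:16:02 proto=udp src=10.0.0.5 dst=192.0.2.10 dport=555 bytes=12
ts=2026-02-09T19:16:04 proto=udp src=10.0.0.5 dst=192.0.2.10 dport=5644 bytes=12
ts=2026-02-09T19:16:05 proto=udp src=10.0.0.7 dst=192.0.2.10 dport=8005 bytes=12
ts=2026-02-09T19:16:06 proto=udp src=10.0.0.7 dst=192.0.2.10 dport=555 bytes=12
ts=2026-02-09T19:16:07 proto=tcp src=10.0.0.7 dst=192.0.2.10 dport=5644 bytes=12
ts=2026-02-09T19:20:00 proto=udp src=10.0.0.9 dst=192.0.2.10 dport=5644 bytes=1400
ts=2026-02-09T19:20:01 proto=udp src=10.0.0.9 dst=192.0.2.10 dport=8005 bytes=12
ts=2026-02-09T19:20:02 proto=udp src=10.0.0.9 dst=192.0.2.10 dport=555 bytes=12
""".splitlines()   # only 10.0.0.5 completes it: .7 used TCP for 5644, .9 sent bulk UDP

if __name__ == "__main__":
    for src, dst, ts in find_beacon_pairs(SAMPLE_LOG):
        print(f"DKnife beacon pattern: {src} -> {dst} starting {ts.isoformat()}")
```

Feeding the regression script's real traffic through the same logic requires only that the firewall export the fields used here; the size and window thresholds should be tuned against a baseline of legitimate management traffic before the rule is promoted.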