‘DKnife’ Implant Used by Chinese Threat Actor for Adversary-in-the-Middle Attacks

For well over half a decade, a China-linked threat actor has been operating a gateway-monitoring and adversary-in-the-middle (AitM) framework to deliver and interact with backdoors, Cisco’s Talos researchers warn.

Dubbed DKnife, the framework consists of seven Linux-based implants designed for deep packet inspection, traffic manipulation, and malware delivery, and has been active since at least 2019.

The framework mainly targets Chinese-speaking users, delivering and interacting with backdoors such as ShadowPad and DarkNimbus on desktop, mobile, and IoT devices.

DarkNimbus, also known as DarkNights, is supplied by the Chinese firm UPSEC, which was previously associated with the Chinese APT TheWizards, the operator of the Spellbinder AitM framework.

According to Talos, there are overlaps between DKnife and Spellbinder TTPs, and the WizardNet backdoor has been distributed by DKnife, suggesting “a shared development or operational lineage”.

The same as Spellbinder, DKnife targets Chinese platforms and applications, including mail and messaging services. Its ...