{"id":4411,"date":"2026-02-06T20:37:43","date_gmt":"2026-02-06T20:37:43","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2026\/02\/06\/chinese-made-malware-kit-targets-chinese-based-routers-and-edge-devices\/"},"modified":"2026-02-06T20:37:43","modified_gmt":"2026-02-06T20:37:43","slug":"chinese-made-malware-kit-targets-chinese-based-routers-and-edge-devices","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2026\/02\/06\/chinese-made-malware-kit-targets-chinese-based-routers-and-edge-devices\/","title":{"rendered":"Chinese-Made Malware Kit Targets Chinese-Based Routers and Edge Devices"},"content":{"rendered":"<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-37c174fe-949b-4a6a-b78f-22a798c49e98\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>A malware framework that remained hidden for years has been discovered by security researchers at Cisco Talos.<\/p>\n<p>The researchers were hunting for samples of DarkNimbus, a backdoor linked to the MOONSHINE exploit kit, both of which have been known since 2023, when they found a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework they had never seen before.<\/p>\n<p>Cisco Talos researchers have shared technical details about this framework, which they dubbed DKnife, in a new report published on February 5.<\/p>\n<p>Used since at least 2019 and still active in January 2026, DKnife targets Chinese-speaking users, and the Talos researchers assessed \u201cwith high confidence\u201d that it was made by Chinese-nexus threat actors.<\/p>\n<p>This assessment is based on \u201cthe language used in the code, configuration files and the ShadowPad malware delivered in the campaign.\u201d<\/p>\n<p>The researchers also discovered overlaps between DKnife\u2019s infrastructure and a campaign delivering WizardNet, a modular backdoor known to be delivered by Spellbinder, a 
different AitM framework, suggesting a shared development or operational lineage.<\/p>\n<h2><strong>DKnife Capabilities Explained<\/strong><\/h2>\n<p>DKnife is a Linux-based (x86-64) framework designed for gateway-level attacks, enabling operators to monitor, manipulate and hijack network traffic on compromised routers or edge devices.<\/p>\n<p>It is made up of seven executable and linkable format (ELF) binaries that operate together to carry out deep packet inspection (DPI), traffic interception and malicious payload delivery.<\/p>\n<\/div>\n<figure id=\"layout-82965edb-8c95-4168-ab63-b320cc9ee1aa\" data-layout-id=\"4\" data-edit-folder-name=\"image\" data-index=\"1\"><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/localimages\/eb857255-9364-4be1-af39-6e66d707521b.jpg\" alt=\"Example of an Android APK download hijacking workflow using DKnife. Source: Cisco Talos\"><figcaption>Example of an Android APK download hijacking workflow using DKnife. Source: Cisco Talos<\/figcaption><\/figure>\n<div id=\"layout-4f2d50d5-7bff-45d5-9804-c222db342029\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"2\">\n<p>The framework is built for Linux-based gateway systems, especially those running CentOS or Red Hat Enterprise Linux, and includes support for Point-to-Point Protocol over Ethernet (PPPoE), virtual local area network (VLAN) tagging and bridged interfaces. 
This makes it well suited to running on compromised routers and similar network devices.<\/p>\n<p>The framework performs several key functions, including serving command-and-control (C2) updates for backdoors such as DarkNimbus and ShadowPad.<\/p>\n<\/div>\n<figure id=\"layout-309d80a0-ad04-408d-9ec8-be029cd509d2\" data-layout-id=\"4\" data-edit-folder-name=\"image\" data-index=\"3\"><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/localimages\/4724bb8f-0e43-4c23-9966-c9094801b54b.jpg\" alt=\"ShadowPad and DarkNimbus backdoors delivered by DKnife. Source: Cisco Talos\"><figcaption>ShadowPad and DarkNimbus backdoors delivered by DKnife. Source: Cisco Talos<\/figcaption><\/figure>\n<div id=\"layout-e98406a1-808b-4b4b-a2ca-7577d55f9887\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"4\">\n<p>It also enables domain name system (DNS) hijacking and the interception of legitimate downloads of Android applications and Windows binaries so that they can be substituted with malicious payloads.<\/p>\n<p>DKnife can disrupt traffic from security products, such as antivirus updates, and exfiltrate user activity to remote C2 servers. Its modular architecture and phishing templates allow for both covert monitoring and active in-line attacks, which makes it a powerful tool for maintaining persistent access to compromised networks.<\/p>\n<p>\u201cOverall, the evidence suggests a well-integrated and evolving toolchain of AitM frameworks and backdoors, underscoring the need for continuous visibility and monitoring of routers and edge infrastructure,\u201d the Talos researchers concluded.<\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A malware framework that remained hidden for years has been discovered by security researchers at Cisco Talos. 
The researchers were hunting for samples of DarkNimbus, a backdoor linked to the MOONSHINE exploit kit, both of which have been known since 2023, when they found a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework they had never seen before. Cisco Talos researchers<\/p>\n","protected":false},"author":2,"featured_media":4412,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4411","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4411-f9975536-657a-4f3b-9706-b59f0c06aff9.jpg",300,300,false],"thumbnail":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4411-f9975536-657a-4f3b-9706-b59f0c06aff9-150x150.jpg",150,150,true],"medium":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4411-f9975536-657a-4f3b-9706-b59f0c06aff9.jpg",300,300,false],"medium_large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4411-f9975536-657a-4f3b-9706-b59f0c06aff9.jpg",300,300,false],"large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4411-f9975536-657a-4f3b-9706-b59f0c06aff9.jpg",300,300,false],"1536x1536":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4411-f9975536-657a-4f3b-9706-b59f0c06aff9.jpg",300,300,false],"2048x2048":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4411-f9975536-657a-4f3b-9706-b59f0c06aff9.jpg",300,300,false],"morenews-featured":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4411-f9975536-657a-4f3b-9706-b59f0c06aff9.jpg",300,300,false],"morenews-large":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4411-f9975536-657a-4f3b-9706-b59f0c06aff9.jpg",300,300,false],"morenews-medium":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4411-f9975536-657a-4f3b-9706-b59f0c06aff9.jpg",300,300,false],"crawlomatic_preview_image":["http:\/\/ft365.org\/wp-content\/uploads\/2026\/02\/4411-f9975536-657a-4f3b-9706-b59f0c06aff9-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"http:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"http:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4411","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=4411"}],"version-history":[{"count":0,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4411\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/4412"}],"wp:attachment":[{"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=4411"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=4411"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=4411"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
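The two gateway-level behaviours the article attributes to DKnife, DNS answers rewritten by a compromised router and an APK or Windows installer swapped in transit, are both observable from a client behind that gateway, which is one concrete way to act on the Talos call for continuous monitoring of edge infrastructure. The Python below is an added example; it is not code from the Talos report or from the DKnife framework. The hostnames, addresses and file bytes are constructed sample data, and the rule that groups resolver answers by /24 (IPv4) or /48 (IPv6) to tolerate CDN rotation is an assumption chosen for illustration.

```python
"""Client-side checks for gateway AitM: rewritten DNS answers and substituted
installers.  Sample data is constructed for this example; nothing here is
DKnife code or Talos tooling."""
from __future__ import annotations

import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Leading bytes of the installer formats the article says DKnife swaps in transit.
MAGIC = {
    "apk": b"PK\x03\x04",                        # APK is a ZIP container
    "exe": b"MZ",                                # Windows PE image
    "msi": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE compound file
}


@dataclass
class Download:
    url: str                        # what the client asked for
    final_url: str                  # where the bytes actually came from, after redirects
    declared_length: Optional[int]  # Content-Length header, if the server sent one
    body: bytes


def _ext(url: str) -> str:
    path = urlparse(url).path
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


def check_download(d: Download, pinned_sha256: Optional[str] = None) -> list[str]:
    """Return findings for one transfer; an empty list means nothing looked substituted."""
    findings: list[str] = []
    kind = _ext(d.url)
    # A .apk that arrives as a PE (or vice versa) is the crudest substitution signal.
    if kind in MAGIC and not d.body.startswith(MAGIC[kind]):
        findings.append(f"magic mismatch: requested .{kind} but body starts with {d.body[:4]!r}")
    # An in-line swap frequently leaves the server's original Content-Length in place.
    if d.declared_length is not None and d.declared_length != len(d.body):
        findings.append(f"length mismatch: Content-Length {d.declared_length}, received {len(d.body)}")
    # A transfer that ends on a host other than the one requested deserves a look.
    if urlparse(d.final_url).hostname != urlparse(d.url).hostname:
        findings.append(f"served from unexpected host {urlparse(d.final_url).hostname}")
    # Strongest check: a hash obtained out of band (vendor page read over a different network).
    if pinned_sha256 is not None and hashlib.sha256(d.body).hexdigest() != pinned_sha256:
        findings.append("sha256 mismatch against pinned value")
    return findings


def _prefix(ip: str):
    """Collapse an address to its /24 or /48 so CDN rotation inside one block is not flagged (assumed rule)."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_network(f"{ip}/{24 if addr.version == 4 else 48}", strict=False)


def dns_disagreements(gateway: dict[str, set[str]], reference: dict[str, set[str]]) -> dict[str, set[str]]:
    """Names for which none of the gateway resolver's answers share a prefix with the
    answers from an independent resolver (for example one reached over DoH on another
    network).  A wholesale move to unrelated address space is the signal worth escalating;
    plain set inequality would fire constantly on CDN-hosted names."""
    suspect: dict[str, set[str]] = {}
    for name, gw_ips in gateway.items():
        ref_prefixes = {_prefix(ip) for ip in reference.get(name, set())}
        if ref_prefixes and not any(_prefix(ip) in ref_prefixes for ip in gw_ips):
            suspect[name] = set(gw_ips)
    return suspect


# Constructed sample data (RFC 5737 / documentation ranges, not real infrastructure).
GATEWAY_ANSWERS = {
    "update.example.com": {"203.0.113.7"},                    # rewritten by the gateway
    "cdn.example.net": {"198.51.100.20", "198.51.100.21"},    # ordinary CDN rotation
}
REFERENCE_ANSWERS = {
    "update.example.com": {"192.0.2.10", "192.0.2.11"},
    "cdn.example.net": {"198.51.100.22"},
}


def run_demo() -> dict:
    """Run both checks over the constructed data and return the findings."""
    legit = Download("https://dl.example.com/app.apk", "https://dl.example.com/app.apk",
                     6, b"PK\x03\x04\x00\x00")
    pinned = hashlib.sha256(legit.body).hexdigest()          # hash of the genuine APK
    swapped = Download("https://dl.example.com/app.apk", "https://dl.example.com/app.apk",
                       6, b"MZ\x90\x00\x03\x00\x00\x00")     # PE served in place of the APK
    return {
        "legit": check_download(legit, pinned),
        "swapped": check_download(swapped, pinned),
        "dns": dns_disagreements(GATEWAY_ANSWERS, REFERENCE_ANSWERS),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

To use this against a real gateway, feed `dns_disagreements` the answers from the router's resolver and from an independent resolver reached over a different path, and give `check_download` the bytes of an installer together with a hash obtained out of band. The pinned hash is the only check here that also catches a same-format swap (one EXE replaced by another EXE), which is why the vendor's published digest, or a code-signature check, should be the final word rather than the magic-byte or length heuristics.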