A previously undocumented China-linked adversary-in-the-middle (AitM) framework called DKnife has operated on network gateways since at least 2019 and remained active in early 2026, intercepting and manipulating in-transit traffic.
KEY FACTS
- Threat: DKnife adversary-in-the-middle framework
- Active: since at least 2019; still active in early 2026
- Target: network gateways and other edge devices rather than endpoints
- Capabilities: DPI, credential interception, update hijacking and DNS manipulation
DKnife is modular and Linux-based, and is deployed on edge devices to give operators visibility and control over traffic flows instead of compromising endpoints directly.
A technical analysis by Cisco Talos reported that the framework includes seven Linux ELF components. They perform deep packet inspection, data reporting, reverse proxying for AitM attacks, malicious APK delivery, framework updates, traffic forwarding and a peer-to-peer command and control channel. Talos also reported that the campaign delivered known backdoors such as ShadowPad and DarkNimbus, and that the framework's configuration data and code comments are written in Simplified Chinese.
Once deployed on a gateway, the framework can inspect unencrypted and decrypted flows, selectively modify responses, and redirect legitimate software update requests to attacker-controlled servers that deliver secondary payloads posing as trusted updates.
DKnife also supports DNS manipulation, binary replacement and selective traffic forwarding. One module disrupts antivirus and PC management communications: it matches specific HTTP headers in client requests and sends crafted TCP reset packets to tear down the connections to the identified services.
Indicators of compromise and ClamAV signatures are published alongside the analysis to support detection and blocking of the framework.
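The reset-injection module described above leaves network-level tells that a defender can hunt for in a capture taken on the LAN side of the gateway. The following is an added example, not code from the Talos analysis or from DKnife itself: it runs two classic on-path injection heuristics over a constructed list of simplified packet records (the kind a pcap parser would yield). First, an RST whose IP TTL differs from the TTL the same endpoint used earlier in the flow, since an in-path gateway sits fewer hops away than the real peer. Second, payload from an endpoint arriving after that endpoint supposedly reset the connection, which means the real peer never sent the RST. The hosts, ports, header name and timings are all constructed sample values.

```python
"""Heuristic detection of injected TCP resets in captured flows.

Added example (constructed data, not the Talos analysis or DKnife code).
Input is a list of simplified packet records; heuristics:
  1. rst_ttl_mismatch: RST TTL differs from the TTL this endpoint used
     earlier in the same flow (an on-path device is fewer hops away).
  2. data_after_rst: an endpoint keeps sending payload after it supposedly
     reset the connection (the real peer never sent the RST).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # TCP flag letters, e.g. "S", "SA", "PA", "R", "FA"
    ttl: int
    payload: bytes = b""


def flow_key(p):
    """Direction-independent 4-tuple so both halves of a connection share a key."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def first_line(data):
    """First line of an HTTP message, for triage context in alerts."""
    return data.split(b"\r\n", 1)[0].decode("ascii", "replace") if data else ""


def detect_injected_resets(packets):
    ttl_baseline = {}   # (flow, endpoint) -> TTL of first non-RST packet seen
    rst_ts = {}         # (flow, endpoint) -> time that endpoint "sent" an RST
    last_payload = {}   # (flow, endpoint) -> most recent payload from endpoint
    alerts = []
    for p in sorted(packets, key=lambda x: x.ts):
        k = flow_key(p)
        me, peer = (p.src, p.sport), (p.dst, p.dport)
        ctx = {"flow": k, "ts": p.ts,
               "last_request": first_line(last_payload.get((k, peer), b""))}
        if "R" in p.flags:
            base = ttl_baseline.get((k, me))
            if base is not None and base != p.ttl:
                alerts.append({"kind": "rst_ttl_mismatch",
                               "detail": f"RST ttl={p.ttl} but {p.src} used ttl={base} earlier",
                               **ctx})
            rst_ts[(k, me)] = p.ts
            continue
        ttl_baseline.setdefault((k, me), p.ttl)
        if p.payload:
            if (k, me) in rst_ts:
                gap = p.ts - rst_ts[(k, me)]
                alerts.append({"kind": "data_after_rst",
                               "detail": f"{p.src} sent {len(p.payload)} bytes {gap:.3f}s after its RST",
                               **ctx})
            last_payload[(k, me)] = p.payload
    return alerts


# Constructed sample capture: one management-agent check-in that gets an
# on-path reset, one ordinary FIN-closed connection, one genuine closed-port RST.
C, S_AV, S_WEB = "10.0.0.5", "203.0.113.10", "198.51.100.7"
SAMPLE = [
    # Flow A: client check-in; RST "from" S_AV carries a TTL the real server never used,
    # and the real server's 200 OK still arrives afterwards.
    Pkt(0.000, C, 51000, S_AV, 80, "S", 64),
    Pkt(0.020, S_AV, 80, C, 51000, "SA", 50),
    Pkt(0.021, C, 51000, S_AV, 80, "A", 64),
    Pkt(0.022, C, 51000, S_AV, 80, "PA", 64,
        b"GET /heartbeat HTTP/1.1\r\nHost: av.example\r\nX-Agent: av-console\r\n\r\n"),
    Pkt(0.023, S_AV, 80, C, 51000, "R", 61),
    Pkt(0.060, S_AV, 80, C, 51000, "PA", 50,
        b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    # Flow B: ordinary TLS connection closed with FIN from both sides.
    Pkt(1.000, C, 51001, S_WEB, 443, "S", 64),
    Pkt(1.030, S_WEB, 443, C, 51001, "SA", 55),
    Pkt(1.031, C, 51001, S_WEB, 443, "PA", 64, b"\x16\x03\x01"),
    Pkt(1.060, S_WEB, 443, C, 51001, "PA", 55, b"\x16\x03\x03"),
    Pkt(1.100, C, 51001, S_WEB, 443, "FA", 64),
    Pkt(1.130, S_WEB, 443, C, 51001, "FA", 55),
    # Flow C: genuine RST from a closed port; no TTL baseline, so no alert.
    Pkt(2.000, C, 51002, S_WEB, 8443, "S", 64),
    Pkt(2.030, S_WEB, 8443, C, 51002, "RA", 55),
]

if __name__ == "__main__":
    for a in detect_injected_resets(SAMPLE):
        print(a["kind"], a["flow"], a["detail"], "| after:", a["last_request"])
```

Both alerts for flow A carry the first line of the client request that preceded the reset, which is the field to pivot on when hunting for header-triggered resets: a cluster of alerts whose preceding request targets the same security-product or management endpoint is the pattern to look for. The TTL heuristic needs a baseline from earlier packets in the flow, so a reset that is the peer's very first packet (flow C) is deliberately not flagged.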
WHY IT MATTERS
Because DKnife operates on gateways, it can compromise many downstream systems without direct endpoint access. The published indicators and signatures give defenders concrete artifacts to hunt for and block the tool.

