What Makes China’s DKnife Framework So Dangerous?

A comprehensive analysis of a long-running cyber-espionage campaign has unveiled a previously undocumented adversary-in-the-middle (AitM) framework operated by threat actors linked to China, representing a significant evolution in network-level intrusions. This sophisticated toolkit, active since at least 2019 and observed to be operational into early 2026, is engineered for deployment at network gateways, providing attackers with a powerful and clandestine vantage point. From this strategic position, operators can intercept, inspect, and manipulate the in-transit traffic of a wide array of devices, including personal computers, mobile phones, and Internet of Things (IoT) hardware. This approach is particularly insidious because it allows the compromise of downstream systems without the need to directly target and exploit individual endpoints, turning a network’s own infrastructure into a weapon against its users and undermining the very foundation of trusted digital communication.

Anatomy of a Network-Level Threat

The DKnife framework is a highly modular, Linux-based system meticulously designed to execute a range of malicious activities, from deep packet inspection (DPI) and credential interception to the injection of malicious content into legitimate data streams. Its architecture is composed of seven distinct Linux ELF (Executable and Linkable Format) components, each serving a specialized purpose. Together, these modules form a cohesive and powerful toolkit: a sophisticated DPI engine analyzes traffic, a data reporting mechanism exfiltrates stolen information, and a reverse proxy facilitates the core adversary-in-the-middle attacks. Additional components are dedicated to serving malicious Android Application Packages (APKs), managing framework updates, forwarding traffic with granular control, and establishing a resilient peer-to-peer (P2P) communication channel with the remote command and control (C2) server. This modular design provides the operators with flexibility and resilience, allowing them to adapt their attacks to different network environments and objectives.

Once deployed on a compromised network gateway or a similar edge device, DKnife’s true power is unleashed as it inspects both unencrypted and decrypted traffic flows in real time. This capability enables its operators to selectively modify server responses before they ever reach their intended recipients, effectively poisoning the data stream. A primary attack vector observed in the wild involves the hijacking of legitimate software update requests. The framework intercepts these requests and redirects them to attacker-controlled servers, which then deliver secondary payloads disguised as trusted updates. This method was used to deploy and interact with well-known backdoors such as ShadowPad and DarkNimbus, compromising systems that believed they were receiving legitimate software patches. Beyond this potent technique, the framework’s capabilities extend to DNS manipulation, on-the-fly binary replacement for a wide range of files, and selective traffic forwarding, granting attackers unparalleled control over a network’s communications.
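The update-hijack described above works because the client trusts whatever the network path hands back. The following Python is an added illustration of the client-side policy that defeats it; it is not code from the report, the vendor, or the framework. It assumes a constructed vendor host (`updates.example-vendor.test`) and a payload hash that the client obtained before touching the network (for example, embedded in the previously installed, signed release). Any redirect that leaves the allow-listed host is refused outright, and a payload that arrives from the right host but was swapped in transit is rejected by the pinned hash. All sample responses are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed vendor update host (constructed; not a real endpoint).
ALLOWED_HOSTS = {"updates.example-vendor.test"}
REDIRECT_CODES = {301, 302, 307, 308}


@dataclass
class Response:
    """One HTTP response as the updater would observe it (constructed)."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def host_allowed(url: str) -> bool:
    """Only HTTPS to an allow-listed host counts as the vendor."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in ALLOWED_HOSTS


def validate_update(chain: list, pinned_sha256: str):
    """Return (accepted, reason) for a download chain.

    chain lists the responses in the order a client would see them:
    the first request, then the target of each redirect.  Every hop
    must stay on an allowed host, and the final body must hash to a
    value the client already knew before it touched the network.
    """
    if not chain:
        return False, "no response"
    for i, resp in enumerate(chain):
        if not host_allowed(resp.url):
            return False, f"disallowed host or scheme: {resp.url}"
        if i < len(chain) - 1:
            if resp.status not in REDIRECT_CODES:
                return False, f"non-redirect status {resp.status} mid-chain"
            location = resp.headers.get("Location", "")
            if not host_allowed(location):
                return False, f"redirect off allow-list: {location}"
            if location != chain[i + 1].url:
                return False, "redirect target does not match next hop"
    final = chain[-1]
    if final.status != 200:
        return False, f"final status {final.status}"
    digest = hashlib.sha256(final.body).hexdigest()
    if digest != pinned_sha256:
        return False, f"hash mismatch: got {digest[:12]}..."
    return True, "ok"


# --- constructed sample data ------------------------------------------
GOOD_URL = "https://updates.example-vendor.test/agent-2.1.bin"
GENUINE_BODY = b"example-vendor agent 2.1 (constructed payload)"
# Pinned value, assumed shipped inside the previously installed release.
PINNED_SHA256 = hashlib.sha256(GENUINE_BODY).hexdigest()

# 1. Untouched path: the vendor answers directly.
DIRECT = [Response(GOOD_URL, 200, body=GENUINE_BODY)]

# 2. Update-hijack pattern: the gateway rewrites the vendor's answer into
#    a redirect to an attacker host (TEST-NET-3 address, constructed).
EVIL_URL = "http://203.0.113.10/agent-2.1.bin"
HIJACKED = [
    Response(GOOD_URL, 302, headers={"Location": EVIL_URL}),
    Response(EVIL_URL, 200, body=b"not the vendor's binary"),
]

# 3. Same host, but the body was swapped in transit.
TAMPERED = [Response(GOOD_URL, 200, body=b"not the vendor's binary")]

SAMPLES = (("direct", DIRECT), ("hijacked", HIJACKED), ("tampered", TAMPERED))


def run_samples() -> dict:
    """Evaluate the three constructed chains; returns name -> accepted."""
    return {name: validate_update(chain, PINNED_SHA256)[0]
            for name, chain in SAMPLES}


if __name__ == "__main__":
    for name, chain in SAMPLES:
        print(f"{name:9s} -> {validate_update(chain, PINNED_SHA256)}")
```

The pinned hash is the part that matters against an in-path adversary: host and scheme checks stop the crude redirect, but only a value that never travelled over the compromised link catches a payload substituted on the legitimate host's own response. In practice the pin is a signature over a manifest rather than a bare digest; the structure of the check is the same.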

Tracing the Framework’s Origins

Researchers assess with high confidence that DKnife is operated by China-nexus threat actors, a conclusion supported by multiple converging lines of evidence discovered within the framework’s code and operational data. A direct linguistic link was established through configuration files and code comments written in Simplified Chinese. Furthermore, the framework’s internal logic was specifically tailored to handle communications with Chinese-language email providers and mobile applications, indicating that its developers possessed a deep, intrinsic understanding of the regional technology ecosystem. The tool also includes features explicitly designed for credential collection from online services predominantly used within China, suggesting a targeted intelligence-gathering objective aimed at a specific user base. This connection to China-aligned actors is further solidified by the fact that DKnife campaigns were confirmed to be delivering malware families, most notably ShadowPad, which have a long and documented history of being used in operations attributed to Chinese state-sponsored groups over many years.

A key feature that underscores the sophistication of the DKnife framework is its built-in capability to actively sabotage security and system management tools, thereby evading detection and weakening the security posture of the targeted network. A dedicated traffic inspection module is designed to identify and disrupt communications related to specific antivirus and PC-management software. Research highlights that the framework actively targets 360 Total Security, a popular antivirus product, by inspecting specific HTTP headers like DPUname and x-360-ver and matching known service domains associated with the security software. Upon detection, DKnife sends crafted TCP reset packets to abruptly terminate the connection, preventing the security tool from communicating with its servers for critical updates or threat reporting. Similar disruptive behavior was observed targeting Tencent services and other PC management endpoints, demonstrating a deliberate and systematic effort by the operators to maintain their foothold and operate undetected within the compromised environment for extended periods.
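A forged reset from an in-path gateway leaves two traces a sensor on the client side can look for. The Python below is an added defender's example, not the report's own detection logic or anything from the framework: it applies two heuristics that are assumptions of this example, flagging a RST whose IP TTL differs from the TTL earlier packets in the same direction carried (a box one hop away rarely matches the real server's hop count), and flagging a flow on which the supposed sender keeps transmitting after "its" reset. Alerts are also tagged when the client request just before the reset carried one of the header names the report says the framework keys on. All packet records are constructed, not captures.

```python
from collections import namedtuple

# Constructed packet records (not captures).  flags is a set of TCP flag
# letters; payload is the TCP data, if any.
Pkt = namedtuple("Pkt", "ts src sport dst dport flags ttl payload",
                 defaults=(b"",))

# Header names named in the report as the framework's trigger, lower-cased
# for case-insensitive matching against raw request bytes.
WATCHED_HEADERS = (b"dpuname:", b"x-360-ver:")


def detect_injected_rst(packets, ttl_tolerance=0):
    """Return alerts for RSTs that look forged by an in-path device.

    Heuristics (assumptions of this example):
      ttl_mismatch      - the RST's TTL differs from the TTL seen on earlier
                          packets travelling in the same direction.
      traffic_after_rst - the claimed sender keeps sending on the flow after
                          "its" RST, which a genuine sender would not do.
    """
    baseline_ttl = {}   # (src, sport, dst, dport) -> TTL of first packet seen
    last_payload = {}   # same key -> most recent TCP payload in that direction
    rst_seen = set()    # directions on which a RST has been observed
    continued = set()   # directions already reported for traffic_after_rst
    alerts = []
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if "R" in p.flags:
            prior = baseline_ttl.get(key)
            if prior is not None and abs(prior - p.ttl) > ttl_tolerance:
                req = last_payload.get(rev, b"").lower()
                alerts.append({
                    "ts": p.ts, "flow": key, "reason": "ttl_mismatch",
                    "expected_ttl": prior, "rst_ttl": p.ttl,
                    "after_watched_request": any(h in req for h in WATCHED_HEADERS),
                })
            rst_seen.add(key)
            continue
        if key in rst_seen and key not in continued:
            continued.add(key)
            alerts.append({"ts": p.ts, "flow": key, "reason": "traffic_after_rst"})
        baseline_ttl.setdefault(key, p.ttl)
        if p.payload:
            last_payload[key] = p.payload
    return alerts


# --- constructed sample traffic ----------------------------------------
CLIENT, SERVER = "192.0.2.10", "198.51.100.20"        # TEST-NET addresses
REQUEST = (b"GET /update HTTP/1.1\r\nHost: update.example-vendor.test\r\n"
           b"DPUname: constructed\r\nx-360-ver: constructed\r\n\r\n")

SAMPLE = [
    # Flow 1: the gateway (one hop from the client) forges a RST right after
    # the request, then the real reply still arrives with the server's TTL.
    Pkt(0.000, CLIENT, 51234, SERVER, 80, {"S"}, 64),
    Pkt(0.020, SERVER, 80, CLIENT, 51234, {"S", "A"}, 52),
    Pkt(0.021, CLIENT, 51234, SERVER, 80, {"A"}, 64),
    Pkt(0.022, CLIENT, 51234, SERVER, 80, {"A", "P"}, 64, REQUEST),
    Pkt(0.023, SERVER, 80, CLIENT, 51234, {"R"}, 63),        # forged
    Pkt(0.040, SERVER, 80, CLIENT, 51234, {"A", "P"}, 52),   # genuine reply
    # Flow 2: a benign reset that really comes from the server.
    Pkt(1.000, CLIENT, 51235, SERVER, 443, {"S"}, 64),
    Pkt(1.020, SERVER, 443, CLIENT, 51235, {"S", "A"}, 52),
    Pkt(1.500, SERVER, 443, CLIENT, 51235, {"R"}, 52),
]


if __name__ == "__main__":
    for alert in detect_injected_rst(SAMPLE):
        print(alert)
```

The TTL check is the cheaper signal but needs a baseline, so the first packet of a flow cannot be judged; the continued-traffic check needs no baseline but only fires once the genuine peer sends again. Run on a span port or a host-based capture at the client side of the gateway, the combination is enough to turn the reset storms described above into an alert rather than a silent failure of the security tool's update channel.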

Implications for Network Defense

The comprehensive investigation uncovered technical overlaps between DKnife and other adversary-in-the-middle frameworks, suggesting a potential shared lineage or collaboration among threat groups. Researchers identified a distinct link between DKnife and a separate campaign that delivered WizardNet, a modular backdoor known to be associated with an AitM framework called Spellbinder. This connection indicated that the threat actors behind these sophisticated tools may have shared development resources, operational infrastructure, or tactical knowledge, pointing toward a more mature and collaborative ecosystem of cyber-espionage tooling than previously understood. In response to these findings, a detailed list of indicators of compromise (IoCs) was released to the security community, including specific file hashes, network artifacts, and command-and-control infrastructure. Alongside these IoCs, a set of ClamAV signatures was developed and distributed, providing defenders with tangible tools designed to detect and block this pervasive and dangerous network-level threat.
