DKnife gateway-monitoring malware framework
Malware Activity
Summary
The discovery of DKnife exposes a long-running malware framework that has remained active since at least 2019, raising the risk of gateway-level traffic interception on compromised Linux routers and edge devices. It is designed for deep packet inspection, traffic hijacking, and malicious payload delivery, making it a serious edge-network threat. Researchers assess with high confidence that it is tied to Chinese-nexus threat actors and that it targets Chinese-speaking users. Its persistence suggests an established operational capability rather than a one-off tool.
Related Happenings
ScarCruft sqgame[.]net supply-chain espionage campaign
Campaign
First: 05.05.2026 12:07
Last: 05.05.2026 12:07
Sources 1
About this happening:
**ScarCruft**'s **late-2024** supply-chain campaign against **sqgame[.]net** expanded a niche gaming platform compromise into a **multi-platform espionage channel**. The operation...
GopherWhisper China-aligned APT campaign targeting Mongolian government institutions
Campaign
First: 23.04.2026 12:04
Last: 23.04.2026 12:04
Sources 1
About this happening:
The **GopherWhisper** campaign is a **China-aligned APT operation** targeting **Mongolian governmental institutions**, and it now appears to extend beyond a single compromise to *...
RondoDox botnet expands mining and DDoS capabilities
Malware Activity
First: 16.04.2026 20:52
Last: 16.04.2026 20:52
Sources 1
About this happening:
**RondoDox botnet** now combines **cryptocurrency mining with XMRig** and **DDoS attacks**, expanding both monetization and disruption risk across exposed systems. It reaches targ...
Electrum and Kamicite destructive OT/ICS campaign
Campaign
First: 17.02.2026 23:31
Last: 17.02.2026 23:31
Sources 1
About this happening:
A **2025 destructive campaign** tied to **Electrum** and **Kamicite** combined **persistent scanning** with attacks that could disrupt industrial and communications infrastructure...
DKnife Linux AitM malware activity targeting routers and edge devices
Malware Activity
First: 06.02.2026 16:56
Last: 06.02.2026 16:56
Sources 1
About this happening:
Researchers disclosed **DKnife**, a **China-nexus AitM framework** active since **at least 2019**, because it can **inspect packets, hijack downloads, and deliver malware** across...
Timeline
- 06.02.2026 19:00 · 1 article
Cisco Talos publishes DKnife technical analysis
Technical Analysis Update
Cisco Talos published technical details about DKnife on February 5, describing a previously hidden Linux-based gateway-monitoring and adversary-in-the-middle framework used since at least 2019 and still active in January 2026. The framework targets Chinese-speaking users, was assessed with high confidence as built by Chinese-nexus threat actors, and runs on compromised routers or edge devices to monitor, manipulate, and hijack network traffic through deep packet inspection, traffic interception, and malicious payload delivery. The framework is made up of seven ELF binaries and shares infrastructure overlaps with a campaign delivering WizardNet and Spellbinder.
Sources
- Chinese-Made Malware Kit Targets Chinese-Based Routers and Edge Devices — www.infosecurity-magazine.com — 06.02.2026 19:00