DKnife Linux AitM malware activity targeting routers and edge devices
Malware Activity
Summary
Hide ▲
Show ▼
Researchers disclosed DKnife, a China-nexus AitM framework active since at least 2019, because it can inspect packets, hijack downloads, and deliver malware across routers and edge devices. The framework also reaches PCs, mobile devices, and IoT devices, making the operational impact broader than a single network segment. Its credential-harvesting and traffic-manipulation functions increase the risk of account theft, malicious redirects, and payload delivery. The activity matters because it shows a persistent, modular toolset built for in-line interception and malware staging.
Related Happenings
UAT-7810 expands LapDogs ORB network to provide covert routing infrastructure
Threat Actor Meta
H score29
First: 08.07.2026 17:30
Last: 08.07.2026 17:30
Sources 1
About this happening:
**UAT-7810** expanded its **LapDogs ORB network**, adding covert routing capacity that helps other hackers hide traffic origin and reach **high-value targets**. The infrastructure...
UAT-7810 expands LapDogs ORB network to provide covert routing infrastructure
Threat Actor MetaAbout this happening: **UAT-7810** expanded its **LapDogs ORB network**, adding covert routing capacity that helps other hackers hide traffic origin and reach **high-value targets**. The infrastructure...
UAT-7810 malware toolkit expansion with LONGLEASH, DOGLEASH, and JARLEASH
Malware Activity
H score27
First: 08.07.2026 17:30
Last: 08.07.2026 17:30
Sources 1
About this happening:
**Chinese threat actor UAT-7810** is **actively refining** its bespoke malware to expand the **LapDogs ORB network** by breaking into **internet-facing networking devices**. The a...
UAT-7810 malware toolkit expansion with LONGLEASH, DOGLEASH, and JARLEASH
Malware ActivityAbout this happening: **Chinese threat actor UAT-7810** is **actively refining** its bespoke malware to expand the **LapDogs ORB network** by breaking into **internet-facing networking devices**. The a...
UAT-7810 Operational Relay Box network-building campaign
Campaign
H score39
First: 08.07.2026 12:04
Last: 08.07.2026 12:04
Sources 1
About this happening:
An **ongoing UAT-7810 campaign** is expanding **Operational Relay Box (ORB) networks** by breaking into **internet-facing networking devices**, increasing relay capacity for downs...
UAT-7810 Operational Relay Box network-building campaign
CampaignAbout this happening: An **ongoing UAT-7810 campaign** is expanding **Operational Relay Box (ORB) networks** by breaking into **internet-facing networking devices**, increasing relay capacity for downs...
CloudZ RAT Pheno Microsoft Phone Link credential-theft activity
Malware Activity
H score24
First: 05.05.2026 13:03
Last: 05.05.2026 13:03
Sources 1
About this happening:
The **CloudZ RAT** is now using the **Pheno** plugin to hijack **Microsoft Phone Link** sessions and steal **SMS-based OTPs** and other sensitive codes, increasing the risk of acc...
CloudZ RAT Pheno Microsoft Phone Link credential-theft activity
Malware ActivityAbout this happening: The **CloudZ RAT** is now using the **Pheno** plugin to hijack **Microsoft Phone Link** sessions and steal **SMS-based OTPs** and other sensitive codes, increasing the risk of acc...
China-nexus threat-Flax Typhoon-Volt Typhoon alliance reshapes ransomware ecosystem operations
Threat Actor Meta
H score33
First: 23.04.2026 23:52
Last: 23.04.2026 23:52
Sources 1
About this happening:
**China-nexus** threat actors are industrializing covert botnet infrastructure, expanding **deniable reconnaissance**, **malware delivery**, and **data exfiltration** against **US...
China-nexus threat-Flax Typhoon-Volt Typhoon alliance reshapes ransomware ecosystem operations
Threat Actor MetaAbout this happening: **China-nexus** threat actors are industrializing covert botnet infrastructure, expanding **deniable reconnaissance**, **malware delivery**, and **data exfiltration** against **US...
Timeline
-
06.02.2026 16:56 1 articles · 5mo ago
DKnife Linux AitM malware activity targeting routers and edge devices
Initial DisclosureThe earliest visible phase is a **router- and edge-device foothold** built around **Linux implants** that support **packet inspection** and **traffic manipulation**. From that base, the operators can begin **credential harvesting** and **download hijacking** against Chinese-language targets.
Show sources
- China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery — thehackernews.com — 06.02.2026 16:56