DKnife Linux AitM malware activity targeting routers and edge devices
Malware Activity
Summary
Researchers disclosed DKnife, a China-nexus AitM framework active since at least 2019, because it can inspect packets, hijack downloads, and deliver malware across routers and edge devices. The framework also reaches PCs, mobile devices, and IoT devices, making the operational impact broader than a single network segment. Its credential-harvesting and traffic-manipulation functions increase the risk of account theft, malicious redirects, and payload delivery. The activity matters because it shows a persistent, modular toolset built for in-line interception and malware staging.
Related Happenings
CloudZ RAT Pheno Microsoft Phone Link credential-theft activity
Malware Activity
First: 05.05.2026 13:03
Last: 05.05.2026 13:03
Sources 1
About this happening:
The **CloudZ RAT** is now using the **Pheno** plugin to hijack **Microsoft Phone Link** sessions and steal **SMS-based OTPs** and other sensitive codes, increasing the risk of acc...
China-nexus threat-Flax Typhoon-Volt Typhoon alliance reshapes ransomware ecosystem operations
Threat Actor Meta
First: 23.04.2026 23:52
Last: 23.04.2026 23:52
Sources 1
About this happening:
**China-nexus** threat actors are industrializing covert botnet infrastructure, expanding **deniable reconnaissance**, **malware delivery**, and **data exfiltration** against **US...
China-nexus hijacked-device proxy network campaign
Campaign
First: 23.04.2026 15:28
Last: 23.04.2026 15:28
Sources 1
About this happening:
China-nexus hackers are **increasingly using** large-scale proxy networks of hijacked consumer devices to **evade detection**, making malicious traffic harder to trace and block....
MacOS LOTL detection and hardening guidance against native-tool abuse
Defensive Guidance
First: 22.04.2026 19:30
Last: 22.04.2026 19:30
Sources 1
About this happening:
Defensive guidance now pushes **macOS** security teams to detect native-tool abuse by shifting toward **process lineage analysis**, because attackers are using built-in features t...
RondoDox botnet expands mining and DDoS capabilities
Malware Activity
First: 16.04.2026 20:52
Last: 16.04.2026 20:52
Sources 1
About this happening:
**RondoDox botnet** now combines **cryptocurrency mining with XMRig** and **DDoS attacks**, expanding both monetization and disruption risk across exposed systems. It reaches targ...
Timeline
06.02.2026 16:56 1 articles · 3mo ago
DKnife Linux AitM malware activity targeting routers and edge devices
Initial Disclosure: The earliest visible phase is a **router- and edge-device foothold** built around **Linux implants** that support **packet inspection** and **traffic manipulation**. From that base, the operators can begin **credential harvesting** and **download hijacking** against Chinese-language targets.
Sources:
- China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery — thehackernews.com — 06.02.2026 16:56