Find notable cyber news and cases, enriched with sources, timelines, and signals.

DKnife Linux AitM malware activity targeting routers and edge devices

Malware Activity
First reported
Last updated
Happening score
H score 30
1 unique sources, 1 articles

Summary

Hide ▲

Researchers disclosed DKnife, a China-nexus AitM framework active since at least 2019, because it can inspect packets, hijack downloads, and deliver malware across routers and edge devices. The framework also reaches PCs, mobile devices, and IoT devices, making the operational impact broader than a single network segment. Its credential-harvesting and traffic-manipulation functions increase the risk of account theft, malicious redirects, and payload delivery. The activity matters because it shows a persistent, modular toolset built for in-line interception and malware staging.

Related Happenings

UAT-7810 expands LapDogs ORB network to provide covert routing infrastructure

Threat Actor Meta
H score29 First: 08.07.2026 17:30 Last: 08.07.2026 17:30 Sources 1

About this happening: **UAT-7810** expanded its **LapDogs ORB network**, adding covert routing capacity that helps other hackers hide traffic origin and reach **high-value targets**. The infrastructure...

UAT-7810 malware toolkit expansion with LONGLEASH, DOGLEASH, and JARLEASH

Malware Activity
H score27 First: 08.07.2026 17:30 Last: 08.07.2026 17:30 Sources 1

About this happening: **Chinese threat actor UAT-7810** is **actively refining** its bespoke malware to expand the **LapDogs ORB network** by breaking into **internet-facing networking devices**. The a...

UAT-7810 Operational Relay Box network-building campaign

Campaign
H score39 First: 08.07.2026 12:04 Last: 08.07.2026 12:04 Sources 1

About this happening: An **ongoing UAT-7810 campaign** is expanding **Operational Relay Box (ORB) networks** by breaking into **internet-facing networking devices**, increasing relay capacity for downs...

CloudZ RAT Pheno Microsoft Phone Link credential-theft activity

Malware Activity
H score24 First: 05.05.2026 13:03 Last: 05.05.2026 13:03 Sources 1

About this happening: The **CloudZ RAT** is now using the **Pheno** plugin to hijack **Microsoft Phone Link** sessions and steal **SMS-based OTPs** and other sensitive codes, increasing the risk of acc...

China-nexus threat-Flax Typhoon-Volt Typhoon alliance reshapes ransomware ecosystem operations

Threat Actor Meta
H score33 First: 23.04.2026 23:52 Last: 23.04.2026 23:52 Sources 1

About this happening: **China-nexus** threat actors are industrializing covert botnet infrastructure, expanding **deniable reconnaissance**, **malware delivery**, and **data exfiltration** against **US...

Timeline

  1. 06.02.2026 16:56 1 articles · 5mo ago

    DKnife Linux AitM malware activity targeting routers and edge devices

    Initial Disclosure

    The earliest visible phase is a **router- and edge-device foothold** built around **Linux implants** that support **packet inspection** and **traffic manipulation**. From that base, the operators can begin **credential harvesting** and **download hijacking** against Chinese-language targets.

    Show sources