Active since at least 2019, the China-linked framework operates at network gateways to inspect and manipulate in-transit traffic, allowing attackers to redirect updates, disrupt security tooling, and deliver backdoors.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

Cisco Talos discovered DKnife, a China-linked adversary-in-the-middle framework active since 2019 that operates at network gateways to intercept and manipulate traffic. The modular Linux-based system performs deep packet inspection, hijacks software updates to deliver backdoors like ShadowPad and DarkNimbus, and actively disrupts security tools like 360 Total Security. The framework consists of seven components that enable DNS manipulation, credential theft, and binary replacement without directly compromising endpoints.

DKnife targets network gateways in long running AitM campaign