China-Linked Hackers Exploit Linux Devices to Manipulate Traffic and Deploy Malware
A sophisticated cyber threat, known as DKnife, has recently been identified, posing a significant risk to network security. This malicious framework is attributed to threat actors with connections to China and specifically targets Linux-based routers and edge devices. By compromising these critical network gateways, attackers can establish a persistent presence within a target’s infrastructure, enabling them to monitor data flow and manipulate network traffic with high precision.
DKnife functions as a comprehensive Adversary-in-the-Middle (AitM) framework designed to inspect network packets in real time. Active since at least 2019, it largely evaded detection until recently. The framework comprises multiple components that work together to hijack legitimate user requests, such as software updates, and substitute malicious content for the genuine response. This tactic allows attackers to install backdoors on devices connected to the compromised network without the user’s knowledge.
Analysts at Cisco Talos discovered the DKnife malware while investigating the distribution of the DarkNimbus backdoor. Their analysis revealed that DKnife is not merely a passive monitoring tool but an active attack platform. It can intercept traffic destined for specific services, particularly those popular among Chinese-speaking users, and inject malicious payloads. This discovery underscores the evolving tactics of threat actors who are increasingly shifting their operations to edge devices to evade traditional endpoint security measures.
The ramifications of a DKnife infection are extensive. Once a router is compromised, every device connected to it becomes a potential target. The malware can selectively disrupt traffic from antivirus products, preventing them from updating or communicating with their servers. Additionally, it can harvest sensitive user data, including credentials and device identifiers, effectively transforming the network gateway into a comprehensive espionage tool.
The Mechanics of Traffic Hijacking and Malware Delivery
At the core of DKnife’s offensive capabilities is its ability to seamlessly hijack binary downloads. The framework employs a sophisticated deep packet inspection (DPI) engine that continuously monitors network traffic for specific types of requests, such as Android application updates or Windows executable downloads. When a matching request is detected, the malware intervenes before the request reaches the legitimate server.
This process involves several distinct steps. The compromised gateway intercepts the initial update manifest request and checks it against a local configuration file. If a match is found, DKnife sends a forged response back to the victim’s device. This response redirects the download to a malicious URL hosted on a virtual internal network created by the malware itself.
This internal network is managed by a component called `yitiji.bin`, which creates a bridged interface to route the attacker’s traffic. By keeping the malicious delivery within this virtual local area network, the attackers avoid IP address conflicts and reduce the risk of detection by external network monitoring tools.
This stealthy mechanism ensures that the victim believes they are downloading a legitimate update, while in reality, they are installing backdoors like ShadowPad or DarkNimbus, effectively granting the attackers full control over the endpoint device.
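As an added illustration (not code from the Talos report or from DKnife itself), the following Python audits a log of update-manifest exchanges recorded at a point the gateway cannot rewrite, such as the endpoint's own HTTP client log or a monitor upstream of the router, and flags responses whose download URL was steered into private address space or to a different domain than the vendor origin, which is the tell-tale of the redirect described above. The vendor host names and records are constructed; the rule also flags cleartext downloads, since an AitM gateway can only rewrite what it can read.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample update-manifest exchanges (not captured DKnife traffic):
# (host the client asked for its manifest, download URL returned in the response).
SAMPLE_EXCHANGES = [
    ("updates.example-vendor.test", "https://updates.example-vendor.test/app-2.1.apk"),
    ("updates.example-vendor.test", "http://10.0.0.7/app-2.1.apk"),
    ("updates.example-vendor.test", "http://cdn.example-vendor.test/app-2.1.apk"),
    ("updates.example-vendor.test", "http://192.168.5.5:8080/update.exe"),
    ("dl.other-vendor.test", "https://169.254.10.1/setup.exe"),
]

def registrable_domain(host: str) -> str:
    """Last two DNS labels; a real deployment would consult the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_private_host(host: str) -> bool:
    """True when the download host is an IP literal in private, link-local or loopback space."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return ip.is_private or ip.is_link_local or ip.is_loopback

def classify(requested_host: str, download_url: str) -> str:
    """Label one manifest response by how far its download URL strays from the vendor origin."""
    parsed = urlparse(download_url)
    host = parsed.hostname or ""
    if is_private_host(host):
        return "suspicious: private address"
    if registrable_domain(host) != registrable_domain(requested_host):
        return "suspicious: cross-domain redirect"
    if parsed.scheme != "https":
        return "weak: cleartext download"
    return "ok"

def audit(exchanges):
    """Return (requested_host, download_url, verdict) for every exchange."""
    return [(req, url, classify(req, url)) for req, url in exchanges]

def suspicious_count(exchanges) -> int:
    return sum(1 for _, _, v in audit(exchanges) if v.startswith("suspicious"))

if __name__ == "__main__":
    for req, url, verdict in audit(SAMPLE_EXCHANGES):
        print(f"{verdict:32} {req} -> {url}")
```

A manifest that is itself forged can carry any digest it likes, so checking the downloaded file against a hash taken from the same manifest does not help here; the origin and address checks above do not depend on the manifest's contents.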
Broader Implications and Related Threats
The emergence of DKnife is part of a broader trend of sophisticated cyberattacks targeting Linux-based systems. For instance, in October 2025, Chinese hackers were reported to be actively targeting Linux devices with a sophisticated SSH backdoor dubbed ELF/Sshdinjector.A!tr. This malware, attributed to the DaggerFly espionage group, has been used in the Lunar Peek campaign since mid-November 2024, primarily targeting network appliances and IoT devices.
Similarly, in February 2026, a Chinese threat group identified as Houken exploited multiple zero-day vulnerabilities in Ivanti Cloud Service Appliance (CSA) devices to deploy advanced Linux rootkits and establish persistent access to critical infrastructure networks. The campaign, which began in September 2024, successfully compromised organizations across governmental, telecommunications, media, finance, and transport sectors in France and beyond.
These incidents highlight a growing focus on Linux-based systems by threat actors, particularly those linked to China. The use of sophisticated tools like DKnife, ELF/Sshdinjector.A!tr, and advanced rootkits indicates a strategic shift towards targeting network infrastructure to gain long-term access and control over critical systems.
Mitigation Strategies
Given the increasing sophistication of these attacks, organizations must adopt comprehensive security measures to protect their network infrastructure. Regularly updating and patching systems, implementing robust access controls, and monitoring network traffic for unusual activity are essential steps. Additionally, organizations should consider deploying advanced threat detection systems capable of identifying and mitigating complex threats like DKnife.
Collaboration between cybersecurity researchers, industry stakeholders, and government agencies is also crucial in sharing threat intelligence and developing effective countermeasures against these evolving threats.
Conclusion
The discovery of DKnife underscores the evolving tactics of threat actors targeting Linux-based devices. By compromising network gateways, attackers can manipulate traffic, deploy malware, and establish persistent access to critical systems. Organizations must remain vigilant and implement robust security measures to defend against these sophisticated threats.