What Is DKnife?
DKnife is an ELF‑based toolkit, first identified in 2019, that runs on compromised edge devices (gateways and routers) to intercept and manipulate the network traffic passing through them. It consists of seven Linux components that together provide deep packet inspection (DPI), in‑transit traffic modification, credential harvesting, and malware delivery.
Key Capabilities
- Deep packet inspection and real‑time traffic analysis.
- Modification of in‑transit packets to inject malicious Android APKs or Windows payloads into the traffic a victim receives.
- Credential harvesting from intercepted communications.
- Targeted delivery of malware to mobile devices and Windows systems.
- Monitoring of WeChat voice/video calls, text messages, images, and articles.
Targeted Services and Languages
The toolkit contains Simplified Chinese artifacts in its component names and code comments, and its targeting logic explicitly focuses on Chinese services: email providers, mobile apps, media domains, and the WeChat platform.
Attribution
Researchers at Cisco Talos assess with high confidence that DKnife is operated by a China‑nexus threat actor that uses compromised gateway devices to monitor user activity and exfiltrate data in real time.
Mitigation and Detection
Organizations can reduce the risk of DKnife infections, and limit the damage an infected gateway can do, by:
- Deploying network‑level intrusion detection at the perimeter to flag injected payloads and anomalous downloads, for example a response whose body is an executable while its declared content type is a web page or image.
- Monitoring for unusual traffic patterns at edge devices and gateways, including unexpected outbound connections from the devices themselves.
- Enforcing strict application allow‑listing on mobile and Windows endpoints so that an injected APK or executable cannot run even if it reaches the device.
- Verifying the code signatures or published hashes of downloaded binaries before installation, since an on‑path tool can replace a legitimate download with a malicious one.
- Regularly updating firmware and applying security patches on routers, gateways, and IoT devices, because the toolkit depends on a foothold on those devices.
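As an added example (not code from Cisco Talos or from the DKnife report), the following Python script implements the first of these checks: it scans gateway or proxy response records for bodies that carry the magic bytes of a Windows PE executable or of the ZIP container used by APKs while the declared Content-Type says the response is a page, image, or script. The record format and the sample records are constructed for this example; a real deployment would feed it from the proxy or IDS that captures response headers and the first bytes of each body.

```python
"""Flag HTTP responses whose body bytes contradict the declared content type.

Added example, not part of the DKnife report. Assumes a gateway or proxy
that records, per response, the host, path, declared Content-Type and the
first bytes of the body (the ResponseRecord shape below is an assumption).
An on-path tool that swaps a page or image for an APK or Windows executable
leaves a mismatch between the declared type and the body's magic bytes.
"""
from dataclasses import dataclass
from typing import List, Optional

# Magic bytes of the payload formats named in the text: a PE executable and
# the ZIP container an APK is packaged in. Assumed detection set.
BINARY_MAGIC = {
    b"MZ": "windows-pe",
    b"PK\x03\x04": "zip-or-apk",
}

# Declared content types under which a PE or APK body is never legitimate.
NON_BINARY_TYPES = ("text/", "image/", "application/json", "application/javascript")


@dataclass
class ResponseRecord:
    host: str
    path: str
    content_type: str
    body_head: bytes  # first bytes of the response body as seen at the gateway


def detect_format(body_head: bytes) -> Optional[str]:
    """Return the binary format name if the body starts with a known magic."""
    for magic, name in BINARY_MAGIC.items():
        if body_head.startswith(magic):
            return name
    return None


def check_response(rec: ResponseRecord) -> Optional[str]:
    """Return a finding when an executable body arrives under a non-binary
    content type, else None. A PE or ZIP body under a matching binary
    content type (a genuine download) is not flagged."""
    fmt = detect_format(rec.body_head)
    if fmt is None:
        return None
    ctype = rec.content_type.split(";")[0].strip().lower()
    if ctype.startswith(NON_BINARY_TYPES):
        return f"{rec.host}{rec.path}: declared {ctype} but body is {fmt}"
    return None


def scan(records: List[ResponseRecord]) -> List[str]:
    """Run check_response over every record and collect the findings."""
    return [f for f in (check_response(r) for r in records) if f]


# Constructed sample records; hosts and paths are placeholders, not real traffic.
SAMPLE = [
    ResponseRecord("news.example.cn", "/article/123", "text/html; charset=utf-8", b"<!DOCTYPE html>"),
    ResponseRecord("news.example.cn", "/article/124", "text/html; charset=utf-8", b"MZ\x90\x00\x03\x00"),
    ResponseRecord("cdn.example.cn", "/img/logo.png", "image/png", b"PK\x03\x04\x14\x00"),
    ResponseRecord("dl.example.cn", "/app.apk", "application/vnd.android.package-archive", b"PK\x03\x04\x14\x00"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Only two of the four sample records are flagged: the HTML page whose body is a PE file and the PNG whose body is a ZIP. The genuine APK download is left alone because its declared type matches, so the check produces findings only for the mismatch an injection would cause, not for every binary crossing the gateway.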
Automation and Response
Using a security orchestration platform such as Tines, teams can automate the triage of alerts like the ones above and the containment steps that follow (isolating the affected gateway, blocking the injected download's hash), reducing manual delay and making the response repeatable.