Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework

Cisco Talos uncovered “DKnife,” an advanced China-linked adversary-in-the-middle (AitM) framework active since at least 2019, which uses modular Linux implants to hijack and manipulate traffic at the gateway level, exfiltrate sensitive user data, and deliver malware—including ShadowPad and DarkNimbus—primarily targeting Chinese-speaking users via routers and edge devices.