'DKnife' Implant Used by Chinese Threat Actor for Adversary-in-the-Middle Attacks
"Dubbed DKnife, the framework consists of seven Linux-based implants designed for deep packet inspection, traffic manipulation, and malware delivery, and has been active since at least 2019. The framework mainly targets Chinese-speaking users, delivering and interacting with backdoors such as ShadowPad and DarkNimbus on desktop, mobile, and IoT devices. DarkNimbus, also known as DarkNights, is supplied by the Chinese firm UPSEC, which was previously associated with the Chinese APT TheWizards, the operator of the Spellbinder AitM framework."
"DKnife was built to monitor and manipulate network traffic and to interact with backdoors running on victims' systems. It can update the backdoors, hijack DNS traffic, hijack Android application updates and downloads, and exfiltrate user activity to the C&C. It can also hijack Windows and other binary downloads, deploy the ShadowPad and DarkNimbus backdoors, intercept and disrupt traffic associated with antivirus and PC-management products, and monitor and report on the user's network activity."
DKnife is a China-linked gateway-monitoring and adversary-in-the-middle framework active since at least 2019, built from seven Linux-based implants for deep packet inspection, traffic manipulation, and malware delivery. The framework targets Chinese-speaking users and delivers backdoors across desktop, mobile, and IoT devices, including ShadowPad, DarkNimbus, and WizardNet. DarkNimbus is supplied by UPSEC, which has ties to TheWizards/Spellbinder tooling. The configuration files available for analysis all come from a single command-and-control server, which leaves open the possibility that other servers target other geographies. Capabilities include updating and deploying backdoors, hijacking DNS and application updates, intercepting antivirus and management traffic, and exfiltrating user activity.
Read at SecurityWeek