#ChinalinkedAPT
China-Linked DKnife Threat Underscores Risks to Network Edge Devices

Despite adversaries increasing their focus on the network edge, recent findings suggest a sustained and deliberate effort to weaponize routing infrastructure itself for surveillance and delivery purposes. An attacker can observe, modify, and selectively redirect data streams in transit by embedding malicious logic directly into traffic paths rather than relying on endpoint compromise.

This evolution is reflected in the development of the DKnife framework, which has transformed attacker-in-the-middle capabilities into modular, long-lived platforms that are designed to be persistent, stealthy, and operationally flexible.

Through the framework's ability to operate at a level where legitimate traffic aggregation and inspection already take place, the line between benign network functionality and hostile control is blurred, enabling malware deployment and long-term monitoring across a variety of device classes and user environments among targeted users.

According to cybersecurity researchers, DKnife is an adversary-in-the-middle framework that has operated since at least 2019 to maintain router-centric infrastructure by threat actors who have been found to be linked to China.

In order to enable deep packet inspection, selective traffic manipulation, and covert delivery of malicious payloads, seven Linux-based implants are installed on gateways and edge devices. Several code artifacts and telemetry indicate a clear focus on Chinese-speaking users, including credential-harvesting components tailored specifically for Chinese email services, data exfiltration modules specifically targeted at popular mobile applications, and hard-coded references to domestic media domains buried within the implants.

It is argued that DKnife's potential strategic value lies in its ability to act as a conduit between legitimate update and download channels and users. As the framework intercepts binary transfers and mobile application updates in transit, it is possible to deploy and manage established backdoors, including ShadowPad and DarkNimbus, across a broad range of endpoints ranging from desktop systems to mobile devices to Internet of Things environments.

According to Cisco Talos, the activity has been associated with the ongoing tracking of a Chinese threat cluster dubbed Earth Minotaur, previously associated with exploit kits like MOONSHINE as well as backdoors like DarkNimbus. The reuse of DarkNimbus is noteworthy, as the malware has also been found in operations attributed to another Chinese advanced persistent threat group, TheWizards, indicating the possibility of sharing tools or infrastructure among these groups.

Upon further analysis of the infrastructure, it was revealed that DKnife-associated resources overlapped with those connected to WizardNet, a Windows implant deployed by TheWizards through an AitM framework called Spellbinder, which was publicized in 2025. This led to additional connections between DKnife-associated systems and WizardNet resources.

As Cisco cautions, current insights into DKnife's targeting may be incomplete, because the configuration data obtained from a single command-and-control server provide only limited information about its target market of Chinese-speaking users. It is possible that parallel servers exist to support operations in other regions as well.

Due to TheWizards' history of targeting individuals and gambling-related entities across Southeast Asia, Greater China, and the Middle East, the convergence of infrastructure and tactics is significant, highlighting the wider implications of DKnife as a traffic hijacking platform with reusable, regionally adaptable features.

Although researchers have not determined the exact vector used to compromise network equipment, they have established that DKnife functions to deliver and control backdoors known as ShadowPad and DarkNimbus, both of which have been used by Chinese-allied threat actors for decades. A technical analysis reveals that there are seven discrete modules in the framework.

Each module is designed to support a particular operational role, such as traffic inspection, manipulation, and command-and-control messaging, as well as origin obfuscation. In addition to packet inspection and attack logic, the system includes relay services to facilitate communication with remote C2 servers as well as a customized reverse proxy derived from HAProxy to mask and manage malicious traffic flows.

Additionally, DKnife extends its capabilities beyond passive monitoring with additional modules. An attacker is able to establish a virtual Ethernet TAP interface on the compromised router and connect it directly to the local network, effectively placing themselves in the data path of internal communications. In addition, there are third parties who provide peer-to-peer VPN connectivity using modified n2n software, coordinate the download and update of malicious Android applications, and manage the deployment of the DKnife implants themselves.

Together, these elements provide tools for a wide range of activities, including DNS hijacking, intercepting legitimate binary and application updates, selectively disrupting security-related traffic, and exfiltrating detailed user activity to external command infrastructure. Once activated on a device, in addition to intercepting and rewriting packets destined for their original hosts, DKnife also uses its network-bridging capabilities to transparently substitute malicious payloads during transit.

Through this technique, weaponized APK files can be delivered to Android devices, as well as compromised binaries to Windows systems connected to the affected network. Research conducted by Cisco Talos demonstrated instances in which the framework first installed ShadowPad backdoors for Windows, signed with Chinese certificates, followed by the installation of DarkNimbus backdoors to establish long-term access.

Unlike secondary droppers, DarkNimbus was delivered directly to Android environments through the manipulated update channel. Investigators further revealed that infrastructure was associated with a framework hosting the WizardNet backdoor, a Windows implant previously associated with Spellbinder AitM. This confirmed the link between DKnife and previously documented adversary-in-the-middle attacks.

Incorporating these tools within the same operational environment implies that development resources are likely shared or infrastructure coordinated. As a result, threat actors are becoming increasingly sophisticated in their use of compromised network devices as covert malware distribution channels, as opposed to utilizing endpoints to spread malware.

The Cisco Talos team further concluded that DKnife is capable of intercepting Windows binary downloads in addition to mobile ecosystems. As observed, the framework was capable of manipulating download URLs in transit, either substituting trojanized counterparts for legitimate installers or redirecting users to malicious distribution points controlled by the attackers.

In combination with its DNS manipulation capabilities and control over application update channels, DKnife provides an extensive traffic-hijacking platform that can silently deliver malware while maintaining the appearance of normal network behavior. The framework's components work together to create a continuous attack system at the network gateway.

Moreover, DKnife offers a broad range of secondary functionality in addition to payload delivery, such as credential harvesting through decrypted POP3 and IMAP sessions, hosting phishing pages, selectively disrupting antivirus and security product traffic, and detailed user activity monitoring.

Researchers observed telemetry being collected from several applications and services, including messaging platforms, navigation tools, news consumption, telephony, ridesharing, and online shopping. In particular, WeChat was observed to receive significant attention, with the framework tracking voice and video calls, message content, media exchanges, and articles accessed through the application. The placement of DKnife on gateway devices permits near real-time visibility into user behavior.

Activity events are first processed internally across the framework's modular components before being exfiltrated via structured HTTP POST requests to dedicated API endpoints and then forwarded to remote command-and-control infrastructure.

A significant reduction in the need for persistent malware on individual endpoints is achieved through this architecture, which allows attackers to correlate traffic flows and user actions as packets traverse the network. Researchers note that this approach reflects a greater trend towards infrastructure-level compromise: the use of routers and edge devices as persistent delivery platforms for malware.

According to Cisco Talos, DKnife-associated command-and-control servers remain active as of January 2026, highlighting the continuing nature of this threat. An exhaustive set of indicators of compromise has been developed by the firm to assist defenders in identifying compromised systems, while emphasizing the need to pay increased attention to network infrastructure as adversaries continue to utilize its unique position within modern digital environments to their advantage.

China-Linked DKnife Threat Underscores Risks to Network Edge Devices #AdversaryInTheMiddle #ChinaLinkedAPT #DarkNimbus


Zoom Stealer Extensions Harvest Meetings
Read More: buff.ly/U1mv1R1

#ZoomStealer #MaliciousExtensions #BrowserSecurity #CredentialHarvesting #ChinaLinkedAPT #DarkSpectre #ThreatResearch #AccountSecurity

Evasive Panda Uses DNS Poisoning to Deploy MgBot Backdoor in Long-Running Espionage Campaign

Security researchers at Kaspersky have uncovered a sophisticated cyber-espionage operation attributed to the China-linked advanced persistent threat (APT) group known as Evasive Panda, also tracked as Daggerfly, Bronze Highland, and StormBamboo. The campaign leveraged DNS poisoning techniques to distribute the MgBot backdoor, targeting select victims across Türkiye, China, and India.

Active for over a decade, Evasive Panda is widely recognized for developing and deploying the custom MgBot malware framework. In 2023, Symantec previously linked the group to an intrusion at an African telecommunications provider, where new MgBot plugins were observed—demonstrating the group’s continued refinement of its cyber-espionage toolkit.

According to Kaspersky, the latest campaign was highly selective in nature and operated for nearly two years, beginning in November 2022 and continuing through November 2024. The attackers employed adversary-in-the-middle (AiTM) techniques, delivering encrypted malware components through manipulated DNS responses. Each target received a tailored implant designed to evade detection. The MgBot backdoor was injected directly into legitimate processes in memory, frequently using DLL sideloading, allowing the malware to remain concealed for extended periods.

Initial compromise was achieved through fake software updates masquerading as legitimate applications. In one observed case, threat actors distributed a malicious executable posing as a SohuVA update, likely delivered through DNS poisoning that redirected update requests to infrastructure under attacker control.

“The malicious package, named sohuva_update_10.2.29.1-lup-s-tp.exe, clearly impersonates a real SohuVA update to deliver malware from the following resource”

“There is a possibility that the attackers used a DNS poisoning attack to alter the DNS response of p2p.hd.sohu.com[.]cn to an attacker-controlled server’s IP address, while the genuine update module of the SohuVA application tries to update its binaries located in appdata\roaming\shapp\7.0.18.0\package.”

Beyond SohuVA, similar trojanized updaters were observed targeting widely used applications such as iQIYI Video, IObit Smart Defrag, and Tencent QQ, often launched by legitimate system services to reinforce trust and avoid suspicion.

The initial malware loader, written in C++ and built using the Windows Template Library, was disguised as a harmless sample project. Once executed, it decrypted and decompressed its configuration data, revealing installation directories, command-and-control domains, and encrypted MgBot parameters. The malware dynamically altered its behavior based on the active user context, decrypted strings only at runtime, and used XOR and LZMA obfuscation to hinder analysis. Ultimately, it executed shellcode directly in memory after modifying memory permissions, enabling covert deployment without leaving obvious forensic traces.

The infection chain followed a multi-stage execution model. The first-stage loader launched shellcode that concealed API usage by resolving Windows functions via hashing. This shellcode searched for a specific DAT file within the installation directory. If found, the file was decrypted using Windows CryptUnprotectData, ensuring it could only be accessed on the infected system, before being deleted to erase evidence. If the DAT file was absent, the shellcode retrieved the next stage from the internet. Through DNS poisoning, victims were redirected to attacker-controlled servers while believing they were accessing legitimate domains such as dictionary.com.

System details, including the Windows version, were transmitted via HTTP headers, allowing attackers to tailor payloads accordingly. The downloaded data was decrypted using XOR, memory permissions were altered, and the payload was executed. The malware later re-encrypted the payload and stored it in a newly created DAT file, often unique to each victim.

Researchers also identified a secondary loader named libpython2.4.dll, which masqueraded as a legitimate Windows library. This component was loaded through a signed executable, evteng.exe—an outdated Python binary—to further mask malicious activity. The loader recorded its file path in status.dat, likely to support future updates, and decrypted additional payloads from perf.dat, which were also delivered via DNS poisoning. Throughout this process, the attackers repeatedly renamed and relocated the payloads, decrypting them with XOR and re-encrypting them using a customized combination of DPAPI and RC5, effectively binding the malware to the infected host and complicating analysis.

Kaspersky telemetry indicates confirmed victims in Türkiye, China, and India, with some systems remaining compromised for more than a year. The prolonged duration of the operation highlights the attackers’ persistence, operational maturity, and access to substantial resources. The observed tactics, techniques, and procedures (TTPs) strongly align with previous Evasive Panda operations. While a new loader was introduced, the attackers continued to rely on the long-established MgBot implant, albeit with updated configuration elements. As seen in earlier campaigns, Evasive Panda favored stealthy propagation methods such as supply-chain compromise, adversary-in-the-middle attacks, and watering-hole techniques to avoid detection.

“The Evasive Panda threat actor has once again showcased its advanced capabilities, evading security measures with new techniques and tools while maintaining long-term persistence in targeted systems.”

“Our investigation suggests that the attackers are continually improving their tactics, and it is likely that other ongoing campaigns exist. The introduction of new loaders may precede further updates to their arsenal.”

Evasive Panda Uses DNS Poisoning to Deploy MgBot Backdoor in Long-Running Espionage Campaign #ChinalinkedAPT #CyberAttacks #CyberEspionageCampaign
