Beyond update hijacking, the framework supports DNS manipulation, binary replacement, and selective traffic forwarding, giving attackers control over how specific requests are handled.
Indicators point to China-Nexus development and targeting
Several aspects of DKnife’s design and operation suggested ties to China-aligned threat actors. Talos identified configuration data and code comments written in Simplified Chinese, as well as handling logic tailored for Chinese-language email providers and mobile applications.
The framework was also found to enable credential collection from services used within China, indicating specific targeting. Talos confirmed linking DKnife’s operations to the delivery of malware families previously associated with China-nexus activity, further reinforcing attribution.
“Based on the language used in the code, configuration files, and the ShadowPad malware delivered in the campaign, we assess with high confidence that China-nexus threat actors operate this tool,” the researchers said without naming any specific threat group.
Shared lineage and detection sabotage
Talos investigation also revealed technical overlaps between DKnife and earlier AitM frameworks used in past campaigns.
“We discovered a link between DKnife and a campaign delivering WizardNet, a modular backdoor known to be delivered by a different AiTM framework, Spellbinder, suggesting a shared development or operational lineage,” the researchers said.
