The central hubs of our online lives, internet routers and edge devices, have become the primary targets of a long-running spying operation. Researchers at Cisco Talos recently shared details about a toolkit named DKnife that has been compromising these gateway devices since at least 2019. By embedding itself into the hardware that connects internal networks to the wider web, this malware can watch, record, and even change the data passing through every connected phone and computer.

According to Cisco Talos’ security researchers, the campaign is remarkably persistent. “The command and control are still active as of January 2026,” they noted, indicating that threat actors are still actively managing their network of compromised devices.

A Digital Hijacker in the Middle

Most of us assume that app updates are safe. DKnife turns that trust against users through an Adversary-in-the-Middle (AitM) attack: malware running on the edge device intercepts a legitimate update request from a client behind it and replaces the returned package with a malicious one, so the client installs the attacker's file while believing it came from the vendor.
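The reason an update-swap on the gateway works is that many clients trust whatever the network returns. The following is an added illustration, not code from the Talos report or from the article, of the difference between a client that checks the download against a digest served over the same connection (which an on-path device can rewrite along with the package) and one that checks it against a value pinned inside the app. The package bytes, file name, and the `fetch_update`/`aitm_response` stand-ins for the HTTP download are all constructed for the demonstration.

```python
"""Added example: pinned-digest verification as the client-side defence
against router-level update swapping. Nothing here is DKnife code; the
packages and names are constructed for the demonstration."""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed "genuine" package, as the vendor would publish it.
GENUINE_APK = b"PK\x03\x04" + b"genuine-app-v2.1-contents" * 8

# Constructed substitute an on-path device could return instead.
SWAPPED_APK = b"PK\x03\x04" + b"trojanised-app-v2.1-contents" * 8

# Digests the app ships with (or learns from a manifest signed by a key
# baked into the app). The gateway never gets to mediate this channel.
PINNED_DIGESTS: Dict[str, str] = {
    "app-v2.1.apk": hashlib.sha256(GENUINE_APK).hexdigest(),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fetch_update(name: str, tampered: bool) -> bytes:
    """Stand-in for the HTTP download. tampered=True models the swap
    performed by a compromised router; the client cannot tell."""
    return SWAPPED_APK if tampered else GENUINE_APK


def aitm_response(name: str) -> Tuple[bytes, str]:
    """What the client sees when the on-path device rewrites BOTH the
    package and the sidecar .sha256 file served next to it."""
    payload = SWAPPED_APK
    return payload, sha256_hex(payload)


def verify_with_served_digest(payload: bytes, served_digest: str) -> bool:
    """Weak check: the digest travelled over the same path as the payload,
    so a consistent swap of both passes. Shown only to contrast."""
    return hmac.compare_digest(sha256_hex(payload), served_digest)


def verify_update(name: str, payload: bytes) -> bool:
    """Hardened check: compare against the pinned digest. Unknown package
    names are rejected rather than trusted by default, and the comparison
    is constant-time."""
    expected = PINNED_DIGESTS.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_hex(payload), expected)


def install_update(name: str, tampered: bool = False) -> Optional[str]:
    """Download, verify, and 'install'. Returns the digest of what was
    installed, or None when the package was rejected."""
    payload = fetch_update(name, tampered)
    if not verify_update(name, payload):
        return None
    return sha256_hex(payload)


if __name__ == "__main__":
    print("clean path, pinned check   :", install_update("app-v2.1.apk"))
    print("swapped path, pinned check :", install_update("app-v2.1.apk", tampered=True))
    print("swapped path, served digest:", verify_with_served_digest(*aitm_response("app-v2.1.apk")))
```

The point of the contrast is where the trust anchor lives: a sidecar hash file or a manifest fetched from the same origin adds nothing once the gateway itself is hostile, whereas a digest or signing key that shipped with the installer forces the attacker to break the app, not the network. Real update frameworks use signatures over a manifest rather than a hard-coded table, but the anchoring rule is the same.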

Further probing revealed the toolkit uses seven specialised implants working in unison:

  • dknife.bin – The main engine that reads the content of your data as it flows past.
  • postapi.bin – A reporter that relays stolen data and events back to the attackers.
  • mmdown.bin – An updater specifically for refreshing malicious Android files.
  • sslmm.bin – A reverse proxy that decrypts secure connections to steal email passwords.
  • yitiji.bin – Named after the Chinese term for “all-in-one,” it creates a hidden network on the router to route malicious traffic without triggering alarms.
  • remote.bin – A component that sets up a private VPN for remote attacker access.
  • dkupdate.bin – A watchdog module that keeps all parts running and updated.

Simply put: DKnife operates at the router and edge device level, but it explicitly targets both Android and Windows endpoints behind those gateways.

[Image: China-Linked DKnife Spyware Hijacking Internet Routers Since 2019]
Figure: Android APK download hijacking workflow (Cisco Talos)

Silent Monitoring and Disruption

It is worth noting that DKnife is more than a delivery system; it is an incredibly effective eavesdropper. Researchers found it can track activities on apps like WeChat and Signal, including video calls and messaging. To stay hidden, it even identifies traffic from security programmes like 360 Total Security or Tencent PC Manager and “drops” their connections, preventing them from updating defences or alerting the user.

Who is Behind It?

While the primary targets are Chinese-speaking users, the danger has spread. “The evidence suggests a well-integrated and evolving toolchain,” researchers stated in the blog post, noting links to the WizardNet backdoor and Spellbinder framework used in the Philippines, Cambodia, and the UAE.

The toolkit also delivers ShadowPad and DarkNimbus backdoors, sometimes using certificates from companies like Sichuan Qiyu Network Technology. Because the code is filled with Simplified Chinese comments, experts assess with high confidence that the operators are China-nexus threat actors.

Because this happens at the router level, any device, from a PC to a smart fridge, is at risk if it connects to a compromised gateway. To stay safe, ensure your router’s firmware is up to date and disable Remote Management in its settings to close the most common door these attackers use to get in.

Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.