Beyond update hijacking, the framework supports DNS manipulation, binary replacement, and selective traffic forwarding, giving attackers control over how specific requests are handled.
Indicators point to China-nexus development and targeting
Several aspects of DKnife's design and operation suggested ties to China-aligned threat actors. Talos identified configuration files and code comments written in Simplified Chinese, as well as handling logic tailored for Chinese-language email providers and mobile applications.
The framework was also found to enable credential collection from services used within China, indicating specific targeting. Talos confirmed links between DKnife's operations and the delivery of malware families previously associated with China-nexus activity, further reinforcing attribution.
"Based on the language used in the code, configuration files, and the ShadowPad malware delivered in the campaign, we assess with high confidence that China-nexus threat actors operate this tool," the researchers said, without naming any specific threat group.
Shared lineage and detection sabotage
Talos's investigation also revealed technical overlaps between DKnife and earlier AitM frameworks used in previous campaigns.
"We discovered a link between DKnife and a campaign delivering WizardNet, a modular backdoor known to be delivered by a different AiTM framework, Spellbinder, suggesting a shared development or operational lineage," the researchers said.
