DKnife targets network gateways in long running AitM campaign


Cisco Talos researchers uncovered a stealthy China-linked adversary-in-the-middle (AitM) framework dubbed DKnife, which has been hijacking network gateways since at least 2019. This tool intercepts and manipulates traffic at the network edge, allowing attackers to spy on or alter data in transit without touching endpoints. Active into early 2026, DKnife has targeted over 50 organizations, primarily in Asia and Europe, focusing on government and critical infrastructure sectors.

For network engineers, this revelation underscores a shift in attack vectors: instead of endpoint vulnerabilities, adversaries are exploiting gateways like routers and firewalls. In one documented case, DKnife enabled traffic redirection to malicious servers, facilitating data exfiltration without detection for months. IT pros must now prioritize edge security, as traditional endpoint defenses fall short against such network-level intrusions. Business leaders face escalating risks, with potential losses from compromised communications estimated at $500,000 per incident based on similar AitM campaigns.

This long-running operation highlights how state-backed groups are evolving tactics to evade modern defenses. By embedding at gateways, DKnife provides operators with real-time visibility into traffic flows, enabling precise manipulation.

How DKnife Operates at the Network Edge

DKnife deploys via compromised routers, often through unpatched vulnerabilities in devices from major vendors. Once installed, it acts as a man-in-the-middle, decrypting TLS sessions and injecting payloads. Cisco Talos noted its use in campaigns linked to Chinese actors, as covered in the China-linked DKnife AitM framework analysis.

Key technical features include:

  • Traffic Interception: Captures HTTP/S packets, allowing modification of requests or responses.
  • Modular Design: Supports plugins for malware delivery, credential theft, and reconnaissance.
  • Stealth Mechanisms: Uses encrypted C2 channels to avoid IDS/IPS detection.

Engineers can detect it by monitoring anomalous gateway behavior, such as unexpected TLS certificate mismatches.
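The certificate-mismatch check above, as an added example that is not code from the Talos report: a passive TLS monitor at the gateway exports one line per handshake, and the script compares each observed leaf certificate against a baseline of known-good fingerprints learned over a trusted path. The export format, host names, issuer names and (shortened) fingerprints are all constructed for this example.

```python
from collections import defaultdict
# Constructed baseline (learned over a trusted path): server_name -> (expected issuer CN, known-good leaf fingerprints, shortened)
BASELINE = {
    "mail.corp.example": ("Corp_Issuing_CA_1", {"3f9a1c77e0b2d4a8"}),
    "api.corp.example": ("Corp_Issuing_CA_1", {"b7c0d1e2f3a4b5c6", "0a1b2c3d4e5f6a7b"}),
}
# Constructed passive-monitor export: "ts client server_name issuer_cn leaf_fingerprint"
OBSERVED = """\
2026-01-12T08:00:01Z 10.1.4.20 mail.corp.example Corp_Issuing_CA_1 3f9a1c77e0b2d4a8
2026-01-12T08:00:05Z 10.1.4.21 api.corp.example Corp_Issuing_CA_1 0a1b2c3d4e5f6a7b
2026-01-12T08:01:10Z 10.1.4.20 mail.corp.example Corp_Issuing_CA_1 9d8e7f6a5b4c3d2e
2026-01-12T08:01:12Z 10.1.4.22 mail.corp.example Corp_Issuing_CA_1 9d8e7f6a5b4c3d2e
2026-01-12T08:02:00Z 10.1.4.23 api.corp.example Rogue_Root_CA_X 1111222233334444
"""

def parse(text):
    """Yield (ts, client, server_name, issuer, fingerprint) per non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, client, sni, issuer, fp = line.split()
            yield ts, client, sni, issuer, fp.lower()

def classify(sni, issuer, fp, baseline):
    """Return None when the observed leaf matches the baseline, else a reason."""
    if sni not in baseline:
        return "no-baseline"          # first-seen name: learn it, do not call it AitM
    exp_issuer, known = baseline[sni]
    if fp in known:
        return None
    if issuer != exp_issuer:
        return "issuer-changed"       # a different CA vouched for the name: strongest signal
    return "fingerprint-changed"      # same issuer, unknown leaf: rotation or AitM, verify

def detect(text, baseline):
    """Group mismatches by (server_name, fingerprint) and count distinct clients.
    One client seeing an unknown cert may be rotation or a captive portal; several
    clients behind one gateway seeing the same unknown cert is the gateway-AitM pattern."""
    events = defaultdict(lambda: {"reason": None, "clients": set(), "first": None})
    for ts, client, sni, issuer, fp in parse(text):
        reason = classify(sni, issuer, fp, baseline)
        if reason in (None, "no-baseline"):
            continue
        ev = events[(sni, fp)]
        ev["reason"], ev["first"] = reason, ev["first"] or ts
        ev["clients"].add(client)
    alerts = [{"server_name": s, "fingerprint": f, "reason": e["reason"], "first_seen": e["first"],
               "clients": len(e["clients"]), "severity": "high" if len(e["clients"]) > 1 else "medium"}
              for (s, f), e in events.items()]
    return sorted(alerts, key=lambda a: a["first_seen"])
```

Feed `detect()` a rolling window of the monitor export; a legitimate certificate rotation shows up once per client with the expected issuer and is cleared by updating the baseline, whereas an unknown issuer seen by many clients at the same time warrants pulling the gateway for inspection.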

Targets and Tactics in the AitM Campaign

The campaign primarily hits network gateways in telecom, finance, and government entities. Talos reported over 70 breaches tied to similar Asian state-backed groups, as detailed in this report on TGR-STA-1030 breaches. DKnife’s longevity—spanning seven years—stems from its low-and-slow approach, blending into legitimate traffic.

Tactics evolve with tech trends:

  • Gateway Exploitation: Leverages zero-days in edge devices for initial access.
  • Data Manipulation: Alters in-transit emails or API calls to insert backdoors.
  • Persistence: Survives reboots via firmware modifications.

This mirrors botnet threats such as the Kimwolf botnet stalking local networks, and underlines the need for layered defenses.

Impact on Critical Infrastructure

DKnife’s focus on infrastructure gateways poses risks to sectors like energy and transportation. In a simulated attack, researchers found it could disrupt SCADA systems by tampering with control packets, potentially causing outages affecting thousands.

Mitigation strategies for IT teams:

  • Firmware Hardening: Regular updates and integrity checks on routers.
  • Network Segmentation: Isolate gateways with microsegmentation.
  • Advanced Monitoring: Deploy AI-driven tools for anomaly detection.

For deeper insights into related threats, check the ThreatsDay Bulletin on AsyncRAT and AI intrusions.

Evolving Defenses Against AitM Threats

As AitM frameworks like DKnife proliferate, enterprises must integrate threat intelligence from sources such as the Cisco Talos report. Adoption of secure access service edge (SASE) models has surged 150% in response, combining networking and security.

The Bottom Line

DKnife’s enduring campaign reveals the vulnerabilities at network perimeters, impacting professionals by demanding proactive edge protection. Enterprises risk data breaches and operational disruptions if gateways remain soft targets. Network engineers should audit devices immediately, implementing zero-trust principles to counter AitM tactics.

Business leaders: Invest in gateway-specific security tools to safeguard against these sophisticated threats. Looking ahead, as 5G and IoT expand network edges, expect more AitM innovations—staying vigilant with continuous monitoring will be key to resilience.