DKnife targets network gateways in long running AitM campaign

Indicators point to China-nexus development and targeting: Several aspects of DKnife's design and operation suggested ties to China-aligned threat actors. Talos identified configuration data and code comments written in Simplified Chinese, as well as handling logic tailored for Chinese-language email providers and mobile applications. The framework was also found to enable credential collection from services used within China, indicating specific targeting. Talos also linked DKnife's operations to the delivery of malware families previously associated with China-nexus activity, further reinforcing the attribution. "Based on the language used in the code, configuration files, and the ShadowPad malware delivered in the campaign, we assess with high confidence that China-nexus threat actors operate this tool," the researchers said, without naming a specific threat group.

Shared lineage and detection sabotage: Talos's investigation also revealed technical overlaps between DKnife and earlier AitM frameworks used in past campaigns. "We discovered a link between DKnife and a campaign delivering WizardNet, a modular backdoor known to be delivered by a different AiTM framework, Spellbinder, suggesting a shared development or operational lineage," the researchers said.

Talos said DKnife includes a traffic inspection module that actively interferes with antivirus and PC-management communications. The module identifies 360 Total Security traffic by inspecting specific HTTP headers, such as DPUname and x-360-ver, and by matching known service domains. When a match is detected, the framework disrupts the connection with crafted TCP reset packets. Similar behavior targeting Tencent services and other PC-management endpoints was also observed, indicating deliberate efforts to weaken security tooling.

To strengthen detection, Talos shared a list of indicators of compromise (IoCs), including file hashes, network artifacts, and command-and-control (C2) infrastructure associated with DKnife. The disclosure also included a set of ClamAV signatures for detecting and blocking the threat.
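As an added defensive illustration, not code from the report or from Talos: the module described above cuts sessions with forged TCP resets once it sees the DPUname and x-360-ver headers, and a sensor inside the gateway can catch that because a forged RST rarely carries the same IP TTL as the real server's packets on that flow. The TTL heuristic, the Packet fields and the sample flow are assumptions constructed for this example.

```python
from dataclasses import dataclass
# Header names the report says DKnife keys on to recognise 360 Total Security traffic.
MARKER_HEADERS = {"dpuname", "x-360-ver"}
@dataclass
class Packet:
    src: str
    dst: str
    ttl: int           # IP TTL as seen at the sensor
    flags: str         # TCP flags, e.g. "S", "SA", "PA", "R"
    payload: str = ""  # decoded HTTP request text for data packets, else ""
def http_header_names(payload):
    """Lowercase header names of an HTTP request payload (stops at the blank line)."""
    names = set()
    for line in payload.split("\r\n")[1:]:
        if not line:
            break
        if ":" in line:
            names.add(line.split(":", 1)[0].strip().lower())
    return names
def find_suspicious_resets(packets, ttl_tolerance=2):
    """Return (packet, reason) for RSTs that look injected by an on-path device.
    Heuristic (an assumption, not from the report): a genuine RST carries the same
    TTL as the sender's earlier packets on the flow; a larger gap suggests forgery."""
    flow_ttl, marked, findings = {}, set(), []  # per-direction TTL, marked flows, results
    for p in packets:
        key = (p.src, p.dst)
        if "R" in p.flags:
            base = flow_ttl.get(key)
            if base is not None and abs(base - p.ttl) > ttl_tolerance:
                reason = f"RST TTL {p.ttl} differs from session TTL {base}"
                if (p.dst, p.src) in marked:
                    reason += "; request carried 360 marker headers"
                findings.append((p, reason))
            continue
        flow_ttl.setdefault(key, p.ttl)  # remember the first TTL seen in this direction
        if "P" in p.flags and http_header_names(p.payload) & MARKER_HEADERS:
            marked.add(key)  # client request carried one of the headers the module keys on
    return findings

# Constructed sample: server packets carry TTL 54; the RST ending the request has TTL 61.
SAMPLE = [
    Packet("10.0.0.5", "203.0.113.10", 64, "S"),
    Packet("203.0.113.10", "10.0.0.5", 54, "SA"),
    Packet("10.0.0.5", "203.0.113.10", 64, "PA",
           "GET /update HTTP/1.1\r\nHost: av.invalid\r\nDPUname: u\r\nx-360-ver: 1\r\n\r\n"),
    Packet("203.0.113.10", "10.0.0.5", 61, "R"),
]
```

Running find_suspicious_resets(SAMPLE) reports the final RST with both the TTL mismatch and the marker-header detail; a RST with TTL 54 on the same flow is left alone.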

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4129383/dknife-targets-network-gateways-in-long-running-aitm-campaign.html
