
Feb 09, 2026 · 5 min read

This Malware Has Been Hiding in Routers Since 2019 to Hijack Your Traffic

Security researchers have uncovered DKnife, a China-linked framework that turns network edge devices into surveillance and malware-delivery platforms.

Seven Years of Stealth Operations

Cisco Talos researchers have disclosed a sophisticated malware framework called DKnife that has been operating undetected since at least 2019. The toolkit specifically targets Linux-based routers, firewalls, and edge devices to intercept network traffic, harvest credentials, and deliver additional malware to endpoints behind the compromised devices.

The framework is designed for long-term persistence with a minimal footprint on host systems. By operating at the network edge rather than on individual computers, DKnife can monitor and manipulate traffic for entire organizations while remaining invisible to endpoint security tools.

How DKnife Works

DKnife consists of seven Linux-based components that work together to create a comprehensive adversary-in-the-middle platform:

  • Deep packet inspection: Monitors all network traffic passing through the device
  • DNS hijacking: Redirects IPv4 and IPv6 DNS requests to malicious servers
  • TLS termination: Intercepts encrypted connections to harvest usernames and passwords
  • Binary hijacking: Replaces legitimate software downloads with malware payloads
  • Android app interception: Modifies mobile application update manifests to deliver malicious versions

The framework specifically targets systems running CentOS or Red Hat Enterprise Linux and includes support for PPPoE connections, VLAN tagging, and bridged network interfaces commonly found in enterprise deployments.


Credential Theft and Backdoor Delivery

One of DKnife's most dangerous capabilities is its ability to harvest credentials from email services by performing TLS termination on encrypted traffic. Researchers noted that the framework can extract login credentials from users of major email providers, all without triggering any alerts on the user's device.

The toolkit also delivers two known backdoors to compromised networks:

  • ShadowPad: A modular backdoor previously attributed to Chinese state-sponsored groups
  • DarkNimbus: A cross-platform implant targeting both Windows and Android devices

These backdoors are delivered by hijacking software updates for popular applications. When a user behind a compromised router downloads an update, DKnife intercepts the request and substitutes a malicious payload.

Attribution to Chinese Threat Actors

Talos researchers assess with high confidence that DKnife is operated by a China-nexus threat actor. The framework contains Simplified Chinese-language artifacts in component names and code comments. It explicitly targets Chinese services including email providers, mobile apps, media platforms, and WeChat users.

The campaign shares infrastructure with the Earth Minotaur threat cluster and TheWizards APT group, both of which have been previously linked to Chinese espionage operations. Victims have been identified across Cambodia, Hong Kong, Mainland China, the Philippines, and the United Arab Emirates.

C2 Servers Still Active

As of February 2026, the DKnife command-and-control servers remain active. This means the operators continue to have access to compromised networks and can deploy new payloads or exfiltrate data at any time.

The disclosure highlights the ongoing threat posed by edge-device compromises. Unlike endpoint malware that can be detected by antivirus software, router-level implants are extremely difficult to discover and remove. Most organizations lack visibility into their network device firmware and have no way to verify whether edge devices have been tampered with.

Protecting Your Network

CISA recently mandated that federal agencies remove end-of-life network devices within 12 months, citing persistent cyber campaigns targeting edge infrastructure. For organizations and individuals concerned about router-level threats:

  • Keep router and firewall firmware updated to the latest version
  • Replace any devices that no longer receive security updates
  • Monitor for unexpected DNS changes or certificate warnings
  • Consider using encrypted DNS services that cannot be intercepted at the router level
  • Use end-to-end encrypted communications for sensitive data
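The three capabilities listed under "How DKnife Works" that a host behind the router can actually observe (DNS answers being rewritten, an update binary being swapped, and a TLS session being terminated on a certificate the real service never issued) each leave a checkable trace on the client side. The script below is an added example, not code from the Talos report or from this article, showing what the "monitor for unexpected DNS changes or certificate warnings" advice looks like as concrete host-side checks. All hostnames, IP addresses, payload bytes and fingerprints are constructed sample data so it runs offline; in a real deployment the trusted DNS baseline would come from an encrypted resolver the router cannot rewrite, the pinned SHA-256 from the vendor's signed release metadata, and the certificate pin from the fingerprint of a certificate you control.

```python
"""Added example (not from the Talos report or the article): host-side checks
that surface the effects of router-level DNS rewriting, update substitution
and TLS interception. All inputs are constructed sample data."""
import hashlib
import hmac

# --- Constructed sample data (no real infrastructure) --------------------
# Answers the client received from the router-provided (local) resolver.
LOCAL_ANSWERS = {
    "mail.example.com": {"198.51.100.10"},
    "update.example.net": {"203.0.113.7"},          # differs from baseline
    "cdn.example.org": {"192.0.2.20", "192.0.2.21"},
}
# Answers for the same names obtained over an encrypted resolver path that
# the edge device cannot rewrite; this is the baseline we compare against.
TRUSTED_ANSWERS = {
    "mail.example.com": {"198.51.100.10"},
    "update.example.net": {"198.51.100.200"},
    "cdn.example.org": {"192.0.2.22"},              # legitimately rotates
}
# Names whose answers vary by resolver location (GeoDNS / CDN); skipped so
# the check does not drown in false positives.
ROTATING_NAMES = {"cdn.example.org"}

# A genuine update and a substituted payload (both constructed byte strings).
GENUINE_UPDATE = b"\x7fELF...genuine-update-v2.1"
SUBSTITUTED_UPDATE = b"\x7fELF...something-else-entirely"
# In practice the pinned digest is copied from the vendor's signed release
# notes or package metadata, fetched over a path the router cannot alter.
PINNED_SHA256 = hashlib.sha256(GENUINE_UPDATE).hexdigest()

# Pinned leaf-certificate fingerprint for the mail service (constructed)
# versus the fingerprint the client actually saw during the TLS handshake.
PINNED_CERT_FP = "aa" * 32
OBSERVED_CERT_FP = "bb" * 32


def check_dns_consistency(local, trusted, rotating=ROTATING_NAMES):
    """Return the names whose local answer set differs from the trusted
    baseline, ignoring names that are known to rotate."""
    suspect = []
    for name, local_ips in local.items():
        if name in rotating:
            continue
        baseline = trusted.get(name)
        if baseline is None:
            continue  # no baseline for this name, nothing to compare
        if set(local_ips) != set(baseline):
            suspect.append(name)
    return suspect


def verify_download(payload: bytes, expected_sha256: str) -> bool:
    """True only if the payload's SHA-256 equals the pinned digest.
    compare_digest keeps the comparison constant-time."""
    digest = hashlib.sha256(payload).hexdigest()
    return hmac.compare_digest(digest, expected_sha256.lower())


def check_cert_pin(observed_fp: str, pinned_fp: str) -> bool:
    """True if the presented certificate fingerprint matches the pin. A
    mismatch on a service whose certificate you control is the client-side
    symptom of TLS termination upstream."""
    return hmac.compare_digest(observed_fp.lower(), pinned_fp.lower())


def run_checks():
    """Run all three checks against the sample data; return findings."""
    findings = []
    for name in check_dns_consistency(LOCAL_ANSWERS, TRUSTED_ANSWERS):
        findings.append(f"DNS answer for {name} differs from trusted resolver")
    if not verify_download(SUBSTITUTED_UPDATE, PINNED_SHA256):
        findings.append("downloaded update does not match pinned SHA-256")
    if not check_cert_pin(OBSERVED_CERT_FP, PINNED_CERT_FP):
        findings.append("mail service presented a certificate that is not pinned")
    return findings


if __name__ == "__main__":
    for finding in run_checks():
        print("ALERT:", finding)
```

The DNS check deliberately needs a baseline obtained over a channel the edge device cannot rewrite; comparing two answers that both passed through the same router proves nothing. Likewise the pinned digest and certificate fingerprint only help if they were obtained out of band, which is why the example treats them as inputs rather than fetching them from the same network path the update came over.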

The DKnife disclosure is a reminder that security must extend beyond endpoints. The devices that form the foundation of network connectivity are increasingly becoming targets for sophisticated threat actors.