A malware framework that remained hidden for years has been discovered by security researchers at Cisco Talos.

The researchers were hunting for samples of DarkNimbus, a backdoor linked to the MOONSHINE exploit kit (both known since 2023), when they found a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework they had never seen before.

Cisco Talos researchers have shared technical details about this framework, which they dubbed DKnife, in a new report published on February 5.

Used since at least 2019 and still active in January 2026, DKnife targets Chinese-speaking users and the Talos researchers assessed “with high confidence” that it was made by Chinese-nexus threat actors.

The assessment is based on “the language used in the code, configuration files and the ShadowPad malware delivered in the campaign.”

The researchers also found infrastructure overlaps between DKnife and a campaign delivering WizardNet, a modular backdoor known to be delivered by Spellbinder, a different AitM framework, suggesting a shared development or operational lineage.

DKnife Capabilities Explained

DKnife is a Linux-based (x86-64) framework designed for gateway-level attacks, enabling operators to monitor, manipulate and hijack network traffic on compromised routers or edge devices.

It consists of seven Executable and Linkable Format (ELF) binaries that work together to perform deep packet inspection (DPI), traffic interception and malicious payload delivery.
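The report characterises DKnife only as a set of Linux x86-64 ELF binaries running on a gateway, so the first triage question for a responder is simply which ELF files on a suspect router or edge device match that profile. The following Python helper is an added example written for this article, not code from Talos or from DKnife itself: it parses the ELF identification header (magic, class, byte order, type and machine) and flags 64-bit x86 executables. The sample headers are constructed inline, and the function and constant names are this example's own.

```python
import os
import struct
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

ELF_MAGIC = b"\x7fELF"

# e_machine values from the ELF specification (only the common gateway CPUs).
EM_NAMES = {3: "x86", 8: "MIPS", 40: "ARM", 62: "x86-64", 183: "AArch64"}
# e_type values: relocatable, executable, shared object / PIE, core dump.
ET_NAMES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


@dataclass
class ElfInfo:
    bits: int        # 32 or 64 (EI_CLASS)
    endian: str      # "little" or "big" (EI_DATA)
    e_type: str      # EXEC, DYN, ...
    machine: str     # x86-64, MIPS, ...


def parse_elf_header(data: bytes) -> Optional[ElfInfo]:
    """Parse the first 20 bytes of an ELF file; return None if it is not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    cls, enc = data[4], data[5]          # EI_CLASS, EI_DATA
    if cls not in (1, 2) or enc not in (1, 2):
        return None                       # malformed or unknown encoding
    fmt = "<HH" if enc == 1 else ">HH"    # e_type and e_machine follow e_ident
    e_type, e_machine = struct.unpack_from(fmt, data, 16)
    return ElfInfo(
        bits=32 if cls == 1 else 64,
        endian="little" if enc == 1 else "big",
        e_type=ET_NAMES.get(e_type, hex(e_type)),
        machine=EM_NAMES.get(e_machine, hex(e_machine)),
    )


def is_x86_64_elf(data: bytes) -> bool:
    """True for 64-bit x86 ELF files, the architecture the article attributes to DKnife."""
    info = parse_elf_header(data)
    return info is not None and info.bits == 64 and info.machine == "x86-64"


def scan_for_x86_64_elf(root: str) -> Iterator[Tuple[str, ElfInfo]]:
    """Walk a directory tree (e.g. a mounted gateway filesystem) and yield x86-64 ELF files."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(64)
            except OSError:
                continue
            if is_x86_64_elf(head):
                yield path, parse_elf_header(head)


def build_elf_header(cls: int, enc: int, e_type: int, e_machine: int) -> bytes:
    """Construct a minimal 64-byte ELF header for testing (sample data, not a real binary)."""
    fmt = "<" if enc == 1 else ">"
    ident = ELF_MAGIC + bytes([cls, enc, 1, 0]) + b"\x00" * 8  # e_ident, 16 bytes
    return ident + struct.pack(fmt + "HH", e_type, e_machine) + b"\x00" * 44


# Constructed samples: a little-endian x86-64 PIE and a big-endian 32-bit MIPS executable.
SAMPLE_X86_64 = build_elf_header(2, 1, 3, 62)
SAMPLE_MIPS_BE = build_elf_header(1, 2, 2, 8)

if __name__ == "__main__":
    for label, blob in (("x86-64 sample", SAMPLE_X86_64), ("MIPS sample", SAMPLE_MIPS_BE)):
        print(label, parse_elf_header(blob), "match:", is_x86_64_elf(blob))
    # Point this at a mounted image of the suspect device, e.g. scan_for_x86_64_elf("/mnt/gw")
```

On a MIPS or ARM router an x86-64 ELF in a writable path is anomalous on its own; on an x86-64 edge appliance the check only narrows the candidate set, and the hits still need hashing and comparison against vendor-shipped binaries.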