Posts on Security, Cloud, DevOps, Citrix, VMware and others.
Words and views are my own and do not reflect on my companies views.
Disclaimer: some of the links on this site are affiliate links, if you click on them and make a purchase, I make a commission.
The distributed denial-of-service (DDoS) botnet known as AISURU/Kimwolf has been attributed to a record-setting attack that peaked at 31.4 Terabits per second (Tbps) and lasted only 35 seconds.
Cloudflare, which automatically detected and mitigated the activity, said it's part of a growing number of hyper-volumetric HTTP DDoS attacks mounted by the botnet in the fourth quarter of 2025. The attack took place in November 2025.
AISURU/Kimwolf has also been linked to another DDoS campaign codenamed The Night Before Christmas that commenced on December 19, 2025. Per Cloudflare, the average size of the hyper-volumetric DDoS attacks during the campaign was 3 billion packets per second (Bpps), 4 Tbps, and 54 requests per second (Mrps), with the maximum rates touching 9 Bpps, 24 Tbps, and 205 Mrps.
"DDoS attacks surged by 121% in 2025, reaching an average of 5,376 attacks automatically mitigated every hour," Cloudflare's Omer Yoachimik and Jorge Pacheco said. "In 2025, the total number of DDoS attacks more than doubled to an incredible 47.1 million."
The web infrastructure company noted that it mitigated 34.4 million network-layer DDoS attacks in 2025, compared to 11.4 million in 2024. In Q4 2025 alone, network-layer DDoS attacks accounted for 78% of all DDoS attacks. Put together, the number of DDoS attacks surged by 31% over the previous quarter and 58% over 2024.
In 2025 Q4, hyper-volumetric attacks increased by 40% compared to the previous quarter, witnessing a jump from 1,304 to 1,824. A total of 717 attacks were recorded in Q1 2025. The spike in the number of attacks has been complemented by an uptick in the size of these attacks, growing by over 700% compared to the large attacks seen in late 2024.
AISURU/Kimwolf has ensnared more than 2 million Android devices, most of which are compromised, off-brand Android TVs, into its botnet, often by tunneling through residential proxy networks like IPIDEA. Last month, Google disrupted the proxy network and initiated legal action to take down dozens of domains used to control devices and proxy traffic through them.
It also partnered with Cloudflare to disrupt IPIDEA's domain resolution, impacting their ability to command and control infected devices and market their products.
IPIDEA is assessed to have enrolled devices using at least 600 trojanized Android apps that embedded various proxy software development kits (SDKs), and over 3,000 trojanized Windows binaries posing as OneDriveSync or Windows updates. Furthermore, the Beijing-based company has advertised several VPN and proxy apps that silently turned users' Android devices into proxy exit nodes without their knowledge or consent.
What's more, the operators have been found to run at least a dozen residential proxy businesses that masquerade as legitimate services. Behind the scenes, all these offerings are connected to a centralized infrastructure that's under the control of IPIDEA.
Some of the other noteworthy trends observed by Cloudflare during Q4 2025 are as follows -
Telecommunications, service providers, and carriers emerged as the most attacked sector, followed by information technology, gambling, gaming, and computer software verticals.
China, Hong Kong, Germany, Brazil, the U.S., the U.K., Vietnam, Azerbaijan, India, and Singapore were the most attacked countries.
Bangladesh surpassed Indonesia to become the largest source of DDoS attacks. Other top sources included Ecuador, Indonesia, Argentina, Hong Kong, Ukraine, Vietnam, Taiwan, Singapore, and Peru.
"DDoS attacks are rapidly growing in sophistication and size, surpassing what was previously imaginable," Cloudflare said. "This evolving threat landscape presents a significant challenge for many organizations to keep pace. Organizations currently relying on on-premise mitigation appliances or on-demand scrubbing centers may benefit from re-evaluating their defense strategy."
from The Hacker News https://ift.tt/3DGwy0f
via IFTTT
This week didn’t produce one big headline. It produced many small signals — the kind that quietly shape what attacks will look like next.
Researchers tracked intrusions that start in ordinary places: developer workflows, remote tools, cloud access, identity paths, and even routine user actions. Nothing looked dramatic on the surface. That’s the point. Entry is becoming less visible while impact scales later.
Several findings also show how attackers are industrializing their work — shared infrastructure, repeatable playbooks, rented access, and affiliate-style ecosystems. Operations are no longer isolated campaigns. They run more like services.
This edition pulls those fragments together — short, precise updates that show where techniques are maturing, where exposure is widening, and what patterns are forming behind the noise.
In a sign that the threat actor has moved beyond government targets, the Pakistan-aligned APT36 threat actor has been observed targeting India's startup ecosystem, using ISO files and malicious LNK shortcuts using sensitive, startup-themed lures to deliver Crimson RAT, enabling comprehensive surveillance, data exfiltration, and system reconnaissance. The initial access vector is a spear-phishing email carrying an ISO image. Once executed, the ISO contains a malicious shortcut file and a folder holding three files: a decoy document, a batch script that acts as the persistence mechanism, and the final Crimson RAT payload, disguised as an executable named Excel. "Despite this expansion, the campaign remains closely aligned with Transparent Tribe's historical focus on Indian government and defense-adjacent intelligence collection, with overlap suggesting that startup-linked individuals may be targeted for their proximity to government, law enforcement, or security operations," Acronis said.
The threat activity cluster known as ShadowSyndicate has been linked to two additional SSH markers that connect dozens of servers to the same cybercrime operator. These hosts are then used for a wide range of malicious activities by various threat clusters linked to Cl0p, BlackCat, Ryuk, Malsmoke, and Black Basta. A notable finding is that the threat actor tends to transfer servers between their SSH clusters. ShadowSyndicate continues to be associated with toolkits including Cobalt Strike, Metasploit, Havoc, Mythic, Sliver, AsyncRAT, MeshAgent, and Brute Ratel. "The threat actor tends to reuse previously employed infrastructure, sometimes rotating various SSH keys across their servers," Group-IB said. "If such a technique is performed correctly, the infrastructure is transferred subsequently, much like in a legitimate scenario, when a server goes to a new user."
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has tweaked 59 actively exploited vulnerability notices in 2025 to reflect their use by ransomware groups. That list includes 16 entries for Microsoft, six for Ivanti, five for Fortinet, three for Palo Alto Networks, and three for Zimbra. "When it flips from 'Unknown' to 'Known,' reassess, especially if you've been deprioritizing that patch because 'it's not ransomware-related yet," GreyNoise's Glenn Thorpe said.
Polish authorities have detained a 60-year-old employee of the country's defense ministry on suspicion of spying for a foreign intelligence agency. The suspect worked in the Ministry of National Defense’s strategy and planning department, including on military modernization projects, officials said. While the name of the country was not revealed, Polish state officials told local media that the suspect had worked with Russian and Belarusian intelligence services. In a related development, Poland's Central Bureau for Combating Cybercrime (CBZC) said a 20-year-old man has been arrested for allegedly conducting distributed denial-of-service (DDoS) attacks on high-profile websites, including those of strategic importance. The individual faces six charges and a potential five-year prison sentence.
Multiple attack vectors have been disclosed in GitHub Codespaces that allow remote code execution simply by opening a malicious repository or pull request. The identified vectors include: (1) .vscode/settings.json with PROMPT_COMMAND injection, (2) .devcontainer/devcontainer.json with postCreateCommand injection, and (3) .vscode/tasks.json with folderOpen auto-run tasks. "By abusing VSCode-integrated configuration files that Codespaces automatically respects, an adversary can execute arbitrary commands, exfiltrate GitHub tokens and secrets, and even abuse hidden APIs to access premium Copilot models," Orca Security researcher Roi Nisimi said. Microsoft has deemed the behavior to be by design.
The financial sector in the Nordics has been targeted by the North Korea-linked Lazarus Group as part of a long-running campaign dubbed Contagious Interview that drops a stealer and downloads a named BeaverTail. "BeaverTail contains functionality that will automatically search the victim's machine for cryptocurrency-related data, but can also be used as a remote access tool for further attacks," TRUESEC said.
In a new analysis, SOCRadar said the pro-Russian hacktivist outfit known as NoName057(16) is using a volunteer-distributed DDoS weapon called DDoSia Project to disrupt government, media, and institutional websites tied to Ukraine and Western political interests. Through active Telegram channels with over 20,000 followers, the group frames the disruptive (but non-destructive) attacks as "self-defense" against Western aggression and provides real-time evidence of successful disruptions. Its ideologically driven campaigns often coincide with major geopolitical events, countering sanctions and military aid announcements with retaliatory cyber attacks. "Unlike traditional botnets that compromise systems without user knowledge, DDoSia operates on a disturbing premise: thousands of willing participants knowingly install the tool and coordinate attacks against targets designated by the group's operators," SOCRadar said. "Through propaganda, gamification, and cryptocurrency rewards, NoName057(16) has built a distributed attack force that requires minimal technical skill to join, yet demonstrates remarkable operational sophistication." According to Censys, targeting of the purpose-built tool is heavily focused on Ukraine, European allies, and NATO states in government, military, transportation, public utilities, financial, and tourism sectors.
A major cybercriminal operation dubbed Rublevka Team specializes in large-scale cryptocurrency theft since its inception in 2023, generating over $10 million through affiliate-driven wallet draining campaigns. "Rublevka Team is an example of a 'traffer team,' composed of a network of thousands of social engineering specialists tasked with directing victim traffic to malicious pages," Recorded Future said. "Unlike traditional malware-based approaches such as those used by the trafficker teams Markopolo and Crazy Evil, Rublevka Team deploys custom JavaScript scripts via spoofed landing pages that impersonate legitimate crypto services, tricking victims into connecting their wallets and authorizing fraudulent transactions." Rublevka Team offers affiliates access to fully automated Telegram bots, landing page generators, evasion features, and support for over 90 wallet types. This further lowers the technical barrier to entry, allowing the threat actors to build an extensive ecosystem of global affiliates capable of launching high-volume scams with minimal oversight. Rublevka Team's primary Telegram channel has approximately 7,000 members to date.
Microsoft is urging customers to secure their infrastructure with Transport Layer Security (TLS) version 1.2 for Azure Blob Storage, and remove dependencies on TLS version 1.0 and 1.1. "On February 3, 2026, Azure Blob Storage will stop supporting versions 1.0 and 1.1 of Transport Layer Security (TLS)," Microsoft said. "TLS 1.2 will become the new minimum TLS version. This change impacts all existing and new blob storage accounts, using TLS 1.0 and 1.1 in all clouds. Storage accounts already using TLS 1.2 aren't impacted by this change."
In a new campaign, fake voicemail messages with bank-themed subdomains have been found to direct targets to a convincing "listen to your message" experience that's designed to look routine and trustworthy. In reality, the attack leads to the deployment of Remotely RMM, a legitimate remote access software, that enrolls the victim system into an attacker-controlled environment to enable persistent remote access and management. "The flow relies on social engineering rather than exploits, using lures to persuade users to approve installation steps," Censys said. "The end goal is installation of an RMM (remote monitoring and management) tool, enrolling the device into an attacker-controlled environment."
A long-running malware operation known as SystemBC (aka Coroxy or DroxiDat) has been tied to more than 10,000 infected IP addresses globally, including systems associated with sensitive government infrastructure in Burkina Faso and Vietnam. The highest concentration of infected IP addresses has been observed in the U.S., followed by Germany, France, Singapore, and India, per Silent Push. Known to be active since at least 2019, the malware is commonly used to proxy traffic through compromised systems, to maintain persistent access to internal networks, or deploy additional malware. "SystemBC-associated infrastructure presents a sustained risk due to its role early in intrusion chains and its use across multiple threat actors," Silent Push said. "Proactive monitoring is critical, as activity tied to SystemBC is often a precursor to ransomware deployment and other follow-on abuse."
A new spear-phishing campaign using business-themed lures has been observed luring users into running a Windows screensaver (.SCR) file that discreetly installs a legitimate RMM tool like SimpleHelp, giving attackers interactive remote control. "The delivery chain is built to evade reputation-based defenses by hiding behind trusted services," ReliaQuest said. "This reduces attacker-owned infrastructure and makes takedown and containment slower and less straightforward. SCR files are a reliable initial-access vector because they're executables that don't always receive executable-level controls. When users download and run them from email or cloud links, attackers can trigger code execution while bypassing policies tuned primarily for EXE and MSI files."
Threat actors are abusing a legitimate but revoked Guidance Software (EnCase) kernel driver as part of a bring your own vulnerable driver (BYOVD) attack to elevate privileges and attempt to disarm 59 security tools. In an attack observed earlier this month, attackers leveraged compromised SonicWall SSL-VPN credentials to gain initial access to a victim network and deployed an EDR that abused the driver ("EnPortv.sys") to terminate security processes from kernel mode. "The attack was disrupted before ransomware deployment, but the case highlights a growing trend: threat actors weaponizing signed, legitimate drivers to blind endpoint security," Huntress researchers Anna Pham and Dray Agha said. "The EnCase driver's certificate expired in 2010 and was subsequently revoked, yet Windows still loads it, a gap in Driver Signature Enforcement that attackers continue to exploit."
Security researchers have discovered a coding mistake in Nitrogen ransomware that causes it to encrypt all the files with the wrong public key, irrevocably corrupting them. "This means that even the threat actor is incapable of decrypting them, and that victims that are without viable backups have no ability to recover their ESXi encrypted servers," Coveware said. "Paying a ransom will not assist these victims, as the decryption key/ tool will not work."
An offensive cloud operation targeting an Amazon Web Services (AWS) environment went from initial access to administrative privileges in eight minutes. The speed of the attack notwithstanding, Sysdig said the activity bears hallmarks of large language model (LLM) use to automate reconnaissance, generate malicious code, and make real-time decisions. "The threat actor gained initial access to the victim's AWS account through credentials discovered in public Simple Storage Service (S3) buckets," Sysdig said. "Then, they rapidly escalated privileges through Lambda function code injection, moved laterally across 19 unique AWS principals, abused Amazon Bedrock for LLMjacking, and launched GPU instances for model training."
A phishing scheme has utilized phishing emails themed around procurements and tenders to distribute PDF attachments that initiate a multi-stage attack chain to steal users' Dropbox credentials and send them to a Telegram bot. Once the data is transmitted, it simulates a login process using a 5-second delay and is configured to display an "Invalid email or password" error message. "The malicious chain relies on seemingly legitimate cloud infrastructure, such as Vercel Blob storage, to host a PDF that ultimately redirects victims to a Dropbox-impersonation page designed to harvest credentials," Forcepoint said. "Because Dropbox is a familiar and trusted brand, the request for credentials appeared reasonable to the unsuspecting users. It’s here that the campaign moves from deception to impact."
A critical-rated security flaw in Sandboxie (CVE-2025-64721, CVSS score: 9.9) has been disclosed that, if successfully exploited, could allow sandboxed processes to execute arbitrary code as SYSTEM, fully compromising the host. The problem is rooted in a service named "SboxSvc.exe," which runs with SYSTEM permissions and functions as the "Responsible Adult" between sandboxed processes and the real computer resources. The issue has been addressed in version 1.16.7. "In this case, the reliance on manual C-style pointer arithmetic over a safe interface definition (like IDL) left a gap," depthfirst researcher Mav Levin, who discovered the vulnerability, said. "A single missing integer overflow check, coupled with implicit trust in client-provided message lengths, turned the Responsible Adult into a victim."
Attack surface management platform Censys said it's tracking 57 active AsyncRAT-associated hosts exposed on the public internet as of January 2026. First released in 2019, AsyncRAT enables long-term unauthorized access and post-compromise control, making it a reliable tool for credential theft, lateral movement staging, and follow-on payload delivery. Out of the 57 total assets, the majority are hosted on APIVERSA (13% of hosts), Contabo networks (11% combined), and AS-COLOCROSSING (5.5%), indicating operators prioritize low-cost, abuse-tolerant hosting over major cloud providers. "These hosts are primarily concentrated within a small number of VPS-focused autonomous systems and frequently reuse a distinctive self-signed TLS certificate identifying the service as an 'AsyncRAT Server,' enabling scalable discovery of related infrastructure beyond sample-based detection," Censys said.
An analysis of various campaigns mounted by Chinese hacking groups Violet Typhoon and Volt Typhoon has revealed the use of some common tactics: exploiting zero-day flaws in edge devices, living-off-the-land (LotL) techniques to traverse networks and hide within normal network activity, and Operational Relay Box (ORB) networks to conceal espionage operations. "Not only will Chinese nation-state threat actors almost certainly continue to pursue high-value targets, but it is probable they will scale up their operations to conduct global campaigns and target as many entities in each region or sector as possible to maximize their gains at every exploitation," Intel471 said. "The acceleration of improvements in the cybersecurity posture of numerous key targeted countries has compelled Chinese state-sponsored intelligence forces to become more innovative with their attack strategies."
Threat actors are using a framework named IClickFix that can be used to build ClickFix pages on hacked WordPress sites. According to security firm Sekoia, the framework has been live on more than 3,800 sites since December 2024. "This cluster uses a malicious JavaScript framework injected into compromised WordPress sites to display the ClickFix lure and deliver NetSupport RAT," the French cybersecurity company said. The malware distribution campaign leverages the ClickFix social engineering tactic through a Traffic Distribution System (TDS). It's suspected that the attacker abuses the open-source URL shortener YOURLS as the TDS. In recent months, threat actors have also been found using another TDS called ErrTraffic to inject malicious JavaScript in compromised websites so as to cause them to glitch and then suggest a fix to address the non-existent problem.
Across these updates, the common thread is operational efficiency. Attackers are cutting time between access and impact, removing friction from tooling, and relying more on automation, prebuilt frameworks, and reusable infrastructure. Speed is no longer a byproduct — it’s a design goal.
Another shift sits on the defensive side. Several cases show how security gaps are forming not from unknown threats, but from known behaviors — legacy configurations, trusted integrations, overlooked exposure, and assumptions about how tools should behave.
Taken together, the signals point to a threat environment that is scaling quietly rather than loudly — broader reach, lower visibility, and faster execution cycles. The fragments in this bulletin map that direction.
from The Hacker News https://ift.tt/yITrl0z
via IFTTT
This investigation unveils a new cyberespionage group that Unit 42 tracks as TGR-STA-1030. We refer to the group’s activity as the Shadow Campaigns. We assess with high confidence that TGR-STA-1030 is a state-aligned group that operates out of Asia. Over the past year, this group has compromised government and critical infrastructure organizations across 37 countries. This means that approximately one out of every five countries has experienced a critical breach from this group in the past year. Further, between November and December 2025, we observed the group conducting active reconnaissance against government infrastructure associated with 155 countries.
This group primarily targets government ministries and departments. For example, the group has successfully compromised:
Five national-level law enforcement/border control entities
Three ministries of finance and various other government ministries
Departments globally that align with economic, trade, natural resources and diplomatic functions
Given the scale of compromise and the significance of these organizations, we have notified impacted entities and offered them assistance through responsible disclosure protocols.
Here we describe the technical sophistication of the actors, including the phishing and exploitation techniques, tooling and infrastructure used by the group. We provide defensive indicators to include infrastructure that is active at the time of this publication. Further, we explore an in-depth look at victimology by region with the intent of demonstrating the suspected motivations of the group. The results indicate that this group prioritizes efforts against countries that have established or are exploring certain economic partnerships.
Additionally, we have also pre-shared these indicators with industry peers to ensure robust cross-industry defenses against this threat actor.
Palo Alto Networks customers are better protected from the threats described in this article through products and services, including:
Unit 42 first identified TGR-STA-1030 (aka UNC6619) upon investigating a cluster of malicious phishing campaigns (referred to here as the Shadow Campaigns) targeting European governments in early 2025. We use the prefix TGR-STA as a placeholder to denote a temporary group of state-aligned activity while we continue to refine attribution to a specific organization.
Since our initial investigation, we have identified actor infrastructure dating as far back as January 2024, suggesting that the group has been active for at least two years. Over the past year, we have monitored the evolution and expansion of the group as it has compromised:
Five national-level law enforcement/border control entities
Three ministries of finance and various other government ministries
Departments globally that align with economic, trade, natural resources and diplomatic functions
We assess with high confidence that TGR-STA-1030 is a state-aligned group that operates out of Asia. We base this assessment on the following findings:
Frequent use of regional tooling and services
Language setting preferences
Targeting and timing that routinely align with events and intelligence of interest to the region
Upstream connections to operational infrastructure originating from the region
Actor activity routinely aligning with GMT+8
Additionally, we found that one of the attackers uses the handle “JackMa,” which could refer to the billionaire businessman and philanthropist who co-founded Alibaba Group and Yunfeng Capital.
Phishing
In February 2025, Unit 42 investigated a cluster of malicious phishing campaigns targeting European governments. These campaigns followed a pattern of being sent to government email recipients with a lure of a ministry or department reorganization and links to malicious files hosted on mega[.]nz. Figure 1 below shows an example.
Figure 1. Example phishing email (translated).
Clicking on the link downloads an archive file with language and naming that is consistent with the targeted country and ministry.
We assess that an Estonian government entity identified the campaign and uploaded one such ZIP archive to a public malware repository. In this case, the Estonian filename was:
Politsei- ja Piirivalveameti organisatsiooni struktuuri muudatused.zip
This translates to Changes to the organizational structure of the Police and Border Guard Board.zip
Diaoyu Loader
Analyzing the archive, we found that the contents were last modified on Feb. 14, 2025. Further, the archive itself contains an executable file containing an identical name as the ZIP and a zero-byte file named pic1.png.
Reviewing the executable metadata, we found that the file version is presented as 2025,2,13,0, suggesting that the file was likely created one day prior, on Feb. 13. This date also corresponds to the PE compile timestamp.
Additionally, the metadata shows that the file’s original name was DiaoYu.exe. The term Diaoyu translates to fishing, or phishing in a cybersecurity context.
The malware employs a dual-stage execution guardrail to thwart automated sandbox analysis. Beyond the hardware requirement of a horizontal screen resolution greater than or equal to 1440, the sample performs an environmental dependency check for a specific file (pic1.png) in its execution directory.
In this context, pic1.png acts as a file-based integrity check. If the malware sample is submitted to a sandbox in isolation, the absence of this auxiliary file causes the process to terminate gracefully before detonation, effectively masking its malicious behavior. Only upon satisfying these prerequisites does the malware proceed to audit the host for the following cybersecurity products:
Avp.exe (Kaspersky)
SentryEye.exe (Avira)
EPSecurityService.exe (Bitdefender)
SentinelUI.exe (Sentinel One)
NortonSecurity.exe (Symantec)
This narrow selection of products is interesting, and it is unclear why the actor chose to only look for these specific products. While various malware families commonly check for the presence of antivirus products, malware authors typically include a more comprehensive list that encompasses a variety of global providers.
After checking for these products, the malware downloads the following files from GitHub:
It should be noted that the padeqav GitHub project is no longer available.
Finally, the malware performs a series of actions on these files that ultimately result in the installation of a Cobalt Strike payload.
Exploitation
In addition to phishing campaigns, the group often couples exploitation attempts with their reconnaissance activities to gain initial access to target networks. To date, we have not observed the group developing, testing or deploying any zero-day exploits. However, we assess that the group is comfortable testing and deploying a wide range of common tools, exploitation kits and proof-of-concept code for N-day exploits.
For example, over the past year, our Advanced Threat Prevention service has detected and blocked attempts by the group to exploit the following types of vulnerabilities:
SAP Solution Manager privilege escalation vulnerability
Pivotal Spring Data Commons remote file read XXE vulnerability
Microsoft Open Management Infrastructure remote code execution vulnerability
Microsoft Exchange Server remote code execution vulnerability
On one occasion, we observed the actor connecting to e-passport and e-visa services associated with a ministry of foreign affairs. Because the server for these services was configured with Atlassian Crowd software, the actor attempted to exploit CVE-2019-11580, uploading a payload named rce.jar. The code included in the payload was similar to the description of code from another analysis of CVE-2019-11580 provided by Anquanke.
Tooling
We assess that the group relies heavily on a mix of command-and–control (C2) frameworks and tools common to the actors’ region to move laterally and maintain persistent access within compromised environments.
C2 Frameworks
From 2024 through early 2025, we observed the group commonly deploying Cobalt Strike payloads. However, over time the group slowly transitioned to VShell as its tool of choice.
VShell is a Go-based C2 framework. The group often configures its web access on 5-digit ephemeral TCP ports using ordered numbers. In November 2025, NVISO published comprehensive research [PDF] on the origins of this tool, its features and its wide-scale use by multiple threat groups and actors.
Within the past year, we assess that the group has also leveraged frameworks like Havoc, SparkRat and Sliver with varying degrees of success.
Web Shells
TGR-STA-1030 has frequently deployed web shells on external-facing web servers as well as on internal web servers to maintain access and enable lateral movement. The three most common web shells used by the group are Behinder, Neo-reGeorg and Godzilla.
Further, we noted during one investigation that the group attempted to obfuscate its Godzilla web shells using code from the Tas9er GitHub project. This project obfuscates code by creating functions and strings with names like Baidu. It also adds explicit messages to governments.
Tunnels
We have observed the group leveraging GO Simple Tunnel (GOST), Fast Reverse Proxy Server (FRPS), and IOX across both their C2 infrastructure and compromised networks to tunnel desired network traffic.
Introducing ShadowGuard
During an investigation, we identified the group using a new Linux kernel rootkit, ShadowGuard. The sample we discovered (SHA-256 hash 7808B1E01EA790548B472026AC783C73A033BB90BBE548BF3006ABFBCB48C52D) is an Extended Berkeley Packet Filter (eBPF) rootkit designed for Linux systems. At this time, we assess that the use of this rootkit is unique to this group.
eBPF backdoors are notoriously difficult to detect because they operate entirely within the highly trusted kernel space. eBPF programs do not appear as separate modules. Instead, they execute inside the kernel's BPF virtual machine, making them inherently stealthy. This allows them to manipulate core system functions and audit logs before security tools or system monitoring applications can see the true data.
This backdoor leverages eBPF technology to provide the following kernel-level stealth capabilities:
Kernel-level concealment: It can conceal process information details directly at the kernel level.
Process hiding (syscall interception): The tool intercepts critical system calls, specifically using custom kill signals (entry and exit points) to identify which processes the attacker wants to hide.
It conceals specified process IDs (PIDs), making them invisible to standard user-space analysis tools like the standard Linux ps aux command
It can hide up to 32 processes simultaneously
File and directory hiding: It features a hard-coded check to specifically conceal directories and files named swsecret.
Allow-listing: The backdoor includes an allow list mechanism where processes placed on the list are deliberately excluded and remain unaffected by the hiding functionality.
When started, the program will automatically check for the following:
Root privileges
eBPF support
Tracepoint support
Example commands once ShadowGuard is started are shown below in Table 1.
Command
Overview
kill -900 1234
-900 = Add target PID (1234) to the allow list
kill -901 1234
-901= Remove target PID (1234) from the allow list
touch swsecret_config.txt
mkdir swsecret_data
* Note: By default ShadowGuard hides/conceals any directories or files namedswsecret. This could be a shortened, internal code name used by the rootkit's developers to tag their own files. Example: “Put all configuration and logs inside a directory namedswsecret.”
ls -lafiles/directories beginning withswsecretshould display as a dot.(i.e., it should be hidden)
Table 1. Examples of commands for ShadowGuard.
Infrastructure
Consistent with any advanced actor conducting cyberespionage, this group goes to great lengths to mask and obfuscate the origin of its operations. However, despite all of its best efforts, it is exceptionally hard to overcome the following two challenges:
Network Traffic Inspection: It is widely known that several nations employ methods to censor and filter traffic entering/exiting their respective countries. As such, it is extremely unlikely that foreign cyberespionage groups would willingly route their network traffic through any nation that employs these inspection capabilities.
Network evolution: Maintaining infrastructure for cyberespionage operations is hard. It requires the routine creation of new domains, virtual private servers (VPS) and network tunnels. Studying a group’s infrastructure over time almost always reveals mistakes and errors where tunnels collapse or perhaps identity protection services expire.
Network Structure
We assess that the group applies a multi-tiered infrastructure approach to obfuscate its activities.
Victim-Facing
The group routinely leases and configures its C2 servers on infrastructure owned by a variety of legitimate and commonly known VPS providers. However, unlike most groups that configure their malicious infrastructure on bulletproof providers or in obscure locations, this group prefers to establish its infrastructure in countries that have a strong rule of law.
For example, the group frequently chooses virtual servers in the U.S., UK and Singapore. We assess this preference in locations likely aids the group in three ways:
Infrastructure may appear more legitimate to network defenders
This could enable low-latency connections across the Americas, Europe and Southeast Asia
These locations have separate laws, policies and priorities that govern the operations of their domestic law enforcement and foreign intelligence organizations. Thus, having infrastructure in these locations likely necessitates cross-agency cooperation efforts for their governments to effectively investigate and track the group.
Relays
To connect to the C2 infrastructure, the group leases additional VPS infrastructure that it uses to relay traffic through. These hosts are often configured with SSH on port 22 or a high-numbered ephemeral port. In some cases, we have also observed hosts configured with RDP on port 3389.
Proxies
Over time, the group has leveraged a variety of capabilities to anonymize its connections to the relay infrastructure. In early 2025, we observed the group using infrastructure we associated with DataImpulse, a company that provides residential proxy services. Since then, we have observed the group using the Tor network and other proxy services.
Upstream
In tracking upstream infrastructure, it is important to recognize that the primary goal of an espionage group is to steal data. To accomplish that task, a group has to build a path from the compromised network back to a network it can access. As such, the flow of data upstream typically correlates geographically to the group’s physical location.
As noted above, the act of maintaining all of this infrastructure and its associated connections is quite challenging. On occasion, the group makes mistakes either because it forgets to establish a tunnel or because a tunnel collapses. When this happens, the group connects directly from its upstream infrastructure.
On several occasions, we have observed the group connecting directly to relay and victim-facing infrastructure from IP addresses belonging to Autonomous System (AS) 9808. These IP addresses are owned by an internet service provider in the group’s region.
Domains
We have identified several domains used by the group to facilitate malware C2 communications. Most were registered with the following top-level domains:
me
live
help
tech
Noteworthy domains include:
gouvn[.]me
The group used this domain to target Francophone countries that use gouv to denote government domains. While the actor consistently pointed this domain name to leased victim-facing VPS infrastructure, we noted an anomaly in late 2024. While the domain never pointed to it, the actor appears to have copied an X.509 certificate with the common name gouvn[.]me from a victim-facing VPS to a Tencent server located in the actors’ region. Here it was visible for four days in November 2024.
dog3rj[.]tech
The group used this domain to target European nations. It’s possible that the domain name could be a reference to “DOGE Jr,” which has several meanings in a Western context, such as the U.S. Department of Government Efficiency or the name of a cryptocurrency. This domain was registered using an email address associated with the domain 888910[.]xyz.
zamstats[.]me
The group used this domain to target the Zambian government.
Global Targeting Overview
Over the course of the past year the group has substantially increased its scanning and reconnaissance efforts. This shift follows the group's evolution from phishing emails to exploits for initial access. Most emblematic of this activity, we observed the group scanning infrastructure across 155 countries between November and December 2025, as noted in Figure 2.
Figure 2. Countries targeted by TGR-STA-1030 reconnaissance between November and December 2025.
Given the expansive nature of the activity, some analysts might wrongly assume that the group simply launches broad scans across the entire IPv4 space from 1.1.1[.]1 to 255.255.255[.]255, but that is not the case. Based on our observation, the group focuses its scanning narrowly on government infrastructure and specific targets of interest across each country.
The group’s reconnaissance efforts shed light on its global interests. We have also observed the group's success at compromising several government and critical infrastructure organizations globally. We assess that over the past year, the group compromised at least 70 organizations across 37 countries, as shown in Figure 3. The attackers were able to maintain access to several of the impacted entities for months.
Figure 3. Locations of organizations impacted in 2025.
Impacted organizations include ministries and departments of interior, foreign affairs, finance, trade, economy, immigration, mining, justice and energy.
This group compromised one nation’s parliament and a senior elected official of another. It also compromised national-level telecommunications companies and several national police and counter-terrorism organizations.
While this group might be pursuing espionage objectives, its methods, targets and scale of operations are alarming, with potential long-term consequences for national security and key services.
By closely monitoring the timing of the group’s operations, we have drawn correlations between several of its campaigns and real-world events. These correlations inform assessments as to the group’s potential motivations. The following sections provide additional insights from notable situations by geographic region.
Americas
During the U.S. government shutdown that began in October 2025, the group began to display greater interest in organizations and events occurring across North, Central and South American countries. Over that month, we observed scanning of government infrastructure across Brazil, Canada, Dominican Republic, Guatemala, Honduras, Jamaica, Mexico, Panama and Trinidad and Tobago.
Perhaps the most pronounced reconnaissance occurred on Oct. 31, 2025, when we observed connections to at least 200 IP addresses hosting Government of Honduras infrastructure. The timing of this activity falls just 30 days prior to the national election, in which both candidates signaled openness to restoring diplomatic relations with Taiwan.
In addition to reconnaissance activities, we assess that the group likely compromised government entities across Bolivia, Brazil, Mexico, Panama, and Venezuela, as noted in Figure 4.
Figure 4. Location of impacted entities in the Americas.
Bolivia
We assess that the group likely compromised the network of a Bolivian entity associated with mining. The motivation behind this activity could be associated with interest in rare earth minerals.
We find it noteworthy that the topic of mining rights became a central focus in Bolivia’s recent presidential election. In late July 2025, candidate Jorge Quiroga pledged to scrap multi-billion-dollar mining deals that the Bolivian government had previously signed with two nations.
Brazil
We assess that the group compromised Brazil’s Ministry of Mines and Energy. Brazil is considered to have the second largest supply of rare earth mineral reserves in the world.
According to public reporting, exports of these minerals tripled in the first half of 2025. As Asian companies tighten their global control on these resources, the U.S. has begun looking to Brazil for alternative sourcing.
In October, the U.S. Charge d'Affaires in Brazil held meetings with mining executives in the country. In early November, the U.S. International Development Finance Corporation invested $465 million in Serra Verde (a Brazilian rare earth producer). This has been seen as an effort to reduce reliance on Asia for these key minerals.
Mexico
We assess that the group compromised two of Mexico’s ministries. This activity is very likely associated with international trade agreements.
On Sept. 25, 2025, Mexico News Daily reported on an investigation into Mexico’s latest plans to impose tariffs on certain goods. Coincidentally, malicious network traffic was first seen originating from networks belonging to Mexico’s ministries within 24 hours of the trade probe announcement.
Panama
In December 2025, a report stated that local authorities destroyed a monument, prompting immediate condemnation from some leaders and calls for investigation.
Coincidentally, around the same time, we assess that TGR-STA-1030 likely compromised government infrastructure that may be associated with the investigation.
Venezuela
On Jan. 3, 2026, the U.S. launched Operation Absolute Resolve. This operation resulted in the capture of the Venezuelan president and his wife. In the days that followed, TGR-STA-1030 conducted extensive reconnaissance activities targeting at least 140 government-owned IP addresses.
We further assess that as early as Jan. 4, 2026, the group likely compromised an IP address that geolocates to a Venezolana de Industria Tecnológica facility, as seen in Figure 5. This organization was originally founded as a joint venture between the Venezuelan government and an Asian technology company. The venture enabled the production of computers as an early step toward deepening technology and economic ties between the two regions.
Figure 5. Geolocation data for the compromised IP address.
Europe
Throughout 2025, TGR-STA-1030 increased its focus on European nations. In July 2025, it applied a concerted focus toward Germany, where it initiated connections to over 490 IP addresses hosting government infrastructure.
In August 2025, Czech President Petr Pavel privately met with the Dalai Lama during a trip to India. In the weeks that followed, we observed scanning of Czech government infrastructure, including:
The Army
Police
Parliament
Ministries of Interior, Finance and Foreign Affairs
Separately, in late August, the group applied a concerted focus on European Union infrastructure. We observed the group attempting to connect to over 600 IP addresses hosting *.europa[.]eu domains.
In addition to reconnaissance activities, we assess that the group likely compromised government entities in countries across Cyprus, Czechia, Germany, Greece, Italy, Poland, Portugal and Serbia, as shown in Figure 6. In doing so, the group compromised at least one ministry of finance where it sought to collect intelligence on international development from both the impacted country as well as the European Union.
Figure 6. Location of impacted entities in Europe.
Cyprus
We assess that the group compromised government infrastructure in early 2025. The timing of this activity coincided with efforts by an Asian nation to expand certain economic partnerships across Europe. At the time, Cyprus was also taking preparatory steps toward assuming the presidency of the Council of the European Union at the end of the year, a position that it currently holds.
Greece
We assess that the group likely compromised infrastructure associated with the Syzefxis Project. This project was intended to modernize Greek public sector organizations using high-speed internet services.
Asia and Oceania
While the group performs scanning widely across both continents, TGR-STA-1030 appears to prioritize its reconnaissance efforts against countries in the South China Sea and Gulf of Thailand regions. We routinely observe scanning of government infrastructure across Indonesia, Thailand and Vietnam. For example, in early November 2025, we observed connections to 31 IP addresses hosting Thai government infrastructure.
Additionally, it’s worth noting that the group's reconnaissance efforts often extend beyond connections to web-facing content on ports 80 and 443. In November 2025, we also observed the group attempting to initiate connections to port 22 (SSH) on infrastructure belonging to:
Australia’s Treasury Department
Afghanistan’s Ministry of Finance
Nepal’s Office of the Prime Minister and Council of Ministers
In addition to reconnaissance activities, we assess that the group likely compromised government and critical infrastructure entities in countries including Afghanistan, Bangladesh, India, Indonesia, Japan, Malaysia, Mongolia, Papua New Guinea, Saudi Arabia, Sri Lanka, South Korea, Taiwan, Thailand, Uzbekistan and Vietnam, as shown in Figure 7.
Figure 7. Location of impacted entities in Asia and Oceania.
Indonesia
In March 2024, Indonesia pledged to increase certain counterterrorism coordination efforts. In mid-2025, the group compromised an Indonesian law enforcement entity.
We assess that the group also compromised infrastructure associated with an Indonesian government official. This activity might have been associated with the extraction of natural resources from Papua province. We found that the official was tasked with overseeing development in the province and foreign investment in the mining sector.
The group also compromised an Indonesian airline. The compromised infrastructure geolocates to facilities at Soekarno-Hatta International Airport as shown in Figure 8. The airline had been in talks with a U.S. aerospace manufacturer to purchase new aircraft as part of its strategic growth plans. At the same time, a competing interest was actively promoting aircraft from a manufacturer based in Southeast Asia.
Figure 8. Geolocation data for the compromised IP address.
Malaysia
We assess that the group compromised multiple Malaysian government departments and ministries. Using this access, the group sought to extract immigration and economic intelligence data.
Additionally, we assess that the group compromised a large private financial entity in Malaysia that provides microloans in support of low-income households and small businesses.
Mongolia
The group compromised a Mongolian law enforcement entity on Sept. 15, 2025. Shortly after, Mongolia’s Minister of Justice and Internal Affairs met with a counterpart from an Asian nation. Following the meeting, both countries signaled an intent to expand cooperation to combat transnational crime.
Given the timing, we assess that this activity was likely associated with intelligence gathering in support of the initial meeting and ongoing cooperation discussions.
Taiwan
In early 2025, the group compromised a major supplier in Taiwan's power equipment industry. With this access, we believe the group was able to access business files and directories pertaining to power generation projects across Taiwan. We further assess that in mid-December 2025, the group regained access to this network.
Thailand
We assess that on Nov. 5, 2025, the group compromised a Thai government department where it likely sought economic and international trade intelligence. The timing of this activity overlaps with the government’s effort to expand diplomatic relations with neighboring nations. As such, we assess the activity was likely intelligence gathering in support of the visit and future cooperation discussions.
Africa
It is our observation that when it comes to African nations, the group's focus remains split between military interests and the advancement of economic interests, specifically mining efforts.
We assess that the group likely compromised government and critical infrastructure entities in countries across the Democratic Republic of the Congo, Djibouti, Ethiopia, Namibia, Niger, Nigeria and Zambia, as shown in Figure 9:
Figure 9. Location of impacted entities in Africa.
Democratic Republic of the Congo (DRC)
We assess that in December 2025, the group compromised a government ministry in this country. We found that earlier in the year, an Asian mining firm was responsible for an acid spill that caused significant impacts to a river in neighboring Zambia. In November 2025, a second spill by another Asian company impacted the waterways around Lubumbashi, the second-largest city in the DRC. This event prompted authorities to suspend mining operations for a subsidiary of the Zhejiang Huayou Cobalt Co. Given the timing and the group's unique focus on mining operations, we assess that activity could be related to this mining situation.
Djibouti
Several nations maintain military bases in Djibouti. These bases enable combating piracy on the high seas as well as other regional logistics and defense functions across the Arabian Sea, Persian Gulf and Indian Ocean.
In mid-November, a new Naval Escort Group from one of the nations assumed responsibilities in the region. During its operational debut, the group escorted a Panamanian-registered bulk carrier called the Nasco Gem that carries cargo such as coal and ore. In the context of cyber activity, this could be related to the targeting of mining sectors we observed from TGR-STA-1030.
We assess that in late October 2025, the group gained access to a Djibouti government network. Given the timing of the activity, we believe it might be associated with intelligence collection in support of the naval handover operations.
Zambia
We assess that the group compromised a Zambian government network in 2025. This activity is likely associated with the Sino-Metals Leach Zambia situation.
In February, a dam that held waste from an Asian mining operation collapsed and polluted a major river with cyanide and arsenic. The situation and associated clean-up efforts remain a political point of contention.
Conclusion
TGR-STA-1030 remains an active threat to government and critical infrastructure worldwide. The group primarily targets government ministries and departments for espionage purposes. We assess that it prioritizes efforts against countries that have established or are exploring certain economic partnerships.
Over the past year, this group has compromised government and critical infrastructure organizations across 37 countries. Given the scale of compromise and the significance of the impacted government entities, we are working with industry peers and government partners to raise awareness of the threat and disrupt this activity.
We encourage network defenders and security researchers to leverage the indicators of compromise (IoCs) provided below to investigate and deploy defenses against this group.
Palo Alto Networks Protection and Mitigation
Palo Alto Networks customers are better protected from the threats discussed above through the following products and services:
The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the indicators shared in this research.
Advanced Threat Prevention is designed to defend networks against both commodity threats and targeted threats.
If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
UK: +44.20.3743.3660
Europe and Middle East: +31.20.299.3130
Asia: +65.6983.8730
Japan: +81.50.1790.0200
Australia: +61.2.4062.7950
India: 000 800 050 45107
South Korea: +82.080.467.8774
Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.
Cisco Talos uncovered “DKnife,” a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants that perform deep-packet inspection, manipulate traffic, and deliver malware via routers and edge devices. Based on the artifact metadata, DKnife has been used since at least 2019 and the command and control (C2) are still active as of January 2026.
DKnife’s attacks target a wide range of devices, including PCs, mobile devices, and Internet of Things (IoT) devices. It delivers and interacts with the ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android application updates.
DKnife primarily targets Chinese-speaking users, indicated by credential harvesting for Chinese-language services, exfiltration modules for popular Chinese mobile applications and code references to Chinese media domains. Based on the language used in the code, configuration files and the ShadowPad malware delivered in the campaign, we assess with high confidence that China-nexus threat actors operate this tool.
We discovered a link between DKnife and a campaign delivering WizardNet, a modular backdoor known to be delivered by a different AiTM framework Spellbinder, suggesting a shared development or operational lineage.
Background
Since 2023, Cisco Talos has continuously tracked the MOONSHINE exploit kit and the DarkNimbus backdoor it distributes. The exploit kit and backdoor were historically used for delivering Android and iOS exploits. While hunting for DarkNimbus samples, Talos discovered an executable and linkable format (ELF) binary communicating with the same C2 server as the DarkNimbus backdoor, which retrieved a gzip-compressed archive. Analysis revealed that the archive contained a fully featured gateway monitoring and AiTM framework, dubbed “DKnife” by its developer. Based on the artifact metadata, the tool has been used since at least 2019, and the C2 is still active as of January 2026.
Link between DKnife and WizardNet campaigns
During Talos' pivot on the C2 infrastructure associated with DKnife, we identified additional servers exhibiting open ports and configurations consistent with previously observed DKnife deployments. Notably, one host (43.132.205[.]118) displayed port activity characteristic of DKnife infrastructure and was additionally found hosting the WizardNet backdoor on port 8881.
WizardNet is a modular backdoor first disclosed by ESET in April 2025, known to be deployed via Spellbinder, a framework that performs AitM attacks leveraging IPv6 Stateless Address Autoconfiguration (SLAAC) spoofing.
Network responses from the WizardNet server align closely with the tactics, techniques, and procedures (TTPs) documented in ESET’s analysis. Specifically, the server delivered JSON-formatted tasking instructions that included a download URL pointing to an archive named minibrowser11_rpl.zip, which include the Wizardnet backdoor downloader.
Spellbinder’s TTPs, which involve hijacking legitimate application update requests and serving forged responses to redirect victims to malicious download URLs, are similar to DKnife’s method of compromising Android application updates. Spellbinder has also been observed distributing the DarkNimbus backdoor, whose C2 infrastructure previously led to the initial discovery of DKnife. The URL redirection paths (http[:]//[IP]:81/app/[app name]) and port configurations identified in these cases are identical to those used by DKnife, indicating a shared development or operational lineage.
Targeting scope
Based on artifacts recovered from the DKnife framework, this campaign appears to primarily target Chinese-speaking users. Indicators supporting this assessment include data collection and processing logic explicitly designed for Chinese mail services , as well as parsing and exfiltration modules tailored for Chinese mobile applications and messaging platforms, including WeChat. In addition, code references to Chinese media domains were identified in both the binaries and configuration files. The screenshot below illustrates an Android application hijacking response that targeted a Chinese taxi service and rideshare application.
It is important to note that Talos obtained the configuration files for analysis from a single C2 server. Therefore, it remains possible that the operators employ different servers or configurations for distinct regional targeting scopes. Considering the connection between DKnife and the WizardNet campaign and given ESET’s reporting that WizardNet activity has targeted the Philippines, Cambodia, and the United Arab Emirates, we cannot rule out a broader regional or multilingual targeting scope.
Figure 1.The manifest response used for Android application update.
Indication of Chinese-speaking threat actors
DKnife contains several artifacts that suggest the developer and operators are familiar with Simplified Chinese. Multiple comments written in Simplified Chinese appear throughout the DKnife configuration files (see Figure 2).
Figure 2.Example of Simplified Chinese language used in the comment of configuration files.
One component of DKnife is named yitiji.bin. The term "Yitiji" is the Pinyin (official romanization system for Mandarin Chinese) for "一体机" which means "all-in-one." In DKnife, this component is responsible for opening the local interface on the device to route traffic through a single device in this scenario.
Additionally, within the DKnife code, when reporting user activities back to the remote C2 server, multiple messages are labelled in Simplified Chinese to indicate the types of activities.
Figure 3. Simplified Chinese message embedded in the code and sent to remote C2.
DKnife: A gateway monitoring and AitM framework
DKnife is a full-featured gateway monitoring framework composed of seven ELF components that perform traffic manipulation across a target network. In addition to the seven ELF components that provide the core functionality, the framework comes with a list of configuration files (see Appendix for the full list), self-signed certificates, phishing templates, forged HTTP responses for hijacking and phishing, log files, and backdoor binaries.
The framework is designed to work with backdoors installed on compromised devices. Its key capabilities include serving update C2 for the backdoors, DNS hijacking, hijacking Android application updates and binary downloads, delivering ShadowPad and DarkNimbus backdoors, selectively disrupting security-product traffic and exfiltrating user activity to remote C2 servers. The following sections highlight DKnife’s key capabilities and explain how its seven ELF binaries work together to implement them.
Targeted platform
DKnife binaries are 64-bit Linux (x86-64) ELF implants that run on Linux-based devices. One of the components remote.bin imports the library "libcrypto.so.10", indicating it targets CentOS/RHEL-based platforms. Configuration elements such as PPPoE, VLAN tagging, a bridged interface (br0), and adjustable MTU and MAC parameters suggest that DKnife is tailored for edge or router devices running Linux-based firmware.
Figure 4. wxha.conf config file.
Key capabilities
The Deep Packet Inspection (DPI) logic and modular design of DKnife enable operators to conduct traffic monitoring campaigns ranging from covert monitoring of user activity to active in-line attacks that replace legitimate downloads with malicious payloads. The following sections highlight the framework’s key capabilities including:
Serving C2 to Android and Windows DarkNimbus malware
DNS hijacking
Android Application binary update hijacking
Windows binary hijacking
Anti-virus traffic disruption
User activity monitoring
Serving updated C2 to the Android and Windows DarkNimbus backdoors
In previously published research about the DarkNimbus backdoor, analysts noted that some samples communicated with their C2 servers using a custom protocol, leading to the hypothesis that the backdoor operated within an AiTM environment. Talos' discovery of DKnife validates this assessment.
DKnife is designed to work with both Android and Windows variants of DarkNimbus. For the Windows version, the dknife.bin component inspects UDP traffic and sends them to port 8005. When it identifies a request containing the string marker DKGETMMHOST, it constructs and returns a response specifying the C2 server address. The response includes two parameters: DKMMHOST and DKFESN. The DKMMHOST value is read from DKnife’s configuration file ("/dksoft/conf/server.conf"), which contains the line MMHOST URL=[value]. The DKFESN value represents a device identifier that DKnife retrieves from an internal server located at "192.168.92.92:8080".
Figure 5. Code excerpt from DKnife showing the handler for “Obtain C2” requests from the Windows version of DarkNimbus.
For the Android variants, the backdoor attempts to contact a Baidu URL "http[:]//fanyi.baidu[.]com/query_config_dk" to retrieve its C2 information. This URL does not return any response from Baidu itself; rather, it serves as a recognizable trigger for DKnife, which intercepts the request and injects the C2 response.
Figure6.Code from AndroidDarkNimbussamplee50247787d2e12c1e8743210a0c0e562cf694744436d93920a037d2f927f533.Figure7.Code inDKnifefor handling “ObtainC2” request from Android version ofDarkNimbus.
DNS hijacking
The DKnife framework relies on two main configuration files to control its DNS-based hijacking and attack logic. The dns.conf file defines the global keyword-to-IP mapping rules and framework parameters used for DNS interception. Theperdns.conffile extends this by defining per-target or campaign-specific DNS attack tasks, including timing parameters such as interval and duration for each attack. In the archive we obtained from the C2 server, only perdns.conf was present; it contained a template for setup rather than active attack data.
Figure8.Perdns.conftemplate.
DKnife supports both IPv4 and IPv6 DNS hijacking:
IPv4 (A) DNS hijacking:
For configured domains: replies with the per-domain IPv4 from dns.conf
For test.com: replies with 8.8.8.8 (and logs)
For JD-related domains (“api.m.jd.com”, “beta-api.m.jd.com”, “api.jd.co.th”, or “beta-api.jd.co.th”): replies with 10.3.3.3
IPv6 (AAAA) DNS hijacking:
For configured domains and for test.com: replies with fixed IPv6 IP 240e:a03:a03:303:a03:303:a03:303 (crafted)
The private IP address 10.3.3.3 belongs to the local interface created by the yitiji.bin component in DKnife. DKnife uses the local interface for delivering malicious binaries (see the following section). The crafted AAAA response is not an actual public address. When DKnife sees traffic addressed to that crafted IPv6, it checks the last 8 bytes of the address and converts it to the local interface address 10.3.3.3.
The code also specially tempers the domains associated with mail services. It takes the queried domain, removes any trailing period if present, then splits on “.” and extracts the leftmost label (e.g., “mail.example.com” into “mail”). It then looks up that label in the same per-domain configuration. Once the attack flag is enabled and the cooldown window has elapsed, it immediately injects a configured response to replace the original response.
Android application binary update hijacking
Figure9.Android APK download hijacking workflow.
DKnife can hijack and replace Android application updates by intercepting the update manifest requests. When an Android application sends an APK update manifest request, DKnife intercepts it, consults the configuration file, and selects the corresponding JSON response file to reply. This response contains a download URL redirecting to the URL of address 10.3.3.3, which DKnife recognizes and routes to the yitiji.bin created Local Area Network (LAN) to deliver malware instead of the legitimate update APK.
The configuration file /dksoft/conf/url.cfg defines the rules and responses used for traffic blocking, phishing on Android and Windows platforms, executable file (.exe) hijacking, and credential-phishing page responses. The file follows the format: [Request URL] [Response JSON file] as shown in Figure 11.
Figure 10. Configuration file url.cfg defines the targeted sites and update manifest file response DKnife is sending to the requested URL.
Within the /bin/html/dkay-scripts folder of the DKnife archive, there are 185 JSON files configured to hijack applications. The targeted applications are mostly popular Chinese-language services (some only available in China), including news media, video streaming, image editing apps, e-commerce platforms, taxi-service platforms, gaming, and pornography video streaming, among others. An example response used to hijack a Chinese photo editing application update request is shown below:
Figure 11. The response manifest file (11184.json) for hijacking the APK download
Windows binary hijacking for delivering Shadowpad and DarkNimbus
In addition to Android update hijacking, DKnife also supports hijacking of Windows and other binary downloads. The hijacking rules are set up during initialization. DKnife attempts to read the rules configuration file at /dksoft/conf/rules.aes and decrypts it using a variant of the Tiny Encryption Algorithm (TEA) algorithm employed by Tencent’s older OICQ/QQ login protocols, commonly referred to as QQ TEA. DKnife decrypts the file with a key dianke0123456789, and saves the decrypted file as rules.conf.
Figure 12.QQ TEA decipher algorithm
Talos did not obtain the rules.aes file from the archive we downloaded. However, based on the code analysis, rules.conf is the configuration to define what requests to match, what to send back, when to throttle and tracking the response. The rules include the following information:
Fieldin the line
Description
id=<number>
Rule ID
host=<regex>
Matching host IP
user_agent=<regex>
Matching User Agent
url=<regex>
Matching URL
file=<relative path>
Relative file name points into“/dksoft/html/dkay-scripts/”.
location=<HTTP Location>
HTTP location usedfor 302 redirects
msg=<plain text>
Message for operator
interval=<sec>
Minimumseconds between two injections to the same victim
duration=<sec>
How long the rule stays activeonce triggered
After reading the rules into a data structure in the memory, the rules.conf file is deleted on the device. When an HTTP request’s Host and URI match the configured rule, DKnife evaluates the rule’s duration and interval timers to determine whether to trigger. If the rule fires and the requested filename has a matching extension (e.g., “.exe”, “.rar”, “.zip”, or “.apk”), DKnife forges an HTTP 302 redirect whose Location URL is taken from the rule’s data field.
Figure 13.Code tomatch on the binary download and respond with HTTP 302.
If the binary download URL matches a specific pattern (“.exe” extension after the query symbol), the file name is replaced with install.exe.
Figure 14.Code to replace.exedownload file name.
Shadowpad and DarkNimbus backdoors
The install.exe file (SHA256: 2550aa4c4bc0a020ec4b16973df271b81118a7abea77f77fec2f575a32dc3444) is found in the downloaded archive under path /dkay-scripts/. It is a RAR self extraction package containing three binaries, that are actually ShadowPad and the DarkNimbus backdoor, which both being reported [1,2] used by China-nexus threat actors. When launched, the legitimate .exe (TosBtKbd.exe) sideloads the ShadowPad DLL loader (TosBtKbd.dll), which then loads the DarkNimbus DLL backdoor (TosBtKbdLayer.dll). That DarkNimbus backdoor calls out to the Cloudflare DNS address 1.1.1.1, which DKnife intercepts to return the real C2 IP.
Figure 15. Shadowpad and DarkNimbus backdoor delivered by DKnife.
The Shadowpad sample has not been previously reported but is very similar to a previously reported sample. Although it uses a different unpacking XOR seed key, it employs the same unpacking algorithm.
Figure 16. Unpacking algorithm used in the Shadowpad loader sample (SHA256: 43891d3898a54a132d198be47a44a8d4856201fa7a87f3f850432ba9e038893a)Figure 17. Unpacking algorithm used in the Trend Micro’s sample (SHA256: c59509018bbbe5482452a205513a2eb5d86004369309818ece7eba7a462ef854)
The Shadowpad samples (both .exe and .dll) are signed with two certificates both issued from the signer “四川奇雨网络科技有限公司”. This is a company located in Sichuan Chengdu, China specialised in developing computer software and providing network communication devices, according to publiclyavailable information. Pivoting on this signer, Talos found 17 samples that contain the Shadowpad and DarkNimbus backdoor.
Anti-virus traffic disruption
The DKnife traffic inspection module actively identifies and interferes with communications from antivirus and PC-management products. It detects 360 Total Security by searching HTTP headers (e.g., the DPUname header in GET requests or the x-360-ver header in POST requests) and by matching known service domain names. When a match is found, the module drops or otherwise disrupts the traffic with the crafted TCP RST packet. It similarly looks for and disrupts connections to Tencent services and PC-management endpoints.
Recognized Tencent-related domains:
dlied6.qq.com
pcmgr.qq.com
pc.qq.com
www.qq.com/q.cgi
Keywords used to match 360 Total Security-related domains:
360.cn
360safe
qihucdn
duba.net
mbdlog.iqiyi.com
User activity monitoring
DKnife inspects traffic to monitor and report user’s network activity to its remote C2 in real time. Observed telemetry categories include messaging (Signal and WeChat activities including voice/video calls, sent texts, received images, in-app article views), shopping, news consumption, map searches, video streaming, gaming, dating, taxi and rideshare requests, mail checking, and other user actions. Most of the activity reports are triggered by monitoring the request to service/platform domains or URLs. When reporting, the code sends a corresponding embedded message representing the reported activity. For example, Figure 18 shows the code to report Signal messaging activities. The message sent to remote C2 translates to “Using Signal encryption chat APP”.
Figure 18.Code for reporting Signal communication
The table below shows some of the observed telemetry categories and the embedded messages.
WeChat activities
微信打语音或视频电话 (WeChat voice or video calls)
微信发送一条文字消息 (WeChat send a text message)
微信发送或者接收图片 (WeChat send or receive picture)
微信打开公众号看文章 (WeChat checking official account and articles)
Using Signal
使用signal加密聊天APP (Use the Signal encrypted-chat app)
Shopping activity
查询**商品信息 (Query product information on **)
Query train-ticket information
查询火车票信息 (Query train-ticket information)
Searching on Maps
查看**地图 (View the map)
Reading News
****看新闻 (Read news)
DatingActivity
****打开时(When the dating app opens)
Email/platforms credential harvesting and phishing
DKnife can harvest credentials from a major Chinese email provider and host phishing pages for other services. For harvesting email credentials, the sslmm.bin component presents its own TLS certificate to clients, terminates and decrypts POP3/IMAP connections, and inspects the plaintext stream to extract usernames and passwords. Extracted credentials are tagged with "PASSWORD", forwarded to the postapi.bin component, and ultimately relayed to remote C2 servers.
Figure19.Code toforwardpassword.
DKnife can also serve phishing pages. The phishing routes are defined in url.cfg, and several phishing templates were discovered under /dkay-scripts/. All discovered pages submit harvested passwords to endpoints whose paths end with dklogin.html; however, no dklogin.html file was found in the local script directory.
Figure 20.Phishing page setup.
In addition to the capabilities described above, Talos observed DKnife functions that may target IoT devices. Talos is coordinating with the device vendor on mitigations.
The DKnife downloader
The ELF binary (17a2dd45f9f57161b4cc40924296c4deab65beea447efb46d3178a9e76815d06) we discovered from hunting is a downloader that downloads and performs initial setup for the DKnife framework. Upon execution, it attempts to load a configuration file from /dksoft/conf/server.conf to set up the C2 server. The server.conf file contains the C2 configuration in the format UPDATE URL=[config]. If the file does not exist, the binary defaults to the embedded C2 URL http://47.93.54[.]134:8005/.
After configuring the C2, the binary retrieves or generates a UUID for the host device based on the MAC addresses of its network interfaces and stores it in /etc/diankeuuid. The UUID follows the format YYYYMMDDhhmmss[MAC1][MAC2](e.g., 20240219165234000c295de649). The updater also stores a 32-character hexadecimal MD5 checksum in /dksoft/conf/<UUID>.ini, which is later used to verify updates from the C2 server.
The code establishes persistence by modifying the /etc/rc.local file, a script commonly used to execute commands and scripts after the system boots and initializes services. The updater adds its commands between markers #startdianke and #enddianke. It also copies the currently running executable into the /dksoft/update/ directory and appends a corresponding entry to /dksoft/update/[executable path] auto to ensure the binary runs automatically each time the system starts.
After creating the folders for DKnife deployment, the downloader fetches the DKnife archive from the C2 and launches every binary in /dksoft/bin/ using nohup [filepath] 2>/dev/null 1>/dev/null &. The folder contains seven binaries, each performing a distinct role within the DKnife framework.
DKnife’s seven components
The seven implants in DKnife serve the purpose of DPI engine, data reporting, reverse proxy for AitM attack, malicious APK download, framework update, traffic forwarding, and building P2P communication channel with the remote C2. A summary of the components and their roles are listed in the table below:
ELF Implant
Role
Description
dknife.bin
DPI & Attack Engine
The main engine ofDKnife.Includeslogic for deep packet inspection, user activities reporting, binary download hijacking, DNS hijacking,etc.
Reverse proxy server modulemodifiedfromHAProxy. TLS termination,email decryption, andURL rerouting.
mmdown.bin
Updater
Malicious Android APK downloader/updater. It connects to C2 to download the APKs used for the attack.
yitiji.bin
PacketsForwarder
Creates a bridged TAP interface on the router to host and route attacker-injected LAN traffic.
remote.bin
P2P VPN
Customized N2N (a P2P)VPN clientcomponentthat creates a communication channel to remote C2.
dkupdate.bin
Updater & Watchdog
Updater and Watchdog to keepthe components alive.
The graph below shows how the seven DKnife components work together.
Figure 21.Functions of sevenDKnifecomponents.
DKnife.bin
The dknife.bin implant is the main component that acts as the brain of DKnife. It is in charge of all the packet inspection and attack logics, as described in the Key Capabilities section. Upon execution, the implant does some initial setup for the framework. It reads the configuration file /dksoft/conf/wxha.conf to search for the sniffing interface (INPUT_ETH) and attacker interface (ATT_ETH). If the config file is not presented, the default interface for both are eth0. It also reads configuration files for attacking rules and remote C2.
Throughout the packet inspection process, dknife.bin reports information including collected data, user’s activities, attack status and average throughput to the relay component postapi.bin listening at the 7788 port on the device. The reporting packets are a 256-byte UDP datagram with a fixed seven bytes prefix DK7788. At offset 0x40 a label is attached, which represents types of the information (example types including DKIMSI for IMSI information, USERID for harvested user accounts, WECHAT for WeChat activities reporting, ATKRESULT for attack results, etc). Each type of reporting has the corresponding report value format. We listed some examples in the graph below.
Figure 22. Report UDP datagram send from dknife.bin to postapi.bin.Figure 23.Message reportingformat.
Postapi.bin
This is the data relay component in DKnife. It receives forwarded UDP dataframe from dknife.bin, processes, identifies, and labels the data and sends them to remote C2 servers. When receiving the UDP dataframe, it validates the DK7788 prefix and extracts device ID, MAC address, source and destination IPs and ports. It then exfiltrates more interesting data based on the rules defined in file ssluserid.conf. The file is a rulebook for defining the targeted services/platforms and the corresponding scrapping data. The rules define the following methods for scraping:
get_url: scrape a value from the URL of a GET request
get_cookie: scrape from Cookie header of a GET
post_url: scrape from the URL of a POST
post_cookie: scrape from Cookie header of a POST
post_content: scrape from the body of a POST
Each rule also defines which data fields to collect. These include device IDs, phone numbers, IMEIs/IMSIs, MACs, UUIDs, IPs, usernames, etc. DKnife targets dozens of popular Chinese-language mobile and web apps, some of which are only available to Chinese users. Figure below shows part of the rules in the configuration file
Figure 24.Rules inssluserid.conf.
Postapi.bin loads the configuration file server.conf to obtain the address of the remote C2 server used for data exfiltration. If the file is missing, it defaults to https://47.93.54[.]134:8003. The component uses libcurl to send different types of exfiltrated and reporting data via HTTP POST requests to specific API endpoints. The following table lists the reporting URLs and the corresponding data transmitted.
Default URL inthe binary
Data Transmitted
https://47.93.54[.]134:8003/protocol/tcp-data
Full HTTP or DNS records: URL, headers, optional body (Base-64); raw packetexcerpts
The posted data always include a dkimsi=<IMSI> at the end of the data, which is the IMSI or mobile identifier extracted from the packets if available. The binary set a default IMSI 460110672021628 in the code, which is an IMSI with a China Telecom carrier.
Sslmm.bin
This component acts as the reverse proxy server for the AitM attack and is implemented as a pre-configured, customized build of HAProxy. It loads its primary configuration from sslmm.cfg and performs request hijacking and replacement according to rules defined in url.cfg. Copies of hijacked traffic and execution results are encapsulated as UDP dataframes and sent to the postapi.bin component, similar to the behavior implemented in dknife.bin.
In addition to standard HAProxy proxying, sslmm.bin includes custom logic to inspect, log, exfiltrate, and conditionally rewrite client HTTP(S) requests after TLS termination. Content injection is primarily performed through HTTP request-line replacement, redirecting victims to attacker-controlled resources that are typically hosted under the /dkay-scripts/ directory. The resulting telemetry and artifacts are then relayed via postapi.bin to remote C2 infrastructure.
Operationally, the HAProxy configuration terminates TLS on HTTPS and mail-over-TLS ports (443, 993, 995) using a self-signed certificate stored at /dksoft/conf/server.pem, and proxies the decrypted traffic to the appropriate backends. A management/statistics interface is exposed on 0.0.0.0:10800 and protected only by static credentials. Requests matching the /dkay-scripts/ path are selectively downgraded to plain HTTP and routed to a local service at127.0.0.1:81, enabling response modification or injection before content is returned to the client.
This interception model depends on a key trust assumption: for the TLS MITM to be transparent, endpoints must accept the certificate chain presented by the gateway. One hypothesis is that the associated endpoint malware (given the broader DarkNimbus toolchain across Windows and Android) may be used to establish that trust or weaken certificate validation, enabling host-specific certificates to be presented during interception. However, we did not have the artifacts to confirm that such trust establishment or validation bypass is performed on victim devices.
Figure 25.Code for request line injection.Figure 26.Part ofHAProxyconfiguration.
Yitiji.bin
Yitiji.bin is a DKnife component that creates a bridged TAP interface on the router to host and route attacker-injected LAN traffic. It creates a virtual TAP interface named “yitiji”, using the IP address 10.3.3.3 and MAC address1E:17:8E:C6:56:40, and bridges that interface to the real network.
DKnife responds to binary download requests using URL points to the Yitiji interface (e.g., http://10.3.3.3:81/app/base.apk). When such a request is received, the dknife.bin component forwards the traffic to UDP port 555, where yitiji.bin is listening. The component then determines the appropriate link-layer encapsulation, reconstructs complete Ethernet/IP/TCP frames (primarily TCP and ICMP), corrects packet lengths and checksums, and injects them into the TAP interface. This causes the kernel to treat the forged traffic as legitimate LAN communication. Through this mechanism, DKnife can receive the binary download request and serve the payload via this interface. In the reverse direction, Yitiji captures packets leaving the TAP, restores their original VLAN/PPPoE/4G headers, recalculates IP and TCP checksums, and transmits them through the physical network interface specified in the configuration file/dksoft/conf/wxha.conf. It also fabricates ARP replies so other hosts treat the interface as a device in the LAN.
In this way, Yitiji creates a distinct LAN for delivering the malware. This approach facilitates the AitM attack for binary downloads in a stealthy way that avoids IP conflicts and detection.
Remote.bin
This component functions as an N2N peer-to-peer VPN client. When executed it creates a virtual network device named “edge0” and attaches it to a P2P overlay, automatically joining the hardcoded community dknife and registering with the embedded supernode. All traffic routed into edge0 is encapsulated and forwarded over UDP to overlay peers, and the binary also binds a management UDP port on 5644.
With this component, the gateway itself becomes reachable from the overlay and can serve as an egress point for data exfiltration. The implementation supports Twofish encryption if an N2N_KEY environment variable is supplied, but no such key was embedded in the analysed code or associated files.
Mmdown.bin
This binary is a simple Android APK malware downloader and update component in the DKnife framework. It communicates with a hardcoded C2 (http://47.93.54[.]134:8005) and periodically checks for an update manifest and then downloads whatever files the server specifies.
On startup it ensures a handful of local directories exist and generates or reads the UUID from file /etc/diankeuuid to uses it as the filename for the downloaded per-host manifest file <UUID>.mm. The “.mm” file is a list of URLs and MD5 pairs in the format of http://[URL]<TAB><16-byte MD5>. After downloading the manifest file, it parses the file and repeatedly attempts to download each URL over plain HTTP, verifies the downloaded file’s MD5, and on success copies the file into the local web content directory /dksoft/html/app/. When one or more files are successfully fetched it archives the manifest into /dksoft/conf/<UUID>.mm and updates internal MD5 bookkeeping so it doesn’t repeatedly download the same files.
Dkupdate.bin
This binary functions as a DKnife download, deploy, and update component similar to the downloader we initially discovered, but with additional capabilities. It retrieves an update archive update_bin.tar.gz from a C2 server (using a different embedded default URL: http://117.175.185[.]81:8003/), launches a separate binary called eth5to2.bin (not included in the downloaded archive, likely for traffic forwarding) and starts Nginx to run the web server to serve the hijacking components that manipulate HTTP/HTTPS responses.
Getting Network Devices Information
In both dknife.bin and postapi.bin components, DKnife tries to login to an interface which is likely for router management at 192.168.92.92:8080 via the following POST request to retrieve network users and PPPOE information. The POST request for login and getting device information both sent a password MD5 (which is the MD5 of q1w2e3r4) for authentication. If successful login, the server replies with a device serial number (SN) and number of users currently registered. If the number is not zero, the implant requests for the list of MAC and PPPoE ID mapping.
POST /login HTTP/1.1
Host: 192.168.92.92:8080
Content-Type: application/json
Content-Length: 38
{"passwdMD5":"c62d929e7b7e7b6165923a5dfc60cb56"}
POST /fe-device-info HTTP/1.1
Host: 192.168.92.92:8080
User-Agent: Mozilla/5.0
Cookie: feWebSession={"sessionId":**
Figure27.Code parsing the session ID response from management interface.
Conclusion
Routers and edge devices remain prime targets in sophisticated targeted attack campaigns. As threat actors intensify their efforts to compromise this infrastructure, understanding the tools and TTPs they employ is critical. The discovery of the DKnife framework highlights the advanced capabilities of modern AitM threats, which blend deep‑packet inspection, traffic manipulation, and customized malware delivery across a wide range of device types. Overall, the evidence suggests a well‑integrated and evolving toolchain of AitM frameworks and backdoors, underscoring the need for continuous visibility and monitoring of routers and edge infrastructure.
Appendix
Configuration Files
Config file
In Default Archive
Description
/dksoft/conf/wxha.conf
Yes
Config for the attack and sniff interface, output environment, QQ proxy host.
/dksoft/conf/rules.aes
/dksoft/conf/rules.conf
rulebook for HTTP(S) traffic hijacking.
/dksoft/conf/dns.conf
DNS hijacking mapping configuration.
/dksoft/conf/url.cfg
Yes
Configuration for traffic blocking, Android + Windows phishing,executable file (.exe) replacement, credential-stealer pages & scripts.
/dksoft/conf/server.conf
C2configuration
/dksoft/conf/adsl.conf
Configuration related to the ADSL related rules
/dksoft/conf/userid.conf
Configuration to define what user information to collect from the targeted traffic.
/dksoft/conf/appdns.conf
Configuration to map domain names to certain apps.
/dksoft/conf/browser.conf
Configuration to map user agents to browsers.
/dksoft/conf/perdns.conf
Yes
DNS hijacking mapping configuration for more specific arguments for control.
/dksoft/conf/target.conf
Configuration about targets. Operator’swatchlistof subscriber identifiers (MAC orPPPoE)
/dksoft/conf/target_mac.conf
Shadow file of target list.
/dksoft/conf/ssluserid.conf
Read bypostapi.bin, not in the archive bydefault.Trafficsniffing and data exfiltration playbook
/dksoft/conf/appname.conf
Configuration that lets the implantclassify traffic for apps and attach rich context before sending it to C2 or using it in hijack/redirect logic.
