“We found a link between DKnife and a campaign delivering WizardNet, a modular backdoor known to be delivered by a distinct AiTM framework, Spellbinder, suggesting a shared development or operational lineage,” the researchers said.
Talos said DKnife includes a traffic inspection module that actively interferes with antivirus and PC-management communications. The module identifies 360 Total Security traffic by inspecting specific HTTP headers, such as DPUname and x-360-ver, and by matching known service domains. When a match is detected, the framework disrupts the connection using crafted TCP reset packets.
Similar behaviour targeting Tencent services and other PC-management endpoints was also observed, indicating deliberate efforts to weaken security tooling. To strengthen detection, Talos shared a list of indicators of compromise (IoCs), including file hashes, network artifacts, and command-and-control (C2) infrastructure associated with DKnife. Additionally, the disclosure included a set of ClamAV signatures for detecting and blocking the threat.