Signal

Reports flag state-aligned espionage tooling aimed at routers and critical networks


Published 2026-02-05 19:21 UTC
Updated 2026-02-06 14:56 UTC
Tags: threat_actors, espionage, malware, rootkit, network_infrastructure, routers
Evidence trail (top sources)
Top sources (2 domains). Domains are deduped. Counts indicate coverage, not truth.
2 top sources shown
limited source diversity in top sources
Overview

Two separate reports point to state-aligned espionage activity focused on network infrastructure: one describes a China-linked adversary-in-the-middle framework targeting routers and edge devices, while another describes an Asia-based state-aligned group compromising government and critical infrastructure networks across dozens of countries, including use of a new Linux kernel rootkit.

Entities
DKnife
Score total: 0.96
Momentum 24h: 2
Posts: 2
Origins: 2
Source types: 1
Duplicate ratio: 0%
Why now
  • Researchers have newly disclosed the DKnife framework and its router/edge focus
  • A separate report describes an ongoing campaign spanning 37 countries
  • Both stories emphasize Linux-based tooling in espionage operations
Why it matters
  • Router/edge-device compromise can enable traffic manipulation and downstream malware delivery
  • Linux-focused implants/rootkits can be hard to detect in network and server environments
  • Broad targeting of government and critical infrastructure raises systemic risk
LLM analysis
Topic mix: low
Promo risk: low
Source quality: medium
Recurring claims
  • China-linked threat actors have operated the DKnife adversary-in-the-middle framework since at least 2019, using Linux-based implants to inspect and manipulate traffic via routers/edge devices.
  • An Asia-based state-aligned cyber group compromised government and critical infrastructure organizations across 37 countries in an ongoing espionage campaign, using a toolkit that includes a new Linux kernel rootkit.
How sources frame it
  • The Hacker News: neutral
  • The Register Security: neutral
All evidence
China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery
The Hacker News · thehackernews.com · 2026-02-06 14:56 UTC
Asia-based government spies quietly broke into critical networks across 37 countries
The Register Security · go.theregister.com · 2026-02-05 19:21 UTC
Top publishers (this list)
  • The Hacker News (1)
  • The Register Security (1)
Top origin domains (this list)
  • thehackernews.com (1)
  • go.theregister.com (1)