Knife Cutting the Edge: Disclosing a China-Nexus Gateway-Monitoring AitM Framework

    Date: 02/09/2026

    Severity: High

    Summary

    Knife Cutting the Edge details DKnife, a China-nexus, Linux-based adversary-in-the-middle (AitM) gateway framework active since at least 2019 that compromises routers and edge devices to inspect and manipulate network traffic and deliver malware. The framework targets PCs, mobile, and IoT devices, hijacks software and Android update channels to deploy backdoors such as ShadowPad and DarkNimbus, primarily focuses on Chinese-speaking users, and shows operational links to campaigns delivering the WizardNet backdoor—indicating a shared tooling or development lineage.

    Indicators of Compromise (IOC) List


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://49.89.41.187:8002/protocol/virtual-id" or siteurl like "https://49.89.41.187:8002/protocol/virtual-id" or url like "https://49.89.41.187:8002/protocol/virtual-id" or domainname like "https://47.93.54.134:8003/protocol/target-info" or siteurl like "https://47.93.54.134:8003/protocol/target-info" or url like "https://47.93.54.134:8003/protocol/target-info" or domainname like "https://47.93.54.134:8003/protocol/internet-action" or siteurl like "https://47.93.54.134:8003/protocol/internet-action" or url like "https://47.93.54.134:8003/protocol/internet-action" or domainname like "http://47.93.54.134:8005/" or siteurl like "http://47.93.54.134:8005/" or url like "http://47.93.54.134:8005/" or domainname like "https://49.89.41.187:8002/protocol/tcp-data" or siteurl like "https://49.89.41.187:8002/protocol/tcp-data" or url like "https://49.89.41.187:8002/protocol/tcp-data" or domainname like "https://47.93.54.134:8003/protocol/virtual-id" or siteurl like "https://47.93.54.134:8003/protocol/virtual-id" or url like "https://47.93.54.134:8003/protocol/virtual-id" or domainname like "http://110.92.64.17/moo.cgi" or siteurl like "http://110.92.64.17/moo.cgi" or url like "http://110.92.64.17/moo.cgi" or domainname like "https://47.93.54.134:8003/" or siteurl like "https://47.93.54.134:8003/" or url like "https://47.93.54.134:8003/" or domainname like "https://47.93.54.134:8003/protocol/tcp-data" or siteurl like "https://47.93.54.134:8003/protocol/tcp-data" or url like "https://47.93.54.134:8003/protocol/tcp-data" or domainname like "http://47.238.107.83:81/app/minibrowser11_rpl.zip" or siteurl like "http://47.238.107.83:81/app/minibrowser11_rpl.zip" or url like "http://47.238.107.83:81/app/minibrowser11_rpl.zip" or domainname like "http://117.175.185.81:8003/" or siteurl like "http://117.175.185.81:8003/" or url like "http://117.175.185.81:8003/" or domainname like "https://47.93.54.134:8001/protocol/call-audio" or siteurl like 
"https://47.93.54.134:8001/protocol/call-audio" or url like "https://47.93.54.134:8001/protocol/call-audio" or domainname like "https://49.89.41.187:8002/" or siteurl like "https://49.89.41.187:8002/" or url like "https://49.89.41.187:8002/" or domainname like "https://47.93.54.134:8003/protocol/packet-up" or siteurl like "https://47.93.54.134:8003/protocol/packet-up" or url like "https://47.93.54.134:8003/protocol/packet-up" or domainname like "https://47.93.54.134:8003/protocol/user-account" or siteurl like "https://47.93.54.134:8003/protocol/user-account" or url like "https://47.93.54.134:8003/protocol/user-account" or domainname like "https://47.93.54.134:8003/protocol/application" or siteurl like "https://47.93.54.134:8003/protocol/application" or url like "https://47.93.54.134:8003/protocol/application" or domainname like "ad.scgawj.com" or siteurl like "ad.scgawj.com" or url like "ad.scgawj.com" or domainname like "https://47.93.54.134:8003/public/bind-ip" or siteurl like "https://47.93.54.134:8003/public/bind-ip" or url like "https://47.93.54.134:8003/public/bind-ip" or domainname like "https://47.93.54.134:8003/protocol/channel-trigger-log" or siteurl like "https://47.93.54.134:8003/protocol/channel-trigger-log" or url like "https://47.93.54.134:8003/protocol/channel-trigger-log" or domainname like "https://47.93.54.134:8003/protocol/attack-result" or siteurl like "https://47.93.54.134:8003/protocol/attack-result" or url like "https://47.93.54.134:8003/protocol/attack-result" or domainname like "https://49.89.41.187:8001/protocol/target-info" or siteurl like "https://49.89.41.187:8001/protocol/target-info" or url like "https://49.89.41.187:8001/protocol/target-info" or domainname like "http://49.89.41.187:8003/" or siteurl like "http://49.89.41.187:8003/" or url like "http://49.89.41.187:8003/" or domainname like "http://43.155.62.54:81/app/minibrowser11_rpl.zip" or siteurl like "http://43.155.62.54:81/app/minibrowser11_rpl.zip" or url like 
"http://43.155.62.54:81/app/minibrowser11_rpl.zip" or domainname like "http://43.132.205.118:81/app/minibrowser11_rpl.zip" or siteurl like "http://43.132.205.118:81/app/minibrowser11_rpl.zip" or url like "http://43.132.205.118:81/app/minibrowser11_rpl.zip" or domainname like "https://49.89.41.187:8002/protocol/application" or siteurl like "https://49.89.41.187:8002/protocol/application" or url like "https://49.89.41.187:8002/protocol/application"

    Detection Query 2:

    dstipaddress IN ("60.205.148.180","47.93.54.134","210.56.49.72","117.175.185.81","43.155.62.54","43.132.105.118","89.195.5.18","110.92.64.117","110.92.64.17","61.139.76.99","49.89.41.187","110.185.104.180") or srcipaddress IN ("60.205.148.180","47.93.54.134","210.56.49.72","117.175.185.81","43.155.62.54","43.132.105.118","89.195.5.18","110.92.64.117","110.92.64.17","61.139.76.99","49.89.41.187","110.185.104.180")

    Detection Query 3:

    sha256hash IN ("a0a8f441be5740e7ddb7fc5fcf5a4db7c7e743f68cbc85b2f5ed932d0817fc46","12afe49dfbe38657eb7eaae79f758be5906bc2c35bd160c5baf942bb142794f7","d39899b079132e3510ef2d3a21e298ce0776d796c87a0f488c482d60dbbfd626","aee2021cdff5536013368cf5ce14222823c5c0dd6d95074992f78a4ca9fae0be","17a2dd45f9f57161b4cc40924296c4deab65beea447efb46d3178a9e76815d06","f8d01dca76b9028611369b956d9d1a7f89729df01a6a86d46a9db9fdab1decca","21b995c9df5e54c2f4464c3caa9211dd1db2679add6239e0b5ee79136796a1c8","247b739f4098bb31bf1899ceb43144ff39a1473d2f696e595ce7cddfcc3ba816","58d00cc6552b53da178b121851391e74646d636b171ac7c5cbd9350bcfc02f57","1ea6667496eeb94755dafd75cd4755e0efb93c916e52921f66edc5c21c876a82","9d592198b73c45f08b76cdd6c45611a7bccf0f13975f02f2dde779590339e5d9","08f57ad20eabe6b1f294ff4ac3045a97ae872361944f4fb079964d3801dc7c4d","2ebb7ae49b47934e19413f0deaa8c46e1cf791c776c3ed2c15c3a69511455a02","233bdbfadebb532f2730bd965795302bfcd84cb0ccf788c039bac9632b46d957","290d267bf8da5c0e19c2d4480654ce5de18a54f01d87c7d2916df31e59883bf5","ce0530aae6283fa1f82926603eec1f349606d0325d1f6174273d6d5866982f0b","9ed358c8bd05081491f9e6d460dc3c3f4300e52689ea8e8a5b2971d805ff047a","b08e83b7467b0ad9d15cab33e21e3db0b5994d918b2c14ca93e6983bd1566085","5ab86388bab3c67f7fe741a1179c20a90acc638db79077a8be9cd89ea8069741","e35dde281d71e8519493322e5e720fb46f3d32083bdcb2593436c511e5b4b096","c0fbbdec744b46df7ea9ad638b016e1d6ef6554046eabfd75cbd17a9cbe4424b","c643190784b4b2ad06d1c909e59f4b6164c59128cb69eb20b948f5533a7d1ef7","40ac46a116b65f0450acc2673dc0d973b6df83b6f5260e4cba049f0fd008c9fb","5ffbb0996165efbf6797e21ac2dd3ac7370ba766ee7865855c94cda594ae55c0","77de39e67354557eed2b61f0bb39128fa67e92da98097f0de9251408c202f22f","17f4f2bda80a4d19c0477165336d5851de1978707286bc5e0f3cef9e7c843ea3","78a425fca23e709e2abe8ddf182f586b58b5ad5880f97d679b86db9322a304f6","F818c74cbf88bb2a8c79650fb2bdfa6e9a9bd38d58a3433e37756da7d981a130","2550aa4c4bc0a020ec4b16973df271b81118a7abea77f77fec2f575a32dc3444","43891d3898a54a132d198be47a44a8d4856201fa7a87f3f850432ba9e038893a","94116f358b8efb9b40834609564ae162ba246e40d822d510794ffdda96c85bc5","02479ed4eab50844cfb0ffa1fee61a4663e4c1713e5ef496f22e519e2de8b2da","2d47e2551fa4daaf5375699a86a06ecbc51943ecf097c4fbcc68a9de136f043a","9aeb63685404f3f7432aa349272b887dbe4ddba074fc6eb1ff76e8569fc37a08","3a024b3dea30e1f563a297343b9c1c80d22f1b2f6844091353b52f34b15498e5","7fd78d8a7f635c178b64683e19a7f5a284d1f7cf88a2195f854a21817279fd69","62368f963bfeeef063250198a314fd9bf541794cd86c097c19300765cb617ab9","67f28e05f120a28eab40f588abfce7bc7e76d2c7126f5bc93ab0feb74d9b12f5","E42bf15159b920cf21b016beadf23c6d96c5698107451f47fc25a324815c3810")
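    The three queries above express one matching policy: URL-bearing fields (domainname, siteurl, url) against the URL/domain list, either connection endpoint against the IP list, and sha256hash against the hash list. The following is an added Python example, not Gurucul's query engine and not code from the advisory, that applies the same policy to event records with those field names using a subset of the page's indicators; it normalises URL case and default ports and compares hashes case-insensitively, which matters because two hashes in Query 3 are listed with an uppercase leading character and would be missed by a case-sensitive comparison.

```python
from urllib.parse import urlsplit

# Indicators copied from this advisory's IOC list (a subset, for illustration);
# a real deployment would load the full list from the advisory.
IOC_URLS = {
    "ad.scgawj.com",
    "https://47.93.54.134:8003/protocol/tcp-data",
    "http://110.92.64.17/moo.cgi",
}
IOC_IPS = {"47.93.54.134", "49.89.41.187", "110.92.64.17"}
IOC_SHA256 = {
    "17a2dd45f9f57161b4cc40924296c4deab65beea447efb46d3178a9e76815d06",
    "F818c74cbf88bb2a8c79650fb2bdfa6e9a9bd38d58a3433e37756da7d981a130",  # listed with uppercase F
}
DEFAULT_PORT = {"http": 80, "https": 443}

def url_key(value):
    """Normalise a URL or bare hostname to (scheme, host, port, path) so that
    case, an explicit default port or a missing trailing slash cannot break a match."""
    if "://" not in value:
        return ("", value.strip().lower(), None, "")
    u = urlsplit(value.strip())
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORT.get(scheme), u.path or "/")

IOC_URL_KEYS = {url_key(v) for v in IOC_URLS}
IOC_HOSTS = {k[1] for k in IOC_URL_KEYS if k[0] == ""}  # bare domains match any URL on that host
IOC_HASHES = {h.lower() for h in IOC_SHA256}

def match_event(event):
    """Return which of the advisory's three queries an event record would trigger."""
    hits = []
    # Query 1: any of the three URL-bearing fields against the URL/domain list
    for field in ("domainname", "siteurl", "url"):
        value = event.get(field)
        if value:
            key = url_key(value)
            if key in IOC_URL_KEYS or key[1] in IOC_HOSTS:
                hits.append("query1")
                break
    # Query 2: either endpoint of the connection in the IP list
    if event.get("dstipaddress") in IOC_IPS or event.get("srcipaddress") in IOC_IPS:
        hits.append("query2")
    # Query 3: SHA-256 compared case-insensitively
    digest = event.get("sha256hash")
    if digest and digest.lower() in IOC_HASHES:
        hits.append("query3")
    return hits
```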

    Reference:

    https://blog.talosintelligence.com/knife-cutting-the-edge/


    Tags: Malware, Threat Actor, APT, China-Nexus, China, AiTM, ShadowPad, DarkNimbus, Backdoor
