TeamPCP Worm Exploits Cloud Infrastructure to Build Criminal Infrastructure
A massive, worm-driven campaign attributed to the TeamPCP threat cluster (also tracked as DeadCatx3, PCPcat, PersyPCP, and ShellForce) has been systematically targeting cloud-native environments since at least November 2025, with significant activity observed around December 25, 2025. The operation aims to build a distributed proxy and scanning infrastructure from compromised servers, which is then used for data exfiltration, ransomware deployment, extortion, and cryptocurrency mining. TeamPCP gains entry through misconfigured Docker APIs, Kubernetes clusters, Ray dashboards, and Redis servers, as well as through vulnerabilities such as React2Shell (CVE-2025-55182) and the authorization bypass flaw (CVE-2025-29927). The group employs several payloads: `proxy.sh` installs proxy and tunneling utilities and carries Kubernetes-specific logic; `scanner.py` identifies misconfigured Docker APIs and Ray dashboards and deploys cryptocurrency miners; `kube.py` harvests Kubernetes credentials and deploys a persistent backdoor; `react.py` achieves remote code execution via the React flaw; and `pcpcat.py` automates the deployment of malicious containers. The C2 server 67.217.57[.]240 has been linked to the Sliver framework. The attacks primarily hit Amazon Web Services (AWS) and Microsoft Azure but are opportunistic: they go after whatever infrastructure feeds the group's criminal ecosystem rather than specific industries, so affected organizations are collateral victims. The danger of TeamPCP lies in its operational integration and scale, combining infrastructure exploitation with data theft and extortion to produce multiple revenue streams.
Severity: Critical
Threat Details and IOCs
| Field | Value |
|---|---|
| Malware | PCPcat, Sliver, Splinter |
| CVEs | CVE-2025-29927, CVE-2025-55182 |
| Technologies | Amazon Web Services, Anyscale Ray, Docker, Kubernetes, Linux, Meta React, Microsoft Azure, Redis, Vercel Next.js |
| Threat Actors | DeadCatx3, PCPcat, PersyPCP, ShellForce, TeamPCP |
| Attacker IPs | 44.252.85.168, 67.217.57.240 |
| Attacker Domains | masscan.cloud |
| Attacker URLs | http://44.252.85.168:666/files/BORING_SYSTEM, http://44.252.85.168:666/files/kube.py, http://44.252.85.168:666/files/proxy.sh, http://44.252.85.168:666/files/react.py, http://44.252.85.168:666/files/redis-deploy.py, http://44.252.85.168:666/files/teampcp.py, http://67.217.57.240:666/files/proxy.sh, https://masscan.cloud, https://t.me/Persy_PCP, https://t.me/teampcp |
| Victim Industries | E-commerce, Financial Services, Human Resources |
| Victim Countries | Canada, Serbia, South Korea, United Arab Emirates, United States, Vietnam |
Mitigation Advice
- Add the IP address 67.217.57.240 to your network firewall, proxy, and EDR blocklists to prevent communication with the TeamPCP command and control server.
- Immediately patch all React and Next.js applications vulnerable to React2Shell (CVE-2025-55182).
- Immediately patch all React applications vulnerable to the authorization bypass flaw (CVE-2025-29927).
- Use external network scanning tools to identify and inventory any Docker APIs exposed to the public internet.
- Use external network scanning tools to identify and inventory any Kubernetes API servers or dashboards exposed to the public internet.
- Use external network scanning tools to identify and inventory any Ray dashboards exposed to the public internet.
- Use external network scanning tools to identify and inventory any Redis servers exposed to the public internet.
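The four inventory items above boil down to one question per host: does a service TeamPCP is known to abuse answer without authentication? The following script is an added example (not code from the advisory or from any vendor) that classifies hosts from your own asset list. It assumes the upstream default ports (2375 for the plaintext Docker Engine API, 8265 for the Ray dashboard, 6379 for Redis), that an unauthenticated Docker API returns JSON with an `ApiVersion` key on `GET /version`, that a Ray dashboard returns JSON with a `ray_version` key on `GET /api/version`, and that Redis answers `PING` with `+PONG` when no password is set and `-NOAUTH` when one is. The probes are injectable so the classification logic can be exercised offline against constructed responses.

```python
"""Exposure inventory for the services TeamPCP is reported to abuse when they
are reachable from the internet: Docker Engine API, Ray dashboard, Redis.
Added example, not code from the advisory or from any vendor.

Assumptions: upstream default ports; Docker /version returns JSON containing
"ApiVersion"; Ray dashboard /api/version returns JSON containing "ray_version";
Redis replies +PONG (no password) or -NOAUTH (password set) to PING.
"""
import http.client
import json
import socket
from typing import Callable, Dict, Iterable, List, Optional

DOCKER_API_PORT = 2375
RAY_DASHBOARD_PORT = 8265
REDIS_PORT = 6379

HttpProbe = Callable[[str, int, str], Optional[str]]
RedisProbe = Callable[[str, int], Optional[str]]


def http_get(host: str, port: int, path: str, timeout: float = 3.0) -> Optional[str]:
    """Plain HTTP GET; returns the body on HTTP 200, None if the port is closed
    or the service refuses the request (refusal is the healthy outcome here)."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        conn.close()
        return body if resp.status == 200 else None
    except (OSError, http.client.HTTPException):
        return None


def redis_ping(host: str, port: int, timeout: float = 3.0) -> Optional[str]:
    """Send a RESP-encoded PING and return the first reply line, or None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"*1\r\n$4\r\nPING\r\n")
            return sock.recv(128).decode("ascii", errors="replace").strip()
    except OSError:
        return None


def _json_has_key(body: Optional[str], key: str) -> bool:
    """True only if the body is a JSON object carrying the expected key."""
    if not body:
        return False
    try:
        parsed = json.loads(body)
    except ValueError:
        return False
    return isinstance(parsed, dict) and key in parsed


def classify_host(host: str, http_probe: HttpProbe = http_get,
                  redis_probe: RedisProbe = redis_ping) -> List[str]:
    """Return the exposures found on one host (empty list means nothing exposed)."""
    findings: List[str] = []
    if _json_has_key(http_probe(host, DOCKER_API_PORT, "/version"), "ApiVersion"):
        findings.append("docker-api-unauthenticated")
    if _json_has_key(http_probe(host, RAY_DASHBOARD_PORT, "/api/version"), "ray_version"):
        findings.append("ray-dashboard-unauthenticated")
    reply = redis_probe(host, REDIS_PORT)
    if reply is not None:
        if reply.startswith("+PONG"):
            findings.append("redis-unauthenticated")
        elif reply.startswith("-NOAUTH"):
            findings.append("redis-reachable-auth-required")
        else:
            findings.append("redis-reachable-unexpected-reply")
    return findings


def inventory(hosts: Iterable[str], http_probe: HttpProbe = http_get,
              redis_probe: RedisProbe = redis_ping) -> Dict[str, List[str]]:
    """Classify every host and keep only those with at least one finding."""
    results = {h: classify_host(h, http_probe, redis_probe) for h in hosts}
    return {h: f for h, f in results.items() if f}


if __name__ == "__main__":
    # Constructed canned responses so the script demonstrates itself offline.
    def canned_http(host, port, path):
        table = {("192.0.2.10", 2375, "/version"): '{"ApiVersion": "1.45", "Version": "26.1.0"}',
                 ("192.0.2.11", 8265, "/api/version"): '{"ray_version": "2.9.0", "version": "1"}'}
        return table.get((host, port, path))

    def canned_redis(host, port):
        return {"192.0.2.10": "+PONG", "192.0.2.12": "-NOAUTH Authentication required."}.get(host)

    hosts = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]
    for host, findings in inventory(hosts, canned_http, canned_redis).items():
        print(host, ", ".join(findings))
```

Run it against your own address space only, from a host that is allowed to reach those ports; a `redis-reachable-auth-required` result still means the port is reachable and should be firewalled, even though the password check passed.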
Compliance Best Practices
- Enforce a security baseline for all Docker deployments that requires authentication, uses TLS for the API endpoint, and avoids exposing the API to the internet.
- Implement and enforce strict Role-Based Access Control (RBAC) policies in Kubernetes, disable anonymous access, and use network policies to segment pods and namespaces.
- Establish a security policy for all Redis deployments that requires strong authentication and restricts network access to only trusted internal clients.
- Evaluate and deploy a Cloud Security Posture Management (CSPM) tool to continuously monitor AWS and Azure environments for misconfigurations like publicly exposed APIs, dashboards, and servers.
- Deploy a container runtime security tool to monitor for anomalous behavior within containers, such as the execution of unexpected processes, network scanners, or outbound connections.
- Implement a default-deny egress filtering policy on firewalls and cloud security groups to block all outbound traffic except for explicitly approved protocols and destinations.
- Mature the vulnerability management program to prioritize patching based on evidence of active exploitation and asset exposure, especially for internet-facing cloud services.
BeyondTrust Fixes Critical Pre-Auth RCE Vulnerability in Remote Support and PRA
A critical pre-authentication remote code execution (RCE) vulnerability, identified as CVE-2026-1731 with a CVSS score of 9.9, has been addressed in BeyondTrust Remote Support (RS) and Privileged Remote Access (PRA). This operating system command injection flaw allows an unauthenticated remote attacker to execute arbitrary commands in the context of the site user by sending specially crafted requests, potentially leading to unauthorized access, data exfiltration, and service disruption. The vulnerability affects Remote Support versions 25.3.1 and prior and Privileged Remote Access versions 24.3.4 and prior. Patches are available for Remote Support (patch BT26-02-RS; fixed in version 25.3.2 and later) and for Privileged Remote Access (patch BT26-02-PRA; fixed in version 25.1.1 and later). Self-hosted customers not on automatic updates are advised to apply these patches manually, and those on older versions (RS older than 21.3 or PRA older than 22.1) must first upgrade to a newer base version before the patch can be applied. The flaw was discovered by security researcher Harsh Jaiswal on January 31, 2026, via AI-enabled variant analysis. Approximately 11,000 instances were found exposed to the internet, about 8,500 of them on-prem deployments that remain vulnerable until patched. Given past active exploitation of similar flaws, immediate updates are crucial.
Severity: Critical
Threat Details and IOCs
| Field | Value |
|---|---|
| CVEs | CVE-2026-1731 |
| Technologies | BeyondTrust Privileged Access Management, BeyondTrust Remote Support |
| Threat Actors | FlaxTyphoon, Hafnium, SaltTyphoon, SilkTyphoon, VoltTyphoon |
| Attacker Countries | China, Iran, Russia |
| Attacker Emails | hello@hacktron.ai |
| Attacker Domains | hacktron.ai |
| Victim Industries | Critical Manufacturing, Education, Financial Services, Government, Healthcare, Information Technology, Manufacturing, Multimedia, Utilities |
| Victim Countries | United States |
Mitigation Advice
- Immediately identify all BeyondTrust Remote Support and Privileged Remote Access instances on the network to determine if they are running vulnerable versions.
- For all identified BeyondTrust Remote Support instances, apply patch BT26-02-RS or upgrade to version 25.3.2 or later to remediate CVE-2026-1731.
- For all identified BeyondTrust Privileged Remote Access instances, apply patch BT26-02-PRA or upgrade to version 25.1.1 or later to remediate CVE-2026-1731.
- Review network and appliance logs for any anomalous or malformed requests to BeyondTrust appliances from untrusted IP addresses, which could indicate exploitation attempts of CVE-2026-1731.
- If running BeyondTrust Remote Support older than version 21.3 or Privileged Remote Access older than 22.1, prioritize upgrading to a supported version so the security patch for CVE-2026-1731 can be applied.
Compliance Best Practices
- Review and re-architect network access to all management appliances, including BeyondTrust, to ensure they are not exposed to the public internet. If external access is required, enforce it through a VPN or Zero Trust Network Access (ZTNA) solution.
- Implement a formal patch management policy that mandates enabling automatic updates for vendor appliances where available and establishes a regular cadence for reviewing and manually patching systems that do not support it.
- Implement or enhance an automated asset management program to maintain a continuous, real-time inventory of all software and hardware assets and their versions.
- Integrate logs from critical infrastructure appliances like BeyondTrust into a centralized Security Information and Event Management (SIEM) system to enable continuous monitoring and automated alerting for suspicious behavior.
https://cyberpress.org/beyondtrust-0-day-vulnerability/
https://gbhackers.com/beyondtrust-remote-access-0-day-rce/
https://thehackernews.com/2026/02/beyondtrust-fixes-critical-pre-auth-rce.html
https://www.cyberkendra.com/2026/02/ai-discovers-critical-zero-click-flaw.html
https://www.helpnetsecurity.com/2026/02/09/beyondtrust-remote-access-vulnerability-cve-2026-1731/
https://www.hendryadrian.com/beyondtrust-warns-of-critical-rce-flaw-in-remote-support-software/
CVE-2026-1868: Critical GitLab Gateway Flaw (CVSS 9.9) Allows RCE
A critical vulnerability, identified as CVE-2026-1868 with a CVSS score of 9.9, affects self-hosted versions of the GitLab AI Gateway. The flaw, an "Insecure Template expansion issue" within the Duo Workflow Service, allows an authenticated attacker to achieve remote code execution or cause a denial of service by submitting crafted Duo Agent Platform Flow definitions. It was discovered internally by a GitLab team member. Affected versions are GitLab AI Gateway releases starting from 18.1.6, 18.2.6, and 18.3.1 that are older than the fixed releases. An immediate upgrade to patched versions 18.6.2, 18.7.1, or 18.8.1 is strongly recommended for all Self-Managed customers with GitLab Duo Self-Hosted installations.
Severity: Critical
Threat Details and IOCs
| Field | Value |
|---|---|
| CVEs | CVE-2026-1868 |
| Technologies | GitLab |
| Victim Industries | Automotive, Financial Services, Healthcare, Information Technology, Public Sector |
Mitigation Advice
- Immediately upgrade all self-hosted GitLab AI Gateway instances to a patched version: 18.6.2, 18.7.1, or 18.8.1.
- Conduct an immediate inventory of all GitLab instances to identify any self-hosted AI Gateway deployments and confirm their current version numbers.
- Review GitLab and server logs for unusual or suspicious activity related to the Duo Workflow Service, especially from authenticated user accounts.
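Both the BeyondTrust advisory (CVE-2026-1731) and the GitLab advisory (CVE-2026-1868) above ask for the same first step: compare each discovered instance's version against the affected and fixed releases. The following script is an added example (not vendor code from BeyondTrust or GitLab) that encodes the thresholds exactly as stated above. One interpretation is an assumption made here: GitLab's "starting from 18.1.6, 18.2.6, and 18.3.1 ... older than the fixed releases" is read as per-minor-branch ranges, with the 18.4 and 18.5 branches affected from their first release and anything above 18.8 treated as fixed. For BeyondTrust, versions between the last listed affected release and the first fixed release (for example PRA 24.3.5 through 25.1.0) are neither listed as affected nor as fixed, so the script reports them as unlisted rather than guessing.

```python
"""Version triage for CVE-2026-1731 (BeyondTrust RS / PRA) and CVE-2026-1868
(GitLab AI Gateway). Added example, not vendor code; thresholds are the ones
stated in the two advisories, the per-branch reading of GitLab's affected
range is an assumption.
"""
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'25.3.1' -> (25, 3, 1). Tuples compare lexicographically, which matches
    how both vendors order their releases."""
    return tuple(int(part) for part in text.strip().split("."))


# BeyondTrust: (oldest base version that can take the patch,
#               first fixed version, last version listed as affected)
BEYONDTRUST_RULES: Dict[str, Tuple[Version, Version, Version]] = {
    "RS":  ((21, 3), (25, 3, 2), (25, 3, 1)),
    "PRA": ((22, 1), (25, 1, 1), (24, 3, 4)),
}


def beyondtrust_status(product: str, version: str) -> str:
    """product is 'RS' or 'PRA'; returns an action label for the instance."""
    base_floor, first_fixed, last_affected = BEYONDTRUST_RULES[product]
    v = parse_version(version)
    if v >= first_fixed:
        return "patched"
    if v < base_floor:
        return "upgrade-base-version-then-patch"
    if v <= last_affected:
        return "vulnerable-apply-patch"
    # The advisory lists this release neither as affected nor as fixed.
    return "unlisted-confirm-with-vendor"


# GitLab AI Gateway, 18.x branches only. First affected patch level per branch
# (assumption: branches not listed are affected from .0) and fixed patch level
# per branch as given in the advisory.
GITLAB_FIRST_AFFECTED: Dict[Tuple[int, int], int] = {(18, 1): 6, (18, 2): 6, (18, 3): 1}
GITLAB_FIXED_PATCH: Dict[Tuple[int, int], int] = {(18, 6): 2, (18, 7): 1, (18, 8): 1}


def gitlab_ai_gateway_status(version: str) -> str:
    major, minor, patch = (parse_version(version) + (0, 0, 0))[:3]
    branch = (major, minor)
    if branch < (18, 1):
        return "not-in-affected-range"
    if branch > (18, 8):
        return "patched"
    if branch in GITLAB_FIXED_PATCH:
        return "patched" if patch >= GITLAB_FIXED_PATCH[branch] else "vulnerable-upgrade"
    first = GITLAB_FIRST_AFFECTED.get(branch, 0)
    return "vulnerable-upgrade" if patch >= first else "not-in-affected-range"


def triage(assets: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """assets: (hostname, product, version) with product in RS / PRA / GITLAB-AIGW.
    Returns (hostname, status) for every asset that still needs action."""
    out = []
    for host, product, version in assets:
        if product == "GITLAB-AIGW":
            status = gitlab_ai_gateway_status(version)
        else:
            status = beyondtrust_status(product, version)
        if status not in ("patched", "not-in-affected-range"):
            out.append((host, status))
    return out


if __name__ == "__main__":
    # Constructed inventory for demonstration.
    sample = [("rs-appliance-1", "RS", "25.3.1"), ("rs-appliance-2", "RS", "20.4.2"),
              ("pra-appliance-1", "PRA", "24.3.5"), ("ai-gw-1", "GITLAB-AIGW", "18.6.1"),
              ("ai-gw-2", "GITLAB-AIGW", "18.8.1")]
    for host, status in triage(sample):
        print(f"{host}: {status}")
```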
Compliance Best Practices
- Evaluate migrating from self-hosted GitLab AI Gateway to a GitLab-managed cloud offering to reduce the administrative burden of security patching.
- Implement and enforce a quarterly user access review process for GitLab to ensure all accounts have the minimum necessary privileges.
- Implement network segmentation to isolate the GitLab AI Gateway server, restricting its network access to only essential systems and services.
- Develop and deploy custom detection rules in your SIEM or EDR solution to monitor for anomalous process execution or network connections originating from GitLab AI Gateway servers.
Cybercriminals Use Firebase Developer Accounts to Distribute Phishing Emails
Cybercriminals are exploiting legitimate Google Firebase developer accounts to launch phishing campaigns, leveraging the platform's free tier to host malicious content and send fraudulent emails. These emails originate from subdomains of `firebaseapp.com`, which carry a high domain reputation because of their association with Google's infrastructure, allowing them to bypass traditional spam filters and land directly in victims' inboxes. The attacks employ psychological tactics, including scare tactics (e.g., urgent alerts about "fraudulent account use") and high-value lures (e.g., promises of free items), to trick users into clicking malicious links and divulging sensitive information. Indicators of compromise include sender addresses with random alphanumeric strings preceding `firebaseapp.com` (e.g., `noreply@pr01-1f199.firebaseapp[.]com`) and redirect chains involving URLs such as `hxxps[:]//rebrand[.]ly/auj0ngh`. Because this is a "living off the land" technique, security teams need to monitor traffic from `firebaseapp.com` subdomains that do not align with known business applications, and users must remain vigilant against unsolicited emails demanding urgent action, even when the sender appears legitimate.
Severity: Critical
Threat Details and IOCs
| Field | Value |
|---|---|
| Technologies | Google Firebase |
| Attacker Emails | email protected.com, noreply@pr01-1f199.firebaseapp.com, noreply@pro04-4a08a.firebaseapp.com, noreply@zamkksdjauys.firebaseapp.com |
| Attacker Domains | clouud.thebatata.org, firebaseapp.com, pr01-1f199.firebaseapp.com, pro04-4a08a.firebaseapp.com, rebrand.ly, www.servercrowdmanage.com, zamkksdjauys.firebaseapp.com |
| Attacker URLs | hxxp://clouud.thebatata.org/click.php?, hxxps://rebrand.ly/auj0ngh, hxxps://www.servercrowdmanage.com/5N98X9F/21NRJNSZ/ |
| Victim Industries | Energy, Financial Services, Insurance, Investment, Retail |
| Victim Countries | Afghanistan, Armenia, Australia, Austria, Azerbaijan, Bahrain, Bangladesh, Belgium, Bhutan, Brunei, Bulgaria, Cambodia, Canada, China, Croatia, Cyprus, Czech Republic, Denmark, Egypt, Estonia, Finland, France, Georgia, Germany, Greece, Hungary, India, Indonesia, Iran, Iraq, Ireland, Israel, Italy, Japan, Jordan, Kazakhstan, Kuwait, Kyrgyzstan, Laos, Latvia, Lebanon, Lithuania, Luxembourg, Malaysia, Maldives, Malta, Mongolia, Myanmar, Nepal, Netherlands, New Zealand, North Korea, Oman, Pakistan, Papua New Guinea, Philippines, Poland, Portugal, Qatar, Romania, Saudi Arabia, Singapore, Slovakia, Slovenia, South Korea, Spain, Sri Lanka, Sweden, Syria, Tajikistan, Thailand, Timor-Leste, Turkey, Turkmenistan, United Arab Emirates, United States, Uzbekistan, Vietnam, Yemen |
Mitigation Advice
- In your email security gateway, create a rule to block or quarantine emails where the sender domain matches `*.firebaseapp.com` and does not correspond to a known, legitimate business service.
- Add the domains `rebrand.ly`, `clouud.thebatata.org`, and `www.servercrowdmanage.com` to your web proxy, DNS filter, and firewall blocklists.
- Create a detection rule in your SIEM to alert security personnel on all new or unapproved network connections to domains ending in `firebaseapp.com`.
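The gateway rule and the SIEM alert above both reduce to the same logic: a `*.firebaseapp.com` sender is only acceptable when its Firebase project id is one the business actually uses, and a link through the shortener named in the IOC list is a further signal. The following script is an added example (not code from the original report) that applies that logic to mail-gateway log lines. The log format, the `APPROVED_FIREBASE_PROJECTS` allowlist, and the sample lines are constructed; the defanged URL in the sample is the one quoted above.

```python
"""Mail-log triage for the Firebase-abuse pattern: unapproved *.firebaseapp.com
senders and links through the advisory's URL shortener. Added example; the log
format, allowlist and sample lines are constructed.
"""
import re
from typing import Dict, Iterable, List

FIREBASE_SENDER = re.compile(r"^[^@\s]+@([a-z0-9-]+)\.firebaseapp\.com$", re.IGNORECASE)
URL_HOST = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)
# Constructed log format: '<ts> from=<addr> subject="..." urls=<comma-separated or empty>'
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<sender>[^>]+)> subject="(?P<subject>[^"]*)" urls=(?P<urls>\S*)$')

# Constructed allowlist: Firebase project ids that legitimately mail our users.
APPROVED_FIREBASE_PROJECTS = {"acme-customer-portal"}
# Redirector host taken from the advisory's IOC list.
REDIRECTOR_HOSTS = {"rebrand.ly"}


def refang(url: str) -> str:
    """hxxps[:]//rebrand[.]ly/x -> https://rebrand.ly/x so host matching also works on defanged IOCs."""
    return url.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


def triage_line(line: str) -> Dict[str, object]:
    """Parse one log line and return a verdict with the reasons it was flagged."""
    m = LOG_LINE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    reasons: List[str] = []
    sender = m.group("sender")
    fb = FIREBASE_SENDER.match(sender)
    if fb and fb.group(1).lower() not in APPROVED_FIREBASE_PROJECTS:
        reasons.append(f"unapproved firebase project {fb.group(1).lower()}")
    for url in filter(None, m.group("urls").split(",")):
        host_m = URL_HOST.match(refang(url))
        if host_m and host_m.group(1).lower() in REDIRECTOR_HOSTS:
            reasons.append(f"url via redirector {host_m.group(1).lower()}")
    return {"timestamp": m.group("ts"), "sender": sender,
            "suspicious": bool(reasons), "reasons": reasons}


def triage(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return only the verdicts that should reach an analyst."""
    return [v for v in (triage_line(line) for line in lines) if v["suspicious"]]


# Constructed sample log: one phishing-style message, one legitimate Firebase
# project, one unrelated sender.
SAMPLE_LOG = [
    '2026-02-09T08:12:31Z from=<noreply@pr01-1f199.firebaseapp.com> '
    'subject="Fraudulent account use detected" urls=hxxps[:]//rebrand[.]ly/auj0ngh',
    '2026-02-09T08:15:02Z from=<noreply@acme-customer-portal.firebaseapp.com> '
    'subject="Your weekly statement" urls=https://portal.example.com/statements',
    '2026-02-09T08:20:45Z from=<news@vendor.example.org> subject="February newsletter" urls=',
]

if __name__ == "__main__":
    for verdict in triage(SAMPLE_LOG):
        print(verdict["timestamp"], verdict["sender"], "; ".join(verdict["reasons"]))
```

The allowlist is the important part: blocking `firebaseapp.com` outright would also block the legitimate project, so the rule has to be written as "deny unless approved" rather than as a domain block.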
Compliance Best Practices
- Implement a recurring security awareness training program that specifically educates employees on identifying phishing attempts that abuse trusted cloud services, using the tactics described in the article as examples.
- Evaluate and implement an advanced email security solution with features like URL sandboxing and dynamic analysis to inspect links and content from trusted sources like Google Firebase.
- Develop and enforce a formal policy for the use of third-party cloud services, maintaining an explicit allowlist of sanctioned applications and services to better detect anomalous traffic.
China-Linked DKnife AitM Framework Targets Routers for Traffic Hijacking, Malware Delivery
China-nexus threat actors have operated the DKnife gateway-monitoring and adversary-in-the-middle (AitM) framework since at least 2019, using seven Linux-based implants to perform deep packet inspection, traffic manipulation, and malware delivery through routers and edge devices. The framework, discovered during monitoring of the Earth Minotaur threat cluster, primarily targets Chinese-speaking users, as evidenced by credential-harvesting phishing pages for Chinese email services, exfiltration modules for WeChat, and code references to Chinese media domains; infrastructure links to the TheWizards group, however, suggest broader targeting across Asia and the Middle East. DKnife's modular architecture includes `dknife.bin` for deep packet inspection and hijacking, `postapi.bin` for data reporting, `sslmm.bin` for TLS termination and credential harvesting from POP3/IMAP connections, `mmdown.bin` for APK downloads, `yitiji.bin` for packet forwarding, `remote.bin` for P2P VPN communication, and `dkupdate.bin` for component updates and watchdog functions. The framework delivers the ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android application updates, performs DNS-based hijacking for domains such as JD.com, and interferes with antivirus and PC-management products while monitoring user activity in real time.
Severity: Critical
Threat Details and IOCs
| Field | Value |
|---|---|
| Malware | DarkNights, DarkNimbus, DKnife, ForcefulSentry, PhantomDawn, PlugX, ScatterBee, ShadowPad, SslMM, WizardNet |
| CVEs | CVE-2020-6418, CVE-2021-26855, CVE-2023-3420, CVE-2024-51324, CVE-2025-59287 |
| Technologies | Apple iOS, Google Android, Linux, Microsoft Windows, Qihoo 360, Tencent PC Manager, Toshiba Bluetooth Stack for Windows |
| Threat Actors | APT17, APT23, APT41, Barium, BronzeAtlas, BronzeHuntley, BronzeUniversity, CactusPete, DaggerPanda, DarkAngels, DeputyDog, EarthAkhlut, EarthBaku, EarthFreybug, EarthLongzhi, Earth Lusca, EarthLusca, EarthMinotaur, KarmaPanda, KeyBoy, Naikon, PiratePanda, PoisonCarp, Spellbinder, TheWizards, Tonto Team, TontoTeam, TropicTrooper, Webworm, WetPanda, WickedPanda, Winnti, WizardSpider |
| Attacker Countries | China |
| Attacker IPs | 110.185.104.180, 110.92.64.117, 110.92.64.17, 117.175.185.81, 210.56.49.72, 240e:a03:a03:303:a03:303:a03:303, 43.132.105.118, 43.132.205.118, 43.155.62.54, 47.238.107.83, 47.93.54.134, 49.89.41.187, 60.205.148.180, 61.139.76.99, 89.195.5.18 |
| Attacker Domains | ad.scgawj.com, cybaq.chtq.net, dscriy.chtq.net, fanyi.baidu.com |
| Attacker URLs | http://10.3.3.3:81/app/base.apk, http://110.92.64.17/moo.cgi, http://117.175.185.81:8003/, http://43.132.205.118:81/app/minibrowser11_rpl.zip, http://43.155.62.54:81/app/minibrowser11_rpl.zip, http://47.238.107.83:81/app/minibrowser11_rpl.zip, http://47.93.54.134:8005, http://47.93.54.134:8005/, http://49.89.41.187:8003/, http://fanyi.baidu.com/query_config_dk, https://47.93.54.134:8001/protocol/call-audio, https://47.93.54.134:8003, https://47.93.54.134:8003/, https://47.93.54.134:8003/protocol/application, https://47.93.54.134:8003/protocol/attack-result, https://47.93.54.134:8003/protocol/channel-trigger-log, https://47.93.54.134:8003/protocol/internet-action, https://47.93.54.134:8003/protocol/packet-up, https://47.93.54.134:8003/protocol/target-info, https://47.93.54.134:8003/protocol/tcp-data, https://47.93.54.134:8003/protocol/user-account, https://47.93.54.134:8003/protocol/virtual-id, https://47.93.54.134:8003/public/bind-ip, https://49.89.41.187:8001/protocol/target-info, https://49.89.41.187:8002/, https://49.89.41.187:8002/protocol/application, https://49.89.41.187:8002/protocol/tcp-data, https://49.89.41.187:8002/protocol/virtual-id |
| Attacker Hashes | 02479ed4eab50844cfb0ffa1fee61a4663e4c1713e5ef496f22e519e2de8b2da, 08f57ad20eabe6b1f294ff4ac3045a97ae872361944f4fb079964d3801dc7c4d, 0cba19b19df9e2c5ebe55d9de377d26a1a51b70a, 12afe49dfbe38657eb7eaae79f758be5906bc2c35bd160c5baf942bb142794f7, 17a2dd45f9f57161b4cc40924296c4deab65beea447efb46d3178a9e76815d06, 17f4f2bda80a4d19c0477165336d5851de1978707286bc5e0f3cef9e7c843ea3, 1ea6667496eeb94755dafd75cd4755e0efb93c916e52921f66edc5c21c876a82, 21b995c9df5e54c2f4464c3caa9211dd1db2679add6239e0b5ee79136796a1c8, 233bdbfadebb532f2730bd965795302bfcd84cb0ccf788c039bac9632b46d957, 247b739f4098bb31bf1899ceb43144ff39a1473d2f696e595ce7cddfcc3ba816, 2550aa4c4bc0a020ec4b16973df271b81118a7abea77f77fec2f575a32dc3444, 290d267bf8da5c0e19c2d4480654ce5de18a54f01d87c7d2916df31e59883bf5, 2d47e2551fa4daaf5375699a86a06ecbc51943ecf097c4fbcc68a9de136f043a, 2ebb7ae49b47934e19413f0deaa8c46e1cf791c776c3ed2c15c3a69511455a02, 3a024b3dea30e1f563a297343b9c1c80d22f1b2f6844091353b52f34b15498e5, 40ac46a116b65f0450acc2673dc0d973b6df83b6f5260e4cba049f0fd008c9fb, 43891d3898a54a132d198be47a44a8d4856201fa7a87f3f850432ba9e038893a, 4db38a097ae4d5e70b2f51a8ee13b0c1ee01a2a1, 58d00cc6552b53da178b121851391e74646d636b171ac7c5cbd9350bcfc02f57, 5ab86388bab3c67f7fe741a1179c20a90acc638db79077a8be9cd89ea8069741, 5ffbb0996165efbf6797e21ac2dd3ac7370ba766ee7865855c94cda594ae55c0, 62368f963bfeeef063250198a314fd9bf541794cd86c097c19300765cb617ab9, 67f28e05f120a28eab40f588abfce7bc7e76d2c7126f5bc93ab0feb74d9b12f5, 76953e949ac54be8ff3a68794ef1419e9ef9afcb, 77de39e67354557eed2b61f0bb39128fa67e92da98097f0de9251408c202f22f, 7847e00e9c0a6080a648ce977f30637e8ad52297ea108e5fcbe9874849bca547, 78a425fca23e709e2abe8ddf182f586b58b5ad5880f97d679b86db9322a304f6, 7fd78d8a7f635c178b64683e19a7f5a284d1f7cf88a2195f854a21817279fd69, 80bc198ba9e90e62504b21ec692f87303b7d75e7a89506d30bfa521857233d72, 94116f358b8efb9b40834609564ae162ba246e40d822d510794ffdda96c85bc5, 9784a1483b4586eb12d86e549d39ca4bb63871b8, 9aeb63685404f3f7432aa349272b887dbe4ddba074fc6eb1ff76e8569fc37a08, 9d592198b73c45f08b76cdd6c45611a7bccf0f13975f02f2dde779590339e5d9, 9ed358c8bd05081491f9e6d460dc3c3f4300e52689ea8e8a5b2971d805ff047a, a0a8f441be5740e7ddb7fc5fcf5a4db7c7e743f68cbc85b2f5ed932d0817fc46, aee2021cdff5536013368cf5ce14222823c5c0dd6d95074992f78a4ca9fae0be, b08e83b7467b0ad9d15cab33e21e3db0b5994d918b2c14ca93e6983bd1566085, c0fbbdec744b46df7ea9ad638b016e1d6ef6554046eabfd75cbd17a9cbe4424b, c59509018bbbe5482452a205513a2eb5d86004369309818ece7eba7a462ef854, c62d929e7b7e7b6165923a5dfc60cb56, c643190784b4b2ad06d1c909e59f4b6164c59128cb69eb20b948f5533a7d1ef7, cd09f8f7ea3b57d5eb6f3f16af445454, ce0530aae6283fa1f82926603eec1f349606d0325d1f6174273d6d5866982f0b, d39899b079132e3510ef2d3a21e298ce0776d796c87a0f488c482d60dbbfd626, da867188937698c7769861c72f5490cb9c3d4f63, e35dde281d71e8519493322e5e720fb46f3d32083bdcb2593436c511e5b4b096, e42bf15159b920cf21b016beadf23c6d96c5698107451f47fc25a324815c3810, f818c74cbf88bb2a8c79650fb2bdfa6e9a9bd38d58a3433e37756da7d981a130, f8d01dca76b9028611369b956d9d1a7f89729df01a6a86d46a9db9fdab1decca |
| Victim Industries | E-commerce, Gaming, Government, Interactive Media & Services, Multimedia, Online Gambling, Retail, Social Media, Software, Technology Hardware, Telecommunications, Transportation |
| Victim Countries | Cambodia, China, Philippines, United Arab Emirates |
Mitigation Advice
- Immediately review and apply the latest firmware security patches to all company-managed routers and edge devices.
- Configure network monitoring and DNS security tools to detect and alert on DNS responses that redirect internal or high-traffic external domains to unauthorized IP addresses.
- Monitor network traffic logs for anomalous TLS certificates, such as self-signed certificates or certificates from unexpected issuers, particularly for email (POP3/IMAP) and internal services.
- Perform a targeted threat hunt on all Linux-based routers and edge devices for the presence of DKnife framework files, including dknife.bin, postapi.bin, sslmm.bin, mmdown.bin, yitiji.bin, remote.bin, and dkupdate.bin.
- Using your Endpoint Detection and Response (EDR) tool, run threat hunting queries for indicators of compromise (IOCs) associated with the ShadowPad and DarkNimbus backdoors on all managed endpoints.
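Two of the hunts above, the DNS-redirect alert and the anomalous-TLS-certificate check for POP3/IMAP, can be run over exported resolver logs and TLS-inspection records. The following script is an added example (not code from the Talos research or from any vendor) that does both. The resolver log format, the per-zone address baseline in `DNS_BASELINE` (documentation prefixes stand in for the real CDN ranges you would derive from your own resolver history), the TLS record shape, and the trusted-issuer set are all constructed; JD.com appears only because the advisory names it as a hijacked domain.

```python
"""DNS-hijack and mail-TLS anomaly hunts for the DKnife AitM pattern.
Added example; baselines, log lines and certificate records are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Set

# Constructed baseline: address ranges each monitored zone is expected to resolve into.
DNS_BASELINE: Dict[str, List[str]] = {
    "jd.com": ["203.0.113.0/24"],
    "update.example-av.corp": ["10.20.0.0/16"],
}
MAIL_PORTS = {110, 143, 993, 995}  # POP3, IMAP, IMAPS, POP3S


def zone_for(qname: str, baseline: Dict[str, List[str]]) -> Optional[str]:
    """Map a query name to the longest baseline zone it belongs to, or None."""
    name = qname.rstrip(".").lower()
    best = None
    for zone in baseline:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def detect_dns_hijack(lines: Iterable[str], baseline: Dict[str, List[str]] = DNS_BASELINE) -> List[dict]:
    """Each line: '<ts> <client> <qname> <answer-ip>' (constructed resolver log format).
    Returns one alert per answer that falls outside the zone's expected ranges."""
    alerts = []
    for line in lines:
        ts, client, qname, answer = line.split()
        zone = zone_for(qname, baseline)
        if zone is None:
            continue  # not a monitored zone
        ip = ipaddress.ip_address(answer)
        if not any(ip in ipaddress.ip_network(prefix) for prefix in baseline[zone]):
            alerts.append({"ts": ts, "client": client, "qname": qname, "answer": answer, "zone": zone})
    return alerts


def flag_tls_anomalies(records: Iterable[dict], trusted_issuers: Set[str]) -> List[dict]:
    """Records carry server, port, issuer and self_signed as produced by a TLS
    inspection tool; flag self-signed certs and unexpected issuers, and mark
    whether the service is a mail protocol (the case DKnife's sslmm.bin targets)."""
    out = []
    for rec in records:
        reasons = []
        if rec["self_signed"]:
            reasons.append("self-signed")
        elif rec["issuer"] not in trusted_issuers:
            reasons.append(f"unexpected issuer {rec['issuer']}")
        if reasons:
            out.append({**rec, "mail_protocol": rec["port"] in MAIL_PORTS, "reasons": reasons})
    return out


# Constructed sample data.
SAMPLE_DNS_LOG = [
    "2026-02-09T09:00:00Z 10.10.5.21 www.jd.com 203.0.113.10",
    "2026-02-09T09:00:03Z 10.10.5.21 www.jd.com 198.51.100.7",
    "2026-02-09T09:00:05Z 10.10.5.30 update.example-av.corp 10.20.4.9",
    "2026-02-09T09:00:09Z 10.10.5.30 update.example-av.corp 192.0.2.44",
    "2026-02-09T09:00:12Z 10.10.5.31 unrelated.example.net 192.0.2.1",
]
SAMPLE_TLS = [
    {"server": "imap.example-mail.corp", "port": 993, "issuer": "Example Corp Issuing CA 1", "self_signed": False},
    {"server": "imap.example-mail.corp", "port": 993, "issuer": "imap.example-mail.corp", "self_signed": True},
    {"server": "intranet.example.corp", "port": 443, "issuer": "Unknown Root CA", "self_signed": False},
]
TRUSTED_ISSUERS = {"Example Corp Issuing CA 1"}

if __name__ == "__main__":
    for alert in detect_dns_hijack(SAMPLE_DNS_LOG):
        print("DNS:", alert)
    for finding in flag_tls_anomalies(SAMPLE_TLS, TRUSTED_ISSUERS):
        print("TLS:", finding["server"], finding["port"], finding["reasons"])
```

The second DNS sample line is the pattern to look for: the same client receives an in-range answer and then an out-of-range one for the same name within seconds, which is what an on-path device rewriting responses looks like from the resolver's side.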
Compliance Best Practices
- Develop and enforce a security hardening baseline for all network edge devices, including changing default administrator credentials, disabling unused services, and restricting management interface access to a dedicated, segmented network.
- Implement network segmentation to isolate IoT and network infrastructure devices from the corporate user and critical server networks, limiting the potential impact of a compromised edge device.
- Implement a Network Detection and Response (NDR) solution to continuously monitor network traffic for anomalies, including DNS hijacking, unauthorized TLS decryption, and malicious file transfers.
- Create a plan to migrate all users and applications from legacy email protocols like POP3 and IMAP to modern, secure alternatives that enforce transport encryption and multi-factor authentication.
- Implement application control policies on endpoints to prevent the execution of unauthorized applications and block common DLL side-loading techniques.
https://blog.talosintelligence.com/knife-cutting-the-edge/
https://gbhackers.com/china-nexus-hackers/
https://hackread.com/china-dknife-spyware-hijack-internet-routers-2019/
https://thehackernews.com/2026/02/china-linked-dknife-aitm-framework.html
https://www.hendryadrian.com/the-all-in-one-spy-dknife-malware-hijacks-routers-to-swap-downloads/
https://www.infosecurity-magazine.com/news/china-malware-kit-targets-routers/