Malware | Used by 5 actors | Exploits 9 CVEs

DarkNimbus

DarkNimbus is a cross-platform backdoor with Android and Windows variants that has been actively developed since at least 2018. It has been reported as being used by the China-aligned threat cluster Earth Minotaur and has also been linked in reporting to TheWizards/WizardNet-related activity. Since 2023, Cisco Talos has tracked DarkNimbus alongside the MOONSHINE exploit kit, and Trend Micro reported that Earth Minotaur uses MOONSHINE to deliver DarkNimbus to Android and Windows devices, primarily targeting Tibetan and Uyghur communities via malicious links distributed through instant messaging applications, especially WeChat.

On Android, MOONSHINE targets vulnerable Chromium-based browsers and Tencent Browser Server components embedded in apps, including WeChat. In the observed chain, successful exploitation replaced WeChat’s XWalk browser core with a trojanized APK containing DarkNimbus. The Android backdoor uses XMPP for command-and-control via the open-source Smack library and HTTPS for file transfers. Reported capabilities include collection of device information, installed applications, contacts, SMS, call history, GPS data, clipboard contents, browser bookmarks, files, screenshots, photos, and recordings. It also abuses Android Accessibility Service to steal conversations from instant messaging apps shown in the foreground. The broader Android codebase supports collection from DingTalk, MOMO, QQ, Skype, TalkBox, Voxer, WeChat, and WhatsApp, although the MOONSHINE-delivered variant was reported to target WeChat specifically.

The Windows variant is written in C++ and supports host profiling, installed software enumeration, file collection, browsing-history theft, screenshots, keystroke capture, clipboard theft, shell command execution, and browser credential theft. One reported variant communicated with C2 at 117.175.185.81:8001, while another sent the string DKGETMMHOST to 1.1.1.1:8005 to obtain final C2 information.

Cisco Talos also reported DarkNimbus being delivered by DKnife, a seven-component Linux-based adversary-in-the-middle framework used on routers and edge devices since at least 2019 and assessed with high confidence as operated by China-nexus threat actors. DKnife hijacks Windows binary downloads and Android application updates to deliver ShadowPad and DarkNimbus, including a chain in which install.exe (SHA256 2550aa4c4bc0a020ec4b16973df271b81118a7abea77f77fec2f575a32dc3444) contained ShadowPad and DarkNimbus components; TosBtKbd.exe sideloaded TosBtKbd.dll, which then loaded the DarkNimbus DLL TosBtKbdLayer.dll. Talos reported that delivered DarkNimbus samples contacted 1.1.1.1 and that DKnife intercepted that request to provide the real C2 IP. Additional reporting notes overlap between DKnife and WizardNet/Spellbinder infrastructure and tactics, and that DarkNimbus has appeared in campaigns involving ShadowPad and WizardNet.
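The C2 rendezvous behaviour described above (the Windows variant sending DKGETMMHOST to 1.1.1.1:8005, the reported C2 117.175.185.81:8001, and the TosBtKbd.exe side-loading chain) and the Android trigger URL fanyi.baidu.com/query_config_dk quoted in the T1205 evidence further down are the kind of indicators a detection team would want to match against telemetry. The script below is an added example, not code from the Mallory page or from any of the vendor reports it cites: it turns those page-stated indicators into detection logic and runs it over a few constructed telemetry lines. The key=value log format, the sample lines, and the function names (parse, check_line, scan) are assumptions of this example; the indicator values themselves are only those the page states.

```python
"""Detection example for the DarkNimbus / DKnife behaviours described on this page.

Added example: not code from the Mallory page or from the vendor reports it cites.
Indicator values are the ones the page states; the key=value telemetry format,
the sample lines and the function names are assumptions made here.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique the matched behaviour maps to
    reason: str
    line: str


# Indicators stated on the page.
KNOWN_C2 = {("117.175.185.81", 8001)}              # Windows variant C2
RENDEZVOUS = ("1.1.1.1", 8005)                      # Windows variant sends DKGETMMHOST here
RENDEZVOUS_STRING = "DKGETMMHOST"
BAIDU_TRIGGER = "fanyi.baidu.com/query_config_dk"   # Android variant, DKnife trigger URL
SIDELOAD_HOST = "tosbtkbd.exe"                      # signed Toshiba binary abused for side-loading
DARKNIMBUS_DLL = "tosbtkbdlayer.dll"                # DarkNimbus DLL in the reported chain

# Constructed telemetry format: space-separated key=value pairs, quoted values may contain spaces.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line: str) -> dict:
    """Parse one constructed key=value telemetry line into a dict."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.lower().rsplit("\\", 1)[-1]


def check_line(line: str) -> list:
    """Return the findings for one telemetry line (empty list if nothing matches)."""
    f = parse(line)
    kind = f.get("event")
    out = []
    if kind == "net":
        dst, port = f.get("dst", ""), int(f.get("dport", 0))
        if (dst, port) in KNOWN_C2:
            out.append(Finding("T1071", f"connection to reported DarkNimbus C2 {dst}:{port}", line))
        # 1.1.1.1 is a public resolver, so traffic to it on 53/443 is normal in most networks.
        # Only the unusual port together with the DKGETMMHOST string is the DarkNimbus
        # C2 lookup that DKnife intercepts on the path.
        if (dst, port) == RENDEZVOUS and RENDEZVOUS_STRING in f.get("payload", ""):
            out.append(Finding("T1205", "DKGETMMHOST sent to 1.1.1.1:8005 (DKnife-intercepted C2 lookup)", line))
    elif kind == "http":
        # Baidu never answers this path; the request exists only to be hijacked by DKnife.
        if BAIDU_TRIGGER in f.get("url", ""):
            out.append(Finding("T1205", "Android DarkNimbus C2 lookup via Baidu trigger URL", line))
    elif kind == "imageload":
        # The legitimate TosBtKbd.exe may load its own TosBtKbd.dll, and the page gives no
        # hash for the malicious copy, so the load of TosBtKbdLayer.dll is the usable signal.
        if basename(f.get("process", "")) == SIDELOAD_HOST and basename(f.get("image", "")) == DARKNIMBUS_DLL:
            out.append(Finding("T1574.001", "TosBtKbd.exe process loaded TosBtKbdLayer.dll (DarkNimbus side-loading chain)", line))
    return out


def scan(lines) -> list:
    """Run check_line over every line and collect the findings in input order."""
    return [finding for line in lines for finding in check_line(line)]


# Constructed sample telemetry (not real captures); hosts and paths are made up.
SAMPLE = [
    'event=net src=10.0.0.5 dst=1.1.1.1 dport=443 payload=""',
    'event=net src=10.0.0.5 dst=1.1.1.1 dport=8005 payload="DKGETMMHOST"',
    'event=net src=10.0.0.5 dst=117.175.185.81 dport=8001 payload=""',
    'event=http src=10.0.0.9 url="http://fanyi.baidu.com/query_config_dk"',
    'event=http src=10.0.0.9 url="https://fanyi.baidu.com/"',
    r'event=imageload process="C:\Program Files\Toshiba\TosBtKbd.exe" image="C:\Program Files\Toshiba\TosBtKbdLayer.dll"',
    r'event=imageload process="C:\Windows\explorer.exe" image="C:\Windows\System32\kernel32.dll"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(f"[{finding.technique}] {finding.reason}\n    {finding.line}")
```

Running the script over the constructed sample yields four findings (two T1205, one T1071, one T1574.001); the benign 1.1.1.1:443 line, the ordinary Baidu page load, and the explorer.exe image load are left alone. The rendezvous rule deliberately requires both the port and the DKGETMMHOST string, since matching on the 1.1.1.1 address alone would page on normal resolver traffic.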

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

EXPLOITED CVES

Vulnerabilities exploited

9 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

9 CVEs

CVE-2016-1646: Out-of-bounds read in Google V8 Array.prototype.concat (exploited in the wild)

Targeted version: Chrome 39~49

via Trend Micro Research (trendmicro.com)

CVE-2020-6418: Type Confusion in Google Chrome V8 Turbofan (exploited in the wild)

CVE-2020-6418 is the only newer vulnerability included in the version of MOONSHINE exploit kit we observed.

via Trend Micro Research (trendmicro.com)

CVE-2018-17480: V8 out-of-bounds write in Google Chrome array deserialization (exploited in the wild)

Targeted version: Chrome 70~73, TBS 44605

via Trend Micro Research (trendmicro.com)

CVE-2018-6065: Integer overflow in V8 object instantiation in Google Chrome (exploited in the wild)

Targeted version: Chrome 62~63

via Trend Micro Research (trendmicro.com)

CVE-2018-17463: Type Confusion RCE in Google Chrome V8 (exploited in the wild)

Targeted version: Chrome 68~69

via Trend Micro Research (trendmicro.com)

CVE-2016-5198: Type confusion in V8 in Google Chrome (exploited in the wild)

Targeted version: Chrome 50

via Trend Micro Research (trendmicro.com)

CVE-2023-3420: Type Confusion in V8 (Google Chrome <114.0.5735.198) (exploited in the wild)

Cisco Talos Intelligence Group recently published details on the CVE-2023-3420 vulnerability that targets WeChat. We believe the related exploit is part of the MOONSHINE framework.

via Trend Micro Research (trendmicro.com)

CVE-2017-5070: Type Confusion RCE in Google Chrome V8 (exploited in the wild)

Targeted version: Chrome 56~58

via Trend Micro Research (trendmicro.com)

CVE-2017-5030: Remote Code Execution in Google Chrome V8 complex species handling (exploited in the wild)

Targeted version: Chrome 51~55

via Trend Micro Research (trendmicro.com)
THREAT ACTORS

Groups observed using it

5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Earth Minotaur

They also discovered an unreported Android backdoor, DarkNimbus, that was used by Earth Minotaur. This backdoor also has a Windows version. Earth Minotaur uses MOONSHINE to deliver the DarkNimbus backdoor to Android and Windows devices, targeting WeChat, and possibly making it a cross-platform threat.

via Trend Micro Research (trendmicro.com)

TheWizards

...deliver malware like the ShadowPad and DarkNimbus backdoors.

via SC World (scworld.com)

china_nexus_threat_actors

Since 2023, Cisco Talos has tracked the MOONSHINE exploit kit and the DarkNimbus backdoor used to deliver mobile exploits.

via Security Affairs (securityaffairs.com)

china_nexus_apt_groups

"...campaigns involving ShadowPad, DarkNimbus, and the WizardNet backdoor."

via Rescana blog (rescana.com)

TheWizard

...TheWizard APT group, which also deployed DarkNimbus backdoor developed by Earth Minotaur.

via GBHackers (gbhackers.com)
MITRE ATT&CK

Techniques & procedures

24 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

4 techniques
T1189 Drive-by Compromise (evidence: 1)

The malicious links led victims to MOONSHINE exploit kit servers, which install backdoors on the victims’ devices.

T1195 Supply Chain Compromise (evidence: 2)

“DKnife hijacks software downloads and Android app updates to spread ShadowPad and DarkNimbus backdoors.”

T1195.002 Compromise Software Supply Chain (evidence: 1)

DKnife hijacks software downloads and Android app updates... It redirects update requests to a local malicious server and replaces legitimate downloads with malware.

T1566.002 Spearphishing Link (evidence: 1)

Earth Minotaur sends carefully crafted messages via instant messaging apps to entice victims to click an embedded malicious link. They disguise themselves as different characters on chats to increase the success of their social engineering attacks.

Execution

5 techniques
T1059.003 Windows Command Shell (evidence: 1)

cmd_10051 Executes shell command

T1059.004 Unix Shell (evidence: 1)

cmd_20004 Execute a shell command

T1203 Exploitation for Client Execution (evidence: 1)

MOONSHINE uses multiple Chromium exploits to attack instant messaging apps on Android... This gives attackers a great opportunity to exploit these vulnerabilities and install their backdoors.

T1574.001 DLL (evidence: 2)

TosBtKbd.exe - a legitimate executable signed by Toshiba vulnerable to DLL side-loading; TosBtKbd.dll - a Shadowpad sample side-loaded by TosBtKbd.exe; TosBtKbdLayer.dll - a DarkNimbus sample loaded by TosBtKbd.dll

T1574.013 KernelCallbackTable (evidence: 1)

It delivers and interacts with the ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android application updates.

Persistence

1 technique
T1205 Traffic Signaling (evidence: 1)

For the Android variants, the backdoor attempts to contact a Baidu URL "http[:]//fanyi.baidu[.]com/query_config_dk" to retrieve its C2 information. This URL does not return any response from Baidu itself; rather, it serves as a recognizable trigger for DKnife, which intercepts the request and injects the C2 response.

Stealth

3 techniques
T1205 Traffic Signaling (evidence: 1)

For the Android variants, the backdoor attempts to contact a Baidu URL "http[:]//fanyi.baidu[.]com/query_config_dk" to retrieve its C2 information. This URL does not return any response from Baidu itself; rather, it serves as a recognizable trigger for DKnife, which intercepts the request and injects the C2 response.

T1574.001 DLL (evidence: 2)

TosBtKbd.exe - a legitimate executable signed by Toshiba vulnerable to DLL side-loading; TosBtKbd.dll - a Shadowpad sample side-loaded by TosBtKbd.exe; TosBtKbdLayer.dll - a DarkNimbus sample loaded by TosBtKbd.dll

T1574.013 KernelCallbackTable (evidence: 1)

It delivers and interacts with the ShadowPad and DarkNimbus backdoors by hijacking binary downloads and Android application updates.

Credential Access

3 techniques
T1056.001 Keylogging (evidence: 1)

cmd_10026 Collect keystrokes

T1555 Credentials from Password Stores (evidence: 1)

cmd_10052 Collect browser saved credentials

T1557 Adversary-in-the-Middle (evidence: 2)

Cisco Talos uncovered “DKnife,” a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants that perform deep-packet inspection, manipulate traffic, and deliver malware via routers and edge devices.

Discovery

3 techniques
T1082 System Information Discovery (evidence: 1)

cmd_10001 Collect mobile device information... / cmd_10001 Collect host information: OS, computername, username, cpu, memory size...

T1083 File and Directory Discovery (evidence: 1)

cmd_10011 Collect directory information... cmd_10012 Collect directory information from a specified folder... / cmd_10011 Collect list of files and directories

T1518 Software Discovery (evidence: 1)

cmd_10002 Collect installed APPs information... / cmd_10002 Collect list of installed applications by parsing registry key 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

Collection

7 techniques
T1005 Data from Local System (evidence: 1)

The backdoor steals personal information including the contact list, phone call records, SMS, clipboard content, browser bookmarks, and conversations from multiple instant messaging apps.

T1056.001 Keylogging (evidence: 1)

cmd_10026 Collect keystrokes

T1113 Screen Capture (evidence: 1)

It also supports call recording, taking photos, screenshotting...

T1115 Clipboard Data (evidence: 1)

cmd_10024 Collect clipboard data ... / cmd_10050 Collect clipboard data

T1123 Audio Capture (evidence: 1)

It also supports call recording...

T1125 Video Capture (evidence: 1)

cmd_10006 Take a picture from front-facing camera

T1557 Adversary-in-the-Middle (evidence: 2)

Cisco Talos uncovered “DKnife,” a fully featured gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants that perform deep-packet inspection, manipulate traffic, and deliver malware via routers and edge devices.

Command and Control

3 techniques
T1071 Application Layer Protocol (evidence: 1)

DarkNimbus uses the XMPP protocol to communicate with a C&C server... In addition, it communicates to another server via HTTPS; this server is used mainly for file transfers.

T1105 Ingress Tool Transfer (evidence: 2)

Downloads the trojanized XWalk APK from the remote server... / Downloading the “libwcdb.so” file from a remote server for the backdoor to use

T1205 Traffic Signaling (evidence: 1)

For the Android variants, the backdoor attempts to contact a Baidu URL "http[:]//fanyi.baidu[.]com/query_config_dk" to retrieve its C2 information. This URL does not return any response from Baidu itself; rather, it serves as a recognizable trigger for DKnife, which intercepts the request and injects the C2 response.

Impact

1 technique
T1565.001 Stored Data Manipulation (evidence: 2)

dknife.bin – DPI & attack engine... runs attacks such as DNS hijacking, binary and APK download hijacking, and user activity monitoring.

INDICATORS OF COMPROMISE

IOCs tracked for this family

14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
5 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
9 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type | Value | Latest sighting
ip.v4 | (masked on the public page) | 5 months ago
hash.sha256 | (masked on the public page) | 5 months ago
ip.v4 | (masked on the public page) | 5 months ago
ip.v4 | (masked on the public page) | 1 year ago
hash.md5 | (masked on the public page) | 2 years ago
hash.md5 | (masked on the public page) | 2 years ago
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (14)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (5)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities (9)

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (24)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.