#TALOS

2026-02-05

Knife Cutting the Edge: Disclosing a China-nexus gateway-monitoring AitM framework

Cisco Talos uncovered 'DKnife', a sophisticated gateway-monitoring and adversary-in-the-middle (AitM) framework comprising seven Linux-based implants. Used since 2019, DKnife performs deep-packet inspection, traffic manipulation, and malware delivery via routers and edge devices. It targets various devices, including PCs, mobile devices, and IoT, delivering ShadowPad and DarkNimbus backdoors. The framework primarily targets Chinese-speaking users, with evidence suggesting China-nexus threat actors as operators. DKnife's capabilities include DNS hijacking, Android application update hijacking, Windows binary hijacking, anti-virus traffic disruption, and user activity monitoring. A link to the WizardNet campaign was also discovered, indicating a shared development or operational lineage.

Pulse ID: 6984fa9b481e11f8426b9eb0
Pulse Link: otx.alienvault.com/pulse/6984f
Pulse Author: AlienVault
Created: 2026-02-05 20:16:27

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#AdversaryInTheMiddle #AitM #Android #BackDoor #China #Chinese #Cisco #CyberSecurity #DNS #Edge #InfoSec #IoT #Linux #Malware #Nim #OTX #OpenThreatExchange #RAT #ShadowPad #Talos #Windows #bot #AlienVault

2026-02-02

A blog series on my descent into madness with PKI/etc would probably be interesting

But first I can finish out the networking series (latest post here).

The last part for now will be about taking the egress policy features and wireguard and then creating a wireguard interface on a Talos linux node, and then assigning routing rules to a non-default table, so only traffic assigned to that interface uses it.

The end result: ability to create an egress policy targeting a pod, and send all outbound traffic out over that VPN link.

I could have done this for the web services that I am having exit on the cloud node, but I want to eventually put caching on the edge.

Of course the goal here with the wireguard exit was to use ProtonVPN for a download client......
#Homelab #Networking #Kubernetes #Talos

2026-02-02

📬 UAT-7290: Massive attack on telecommunications infrastructure across several continents
#Cyberangriffe #Internet #Mobilfunk #Bulbature #OSINTAdvisory #ProtectionBulletin #RushDrop #SilentRaid #Talos #UAT7290 sc.tarnkappe.info/33a076

Thomas Fricke (he/his) thomasfricke@23.social
2026-01-28

All a linux system really needs as executable

Anything else can be run in a container. Immutable filesystem 🤩

External kernel and initrd, only statically linked files

sbin/xtables-legacy-multi
sbin/xfs_repair
sbin/udevd
sbin/mkfs.xfs
sbin/lvmdump
sbin/lvm
sbin/iptables-apply
sbin/init
sbin/fsck.xfs
sbin/fsadm
sbin/dmsetup
sbin/blkdeactivate
bin/runc
bin/containerd-shim-runc-v2
bin/containerd-shim
bin/containerd

#talos #linux

Unixorn - 90% Snark by weight unixorn@hachyderm.io
2026-01-25

Wrote a post about setting up the smb csi driver in your #homelab #kubernetes cluster and using talosctl to back up your #talos etcd to a NAS.

unixorn.github.io/post/homelab

@homelab

鴉河雛@PieFed karasu_sue@pf.korako.me
2026-01-19

Installing IncusOS on a mini PC and building a k8s cluster with Talos Linux that can be reached via Tailscale

I came across this article, so I was having a look at it

pf.korako.me/post/14539

2026-01-16

#Talos and #IncusOS both have "web tools" to "generate" an image that is specifically tailored to your needs (system extensions, plugins, etc.).

That feels super weird to me. I mean, why would I want to share part of my config with the website? Why would I want to download the whole ISO file multiple times when I could download it once, and customize it on my workstation?

Why not a local tool asking the same questions, downloading/caching the requested fragments and building the thing locally???

This feels like an antipattern to collect usage stats or something.

Orhun Parmaksız 👾 orhun@fosstodon.org
2026-01-14

TUIs for observability! 💯🤌

🚁 **talos-pilot** — TUI for managing/monitoring Talos Linux k8s clusters

⚡ Real-time node health, logs, diagnostics, etcd status & safe production ops.

🦀 Written in Rust & built with @ratatui_rs

⭐ GitHub: github.com/handfish/talos-pilot

#rustlang #ratatui #tui #kubernetes #talos #devops #sre #observability

Unixorn - 90% Snark by weight unixorn@hachyderm.io
2026-01-10

FYI all, portainer is giving away 3 node business licenses. portainer.io/take-3

When I signed up for the freebie I noticed they've added #kubernetes support since the last time I visited their site, so I'm interested in checking how well that interacts with #talos.

Some of my #homelab machines currently just run a few containers in #docker_compose stacks for services my #homeassistant server is using like node red and I've been using #portainer for simple things like checking status or restarting things without having to ssh into those workers. Most of those containers are going to get migrated into my #k8s cluster, so it'll be interesting to see how well it works as a quick web interface.

@homelab

2026-01-09

lmao.

talos linux just added a log folder in 1.12. Perfect, lemme enable node logs finally on the grafana/loki/alloy stack!

Oh. Wait, alloy/k8s-monitoring expects /var/log/journal to exist, so systemd, which talos is not using. (far too minimal for that, not a philosophical aversion to it)

Which means if I want to export node logs using alloy I'll have to do a bunch of file log configs, whoops

​:neocat_flop:​

Or I could export to syslog.... but I have mtls setup on that and I don't see a way to get a client cert for the talos nodes, or configure the log exporter to use it?

Hmm. I have another idea, but I'll have to think a bit on which is the best option, some of the ideas seem cursed....
#Homelab #Talos #Grafana

Unixorn - 90% Snark by weight unixorn@hachyderm.io
2026-01-06

@keisatsu @homelab #talos #homelab

I'm pretty sure you could use the metal images, but since the nocloud mentions proxmox explicitly I went with that. I'm too ignorant at this point to really know what makes them different. One of the advantages of talos + proxmox is that it's really really easy to stand up a 1 node experiment 😉

As a k8s n00b I really like how easy and fast it is to rebuild a single node cluster while I'm experimenting.

I had tried k3s before but never really moved much workload to it, and it was before I had a proxmox cluster set up. That, plus the fact that I was running it on headless Odroid ARM SBCs made me reluctant to wipe nodes and start over.

I updated the article just now to note that with the cluster configured to start with no CNI and no kube-proxy, it can take several minutes for it to get back to Ready after you kick off the etcd bootstrap.

There are some alarming looking errors while things time out that made me think I'd broken things until I kicked it off on a fresh cluster and went to cook dinner.

Here's a tip - if you plan on standing up and tearing down VMs while you're tinkering with Talos, copy the MAC of the first one (go to your proxmox datacenter UI, select the VM, then select **Hardware** and double click **Network Device** for details) and set each replacement to that MAC. Your DHCP server uses a machine's MAC to determine if it should get a static assignment, so recycling the MAC keeps you from having to update DHCP each time you bring up a new VM.

This is one of the few times it's a good idea to reuse a MAC - having two VMs or physical machines with the same MAC running simultaneously will cause problems on your network.

Unixorn - 90% Snark by weight unixorn@hachyderm.io
2026-01-06

@homelab #talos #k8s #cilium

Posted part two of my homelab k8s cluster series:

unixorn.github.io/post/homelab

This one covers using cert-manager to create certificates for domains hosted on Route 53 and setting up a basic https service using Cilium and also automatically redirecting http to https.

Calico Jesse deinol@dice.camp
2026-01-05

Decided to make a TMNT character, purely random everything.

Here’s my beginning (raw rolls, no bonuses yet).

Name: Talos
IQ 10
ME 13
MA 10
PS 12
PP 7
PE 10
PB 10
Spd 13
Animal: Lizard (Leopard Gecko)
Origin: Accidental
Education: Skulking on the fringes of society

I rolled Lizard, decided gecko because I had a Leopard Gecko in college. Yes I named him after the automated statue who protected Crete.

#TTRPG #TMNT #PalladiumRpg #LeopardGecko #Talos

Unixorn - 90% Snark by weight unixorn@hachyderm.io
2026-01-04

I set up a #talos #k8s cluster with #cilium on #proxmox over the holiday break.

I documented how to set one up on my blog at unixorn.github.io/post/homelab

#selfhosted #homelab @homelab

This is part one of a series.

2026-01-01
Running your own Fediverse instance and want to become more visible?

You can simply use relay instances to be interconnected with other instances to exchange posts and it works seamlessly with #Mastodon, #Pleroma, #snac / #snac2 and many other ones! If you're in tech, you might want to use:

https://fedi-relay.gyptazy.com

You can simply add it to get a bigger reach but also to get more interesting content into your own timeline which becomes even more important on single user- & smaller instances.

#activitypub #mastodon #fediverse #opensource #bsd #runbsd #freebsd #openbsd #netbsd #dragonflybsd #debian #proxmox #xcpng #talos #coding #programming #fediwall #relay #fedirelay #acitivitypubrelay #selfhost #homelab #community
Mikel Alvarez Sarriegi mikelasbira@pixelfed.eus
2025-12-25
For me, the album of the year. And Olentzero and Maridomingi left it at home today 🎄🎁🥰

#OlafurArnalds #Talos #ADawning
2025-12-22

Oooh, Talos 1.12 is released, a bunch of new features that I've been looking forward to

Notably the ability to assign different routing tables, will pair great with cilium egress policies to send select container traffic out over wireguard VPNs which will let me re-engineer my content acquisition system in a much cleaner manner

Also the kernel features for power monitoring were added so I'll be able to give kepler a shot but not entirely sure if my hardware works with it.

The ability to bake config into images will also be nice for Proxmox or cloud deployments as an alternative to cloud init, especially considering how clumsy Proxmox cloud init feels

I'll probably take another shot at the config generation and management, my terraform for that is not as smooth as I'd like. Maybe I'll consider one of the other tools for it? Idk.

Anyhow certainly a bunch to do with this update!

#Homelab #Talos #Kubernetes

2025-12-14

New Blog Post: Hybrid Cloud with Talos and Wireguard

https://blog.transitory.social/posts/2025-12-13-hybrid-cloud-with-talos-and-wireguard/

Follow along as I add a remote node to the cluster, and add three more layers of complexity. The end result is the ability to serve external facing pages from the cloud using Kubernetes, Talos Linux, Wireguard, Cilium, and Traefik ingress.

@homelab@fedigroups.social
#Homelab #Kubernetes #Traefik #Talos #Wireguard

Unixorn - 90% Snark by weight unixorn@hachyderm.io
2025-12-13

I'm setting up a talos cluster to tinker with at home and want to use my Synology for persistent volume storage.

I set up the NFS nfs-subdir-external-provisioner on my talos cluster and documented how at unixorn.github.io/post/homelab

#talos #kubernetes #k8s #homelab #nfs @homelab
