Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Daxin: A 13-Year-Old China-Linked Malware Still Active on a Taiwan-Based Manufacturer's Network



A 13-year-old China-linked malware is still active on a Taiwanese-based manufacturer's network, according to a recent discovery by Symantec researchers. The malware, known as Daxin, was first documented in March 2022 and has been found to be still operational on the same network where it was originally deployed over thirteen years ago.

  • Daxin, a Windows kernel-mode rootkit, was first documented by Symantec in March 2022 and has been discovered to have compromised a Taiwanese-based manufacturer's network since 2013.
  • The malware was deployed on the network of a Taiwan-based subsidiary through an outdated Digiwin single sign-on portal vulnerability.
  • Daxin allows attackers to communicate with infected computers on highly secured networks, making it difficult to detect with conventional network monitoring.
  • A new backdoor named Stupig was discovered on the same host as Daxin, disguising itself as a legitimate keyboard layout file.
  • Stupig achieves persistence by registering as a keyboard-layout provider and executes commands with SYSTEM privileges without raising logon audit events.
  • The discovery highlights the importance of keeping software and systems updated, as well as conducting regular security audits to detect vulnerabilities in networks.



  • In a recent discovery, researchers from Symantec have uncovered evidence of a sophisticated cyberattack dating back to 2013, which has left a Taiwanese-based manufacturer's network compromised for nearly thirteen years. The malware in question is known as Daxin, a Windows kernel-mode rootkit that was first documented by Symantec in March 2022.

    The attack began around 2013 when the malware was deployed on the network of a Taiwan-based subsidiary of a multinational high-tech manufacturer. At the time, it is believed that an outdated version of the Digiwin single sign-on portal was exploited as the entry point for the attack, leaving a significant vulnerability exposed on the network.

    Daxin is a rare choice for malware authors, implemented as a Windows kernel driver, which allows the attackers to communicate with infected computers on highly secured networks, where direct internet connectivity is not available. This advanced communication capability enables Daxin to hide its traffic in normal network traffic and abuse legitimate services already running on the infected computers.

    The malware doesn't reach out to attacker-controlled servers like most malware does. Instead, it monitors incoming TCP traffic on the host for specific patterns and hijacks existing legitimate connections to run its encrypted communications, blending in with traffic that's already there. This makes Daxin exceptionally difficult to identify with conventional network monitoring.

    Furthermore, a new backdoor named Stupig was discovered on the same host as Daxin. The Stupig backdoor disguises itself as kbdus1.dll, mimicking the legitimate kbdus.dll file that Windows uses for the U.S. English keyboard layout. It registers itself as a keyboard-layout provider and causes win32k.sys to load it into winlogon.exe at system startup.

    Stupig achieves persistence by registering as a keyboard-layout provider, causing win32k.sys to load it into winlogon.exe at system startup. The DLL returns a valid KBDTABLES pointer so the keyboard layout functions normally, giving nothing away to any process or administrator inspecting the loaded module. This allows Stupig to watch the Windows login screen for usernames that begin with the string “stupig.” Whatever follows that prefix is treated as a command and executed with SYSTEM privileges.

    This access method provides a significant advantage to attackers, allowing them to execute commands as System before any user signs in and without raising a logon audit event. The experts still have to discover how the host was originally compromised, but based on what was found, it's believed that an outdated version of the Digiwin single sign-on portal software from 2009 to 2011 may have been used as the entry point for the attack.

    Symantec hasn't found code-level overlap between Daxin and Stupig, so there's no technical proof they came from the same development team. However, their functions are complementary. The practical upshot for defenders is to add keyboard-layout DLL loading to the list of things worth monitoring, particularly anything being loaded into winlogon.exe at startup that wasn’t there before.

    The impact of this discovery highlights the importance of keeping software and systems updated, as well as conducting regular security audits to detect vulnerabilities in networks. It also serves as a reminder that even sophisticated malware like Daxin can still be active on networks for extended periods without being detected.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Daxin-A-13-Year-Old-China-Linked-Malware-Still-Active-on-a-Taiwan-Based-Manufacturers-Network-ehn.shtml

  • https://securityaffairs.com/195577/malware/daxin-13-year-old-china-linked-malware-found-still-active-on-manufacturers-network.html


  • Published: Sat Jul 18 10:23:21 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us