Ethical Hacking News
Daxin Resurfaces: A Slightly Reinvigorated Threat Actor Leans on Stupig to Steal the Show
A China-linked threat actor has resurfaced after more than four years, using a previously unknown backdoor dubbed Stupig. The malware, known as Daxin, has been found running on a compromised host in Taiwan, and its use poses significant risks to critical infrastructure targets. This resurgence highlights the persistence of certain malicious actors and their ability to adapt and evolve over time.
A recently resurfaced malware, Daxin, has been found operational in a Taiwanese manufacturing firm, over 4 years after its initial discovery.The malware is accompanied by a previously unreported backdoor called Stupig, which allows for SYSTEM-level command execution and credential theft.Daxin uses an innovative technique to blend in with regular activity, monitoring incoming TCP traffic for specific patterns and hijacking existing legitimate connections for encrypted C2 communications.The malware can interact with machines physically disconnected from the internet, supporting multi-hop communications through chains of infected hosts.Stupig is a DLL backdoor that achieves persistence by registering as a keyboard-layout provider, causing win32k.sys to load it into winlogon.exe at system startup.The attack may have gone unnoticed for 13 years, as the compromised machine did not begin reporting telemetry until May 2026.
The threat landscape is ever-evolving, as new and sophisticated cyber threats continue to emerge. In a recent development that highlights the persistence of certain malicious actors, it has come to light that an advanced malware previously attributed to a China-linked threat actor has resurfaced after more than four years within a Taiwanese manufacturing firm. The malware in question, dubbed Daxin ("srt64.sys"), is accompanied by a previously unreported backdoor known as Stupig.
Daxin was first documented by Broadcom-owned Symantec in March 2022. Evidence from that time indicated its use in targeted attacks aimed at governments and other critical infrastructure targets since 2013. The latest findings from the Symantec and Carbon Black Threat Hunter Team reveal that Daxin is still operational, having been found running on a compromised host in Taiwan in 2026.
The same machine, belonging to a Taiwan-based subsidiary of a multinational high-tech manufacturer, has also been infected with Stupig ("a.dll" or "kbdus1.dll"). The file name is an attempt to masquerade as "kbdus.dll," a legitimate Microsoft DLL associated with the U.S. English keyboard layout. This clever disguise serves to blend in with regular activity and avoid detection.
Stupig, as a tool, employs a technique not documented in any known malware family. It uses a trojanized keyboard-layout DLL loaded by 'winlogon.exe' to allow an attacker to run commands as SYSTEM directly from the Windows logon screen, before anyone signs in and without raising a logon audit event. This approach enables Stupig to provide operators with SYSTEM-level command execution and credential theft before a user signs in.
What makes this intrusion stand out is that both Daxin and Stupig carry a compilation timestamp from early 2013. Although the compromised machine did not begin reporting telemetry until May 12, 2026, it's suspected that the attack may have gone unnoticed for 13 years. The co-deployment of these two tools on the same host, coupled with complementary functions, similarities in development practices, and the 2013 compile timestamps, suggest that they may have been created by the same threat actor.
Daxin has an unusual approach to command-and-control. Rather than directly establishing outbound connections with attacker-controlled infrastructure, the Windows kernel-mode driver backdoor monitors incoming TCP traffic for specific patterns and hijacks existing legitimate connections for encrypted C2 communications so as to blend in with regular activity. This innovative technique makes Daxin exceptionally difficult to identify with conventional network monitoring.
Furthermore, it's equipped to interact with machines that are physically disconnected from the internet. This feature allows Daxin to support multi-hop communications through chains of infected hosts, enabling operators to reach systems on isolated network segments. The Symantec and Carbon Black Threat Hunter Team noted that "Stupig is a DLL backdoor that achieves persistence by registering as a keyboard-layout provider, causing win32k.sys to load it into winlogon.exe at system startup."
The DLL returns a valid KBDTABLES pointer so the keyboard layout functions normally, giving nothing away to any process or administrator inspecting the loaded module. Once Stupig starts running inside "winlogon.exe," it keeps an eye out for usernames beginning with the string "stupig" in the Windows logon screen. When the username is entered, any string that follows the prefix is interpreted as a command and executed with SYSTEM privileges.
If no command is entered after the prefix, it spawns a command prompt session as SYSTEM on the logon screen. The discovery of Daxin in 2026 shows that the cyber espionage operation never completely stopped but rather went quiet, maintaining stealthy persistence in targeted networks.
It's also worth noting that both the artifacts carry a compilation timestamp from early 2013, although the compromised machine did not begin reporting telemetry until May 12, 2026. Given the threat actor's ability to stay undetected for extended periods of time, it's suspected that the attack may have gone unnoticed for 13 years.
The disclosure comes as Hunt.io said it observed a suspected China-linked threat actor using Anthropic Claude Code and DeepSeek models to automate intrusions against government and financial systems in Afghanistan, Thailand, Taiwan, and the U.S. The discovery is based on an open directory ("112.213.124[.]132") that has been found to share identical HTTP header fingerprints with known TencShell command-and-control (C2) infrastructure.
Related Information:
https://www.ethicalhackingnews.com/articles/Daxin-Resurfaces-A-Slightly-Reinvigorated-Threat-Actor-Leans-on-Stupig-to-Steal-the-Show-ehn.shtml
https://thehackernews.com/2026/07/daxin-resurfaces-in-taiwan-alongside.html
Published: Thu Jul 16 07:59:39 2026 by llama3.2 3B Q4_K_M