Daxin Returns: Stealthy Malware Resurfaces in Taiwan Alongside a New Backdoor

Daxin Returns: Stealthy Malware Resurfaces in Taiwan Alongside a New Backdoor
Symantec found Backdoor.Daxin still active on a compromised host in Taiwan in May 2026, alongside a previously unknown backdoor named Backdoor.Stupig that executes commands from the Windows logon screen and may be related to the same China-linked operator. The victim was a Taiwan-based subsidiary of a multinational high-tech manufacturer, and both tools carried 2013 compile timestamps that suggest a very long-lived intrusion. #BackdoorDaxin #BackdoorStupig #Digiwin #winlogon.exe #kbdusdll

Keypoints

  • Symantec discovered Backdoor.Daxin active in May 2026 on a compromised host in Taiwan, more than four years after it was first publicly exposed.
  • A second, previously undocumented backdoor, Backdoor.Stupig, was found on the same machine and may be operationally related to Daxin.
  • Stupig abuses a keyboard-layout DLL loaded by winlogon.exe to run commands as SYSTEM from the Windows logon screen before any user signs in.
  • Both malware samples carried compile timestamps from early 2013, suggesting the intrusion may have persisted undetected for years.
  • The likely initial access vector was an outdated Digiwin single sign-on portal using obsolete JDK 1.5 and 1.6 installations.
  • Daxin uses unusual C&C tradecraft by hijacking legitimate inbound TCP traffic and can relay commands across infected hosts to reach isolated systems.
  • The victim was a Taiwan-based subsidiary of a multinational high-tech manufacturer, a target type consistent with prior China-linked espionage activity.

MITRE Techniques

  • [T1547.004 ] Boot or Logon Autostart Execution: Winlogon Helper DLL – Stupig persists by registering as a keyboard-layout provider so win32k.sys loads it into winlogon.exe at startup (‘registering as a keyboard-layout provider, causing win32k.sys to load it into winlogon.exe at system startup’).
  • [T1055 ] Process Injection – Stupig installs inline hooks inside winlogon.exe to intercept credentials and control logon behavior (‘installed inline hooks on SspiCli!LsaLogonUser and Advapi32!CredUnprotectA’).
  • [T1105 ] Ingress Tool Transfer / Inbound Traffic Hijacking – Daxin monitors incoming TCP traffic and hijacks legitimate connections to carry encrypted C&C traffic (‘monitors incoming TCP traffic for specific patterns and hijacks existing legitimate connections’).
  • [T1021 ] Remote Services / Lateral Movement – Daxin can relay commands through chains of infected hosts to reach isolated network segments (‘supporting multi-hop communications through chains of infected hosts’).
  • [T1218 ] System Binary Proxy Execution – Stupig abuses winlogon.exe and win32k.sys loading behavior to run malicious code under trusted system components (‘load it into winlogon.exe at system startup’).

Indicators of Compromise

  • [File hashes ] Backdoor.Daxin and Backdoor.Stupig samples – 49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530, 5bb5cffda4647940919a185df37aab2aef71ca3010a6c1d05bdcc8bc8fb3af3f
  • [File names ] Deployed malware files on the victim host – srt64.sys, a.dll, kbdus1.dll
  • [System directories / paths ] Backdoor.Daxin was installed as a kernel driver and Stupig was found in Windows system locations – %SystemRoot%System32drivers, System32
  • [Companion payload reference ] Stupig referenced a missing additional DLL payload – msyun.dll


Read more: https://www.security.com/threat-intelligence/daxin-returns-stupig