Daxin: 13-Year-Old China-Linked Malware Found Still Active on Manufacturer’s Network

Wait 5 sec.

Researchers found China’s Daxin rootkit and a new Stupig backdoor on a Taiwan firm’s network, suggesting a stealthy intrusion dating back to 2013.Symantec’s Threat Hunter Team found Daxin running on a compromised host at a Taiwan-based subsidiary of a multinational high-tech manufacturer in 2026. Daxin is a Windows kernel-mode rootkit that Symantec first documented in March 2022, with evidence of use in targeted attacks against governments and critical infrastructure dating back to 2013. “Backdoor.Daxin, the China-linked kernel-mode rootkit that Symantec first uncovered and exposed in 2022, is still operational.” reads the report published by Symantec. “It was found running on a compromised host in Taiwan in 2026, more than four years after it was first uncovered.”The same machine also carried a previously unreported backdoor, which the researchers are tracking as Stupig. Both artifacts carry compilation timestamps from early 2013. Telemetry from the machine only started appearing on May 12, 2026. The implication is that this intrusion may have gone undetected for thirteen years.Neither of these is a new tool in the sense that they were recently written. What’s new is that they’re still in use, still operational, and apparently were never removed from at least this one network. Thirteen years is a long time to be inside someone’s infrastructure without anyone noticing. Daxin is implemented as a Windows kernel driver, a rare choice for malware authors. The malware implements advanced communication capabilities that allow the attackers to communicate with infected computers on highly secured networks, where direct internet connectivity is not available.The malware can hide its traffic in normal network traffic on the target’s network and abuse legitimate services already running on the infected computers.Daxin doesn’t reach out to attacker-controlled servers the way most malware does. Instead, it monitors incoming TCP traffic on the host for specific patterns and hijacks existing legitimate connections to run its encrypted communications, blending in with traffic that’s already there. “Rather than establishing its own outbound connections, the driver monitors incoming TCP traffic for specific patterns and hijacks existing legitimate connections to carry encrypted command-and-control (C&C) traffic.” states Symantec. “This made Daxin exceptionally difficult to identify with conventional network monitoring. “That multi-hop capability is significant: it means the operator can reach machines that have no direct internet connection by routing commands through a chain of compromised machines that do. Standard network monitoring looking for outbound connections to suspicious destinations would find nothing.Stupig disguises itself as kbdus1.dll, mimicking the legitimate kbdus.dll file that Windows uses for the U.S. English keyboard layout. It registers itself as a keyboard-layout provider, which causes win32k.sys to load it into winlogon.exe at system startup. “Backdoor.Stupig is a DLL backdoor that achieves persistence by registering as a keyboard-layout provider, causing win32k.sys to load it into winlogon.exe at system startup.” the Symantec team explains. “The DLL returns a valid KBDTABLES pointer so the keyboard layout functions normally, giving nothing away to any process or administrator inspecting the loaded module.” The keyboard works perfectly. Nothing looks wrong. The backdoor is just sitting there, loaded into the Windows login process.Once it’s running inside winlogon.exe, Stupig watches the Windows login screen for usernames that begin with the string “stupig.” Whatever follows that prefix is treated as a command and executed with SYSTEM privileges, which is the highest level of access on a Windows machine. If someone types the prefix with nothing after it, the backdoor opens a command prompt with SYSTEM privileges directly on the login screen, before any user has authenticated. “Stupig uses a technique not documented in any known malware family. A Trojanized keyboard-layout DLL loaded by winlogon.exe lets an attacker run commands as System directly from the Windows logon screen, before anyone signs in and without raising a logon audit event.” continues the report.No login event is logged. No audit trail. A defender monitoring authentication logs would see nothing.The experts still have to discover how the host was originally compromised. The most likely entry point, based on what was found, is an outdated version of the Digiwin single sign-on portal that was running end-of-life Java Development Kit versions 1.5 and 1.6, software from 2009 to 2011. That’s a significant attack surface left exposed on a network belonging to a subsidiary of a multinational manufacturer.Symantec hasn’t found code-level overlap between Daxin and Stupig, so there’s no technical proof they came from the same development team. What connects them is deployment on the same host, complementary functions, similar development practices, and identical 2013 compile timestamps. One tool handles deep network persistence and covert communications. The other provides pre-authentication SYSTEM access through a mechanism most security teams aren’t monitoring. “If linked to the same actor, the Stupig backdoor adds a further capability.” concludes the report. “By hiding inside the Windows logon process and registering as a keyboard-layout provider, Stupig gives operators SYSTEM-level command execution and credential theft before a user signs in, an access method most defenders are not aware of nor watching for. Whether the same operators deployed both tools cannot be confirmed, but their functions are complementary.”The practical upshot for defenders is to add keyboard-layout DLL loading to the list of things worth monitoring, particularly anything being loaded into winlogon.exe at startup that wasn’t there before. The Windows login process is not a place most security teams look for malicious activity, which is precisely why this works.Follow me on Twitter: @securityaffairs and Facebook and MastodonPierluigi Paganini(SecurityAffairs – hacking, Daxin rootkit)