An advanced malware known as Daxin, associated with a China-linked threat actor, has reemerged within a Taiwanese manufacturing firm. Alongside it, a new backdoor called Stupig has been identified, marking a significant cybersecurity concern.
Background on Daxin Malware
Daxin, first documented by Symantec in March 2022, is a kernel-mode rootkit used in targeted attacks against government and critical infrastructure since 2013. The recent discovery by Symantec and the Carbon Black Threat Hunter Team indicates that Daxin is still active, having been found on a compromised host in Taiwan in 2026. This machine, part of a Taiwanese subsidiary of a multinational high-tech company, was also infected with Stupig, a previously unreported backdoor.
The Stupig backdoor disguises itself as a legitimate Microsoft DLL, allowing attackers to execute commands directly from the Windows logon screen without triggering any audit events, providing a stealthy method of intrusion.
Technical Details and Analysis
The Daxin malware utilizes a unique command-and-control approach, avoiding direct network connections. Instead, it monitors incoming TCP traffic for specific patterns and hijacks existing connections for encrypted communications. This method allows it to blend seamlessly with regular network activities, making detection challenging. Furthermore, it supports multi-hop communications, enabling operators to reach isolated network segments.
Stupig achieves persistence by masquerading as a keyboard-layout provider, loaded at system startup. Once active, it monitors for usernames beginning with “stupig” and executes any subsequent commands with SYSTEM privileges. This capability provides attackers substantial control over the compromised system.
Implications and Future Outlook
The resurfacing of Daxin suggests that the cyber espionage operation never fully ceased but rather adapted to maintain a low profile. The combination of Daxin and Stupig, despite having no code-level similarities, implies a coordinated effort by the same threat actor, leveraging complementary functionalities.
This revelation comes as Hunt.io reports other China-linked threat activities using advanced models to automate intrusions against various global targets. The discovery of shared infrastructure and methodologies highlights the ongoing sophistication and persistence of these threat actors.
Understanding and mitigating these threats requires continuous vigilance and the deployment of advanced detection techniques to protect against such stealthy and persistent cyber intrusions.
