A recently resurfaced Windows backdoor, linked to prior Chinese cyber activity, has been unveiled alongside Daxin, an advanced spying tool. This backdoor enables attackers to type a specific username at the Windows login screen to potentially access a command shell with maximum system privileges.
Discovery of the Backdoor
This covert mechanism was found on a compromised computer at a Taiwanese subsidiary of a global tech company. Investigators suspect the initial breach exploited an outdated Digiwin single sign-on portal that used Java Development Kit versions from 2009 to 2011. This target holds strategic significance for Chinese interests.
Symantec researchers, during a May 2026 investigation, identified both Daxin and the newly recognized Backdoor.Stupig on the same system. According to a report shared with Cyber Security News, this pairing suggests a prolonged espionage operation, though a direct code link between the two has not been confirmed.
How the Backdoor Functions
The backdoor is particularly concerning because it operates before a typical user session begins, an area where many organizations have limited oversight. It grants attackers SYSTEM-level command execution, Windows’ most powerful local account, allowing potential interception of credentials during the login process. Its integration with trusted Windows components makes detection by routine endpoint checks challenging.
Backdoor.Stupig masquerades as part of Windows keyboard support rather than a traditional remote-access tool. It registers as a keyboard-layout provider, causing Windows to load a malicious DLL into winlogon.exe at startup, while returning normal keyboard data to maintain the appearance of regular operation.
Implications and Recommendations
Once active, the backdoor monitors login attempts for usernames starting with ‘stupig’. Entering this prefix alone triggers a SYSTEM command prompt; additional text is executed with the same level of access, followed by a typical failed login response. This stealthy method makes it difficult for defenders to detect the creation of a privileged shell.
Stupig also compromises Windows functions during authentication, capturing data within winlogon.exe. A reference to a companion file named ‘msyun.dll’ was found, but the payload was not recovered. Symantec notes that Stupig does not match any known malware family, highlighting the importance of scrutinizing unfamiliar authentication modules.
Daxin, initially exposed in 2022 with samples dating back to 2013, employs a kernel-level backdoor strategy. It monitors inbound TCP traffic for specific patterns, taking over legitimate connections to transmit encrypted commands, blending malicious activity with normal network traffic. Daxin’s ability to bridge isolated network areas complicates conventional monitoring efforts.
Future Outlook and Security Measures
Defenders are advised to update unsupported Java installations and review exposed single sign-on systems, especially older Digiwin versions. Examining keyboard-layout registrations and DLLs loaded by winlogon.exe, investigating failed logins using unusual ‘stupig’ prefixes, and hunting for related indicators across Windows systems is crucial. Systems lacking historical telemetry should be reviewed to identify dormant threats, emphasizing the need for thorough validation of legacy assets.
Key indicators of compromise include specific SHA-256 hashes and filenames associated with Backdoor.Daxin and Backdoor.Stupig. Security teams should take immediate action to address these vulnerabilities, ensuring robust protection against ongoing threats.
