Daxin Resurfaces in Taiwan Alongside Stupig, a Novel Pre-Login SYSTEM Backdoor

Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA Region6 min read
Server infrastructure inside a manufacturing facility representing a resurfaced nation state backdoor

Server infrastructure inside a manufacturing facility representing a resurfaced nation state backdoor

More than four years after Symantec first documented it as the most advanced malware ever observed from a China linked actor, Daxin has resurfaced. Symantec and Carbon Black's Threat Hunter Team found it active on a compromised host inside a Taiwan based subsidiary of a multinational high tech manufacturer in May 2026, alongside a previously undocumented backdoor called Stupig that uses a technique not seen in any known malware family.

A rootkit built to hide inside the network itself

Daxin, tracked as srt64.sys, is a Windows kernel mode driver backdoor first uncovered in 2022, with samples traced back to 2013. What made it stand out then, and still does now, is its approach to command and control. Rather than establishing its own outbound connections, which is the behaviour most network monitoring is built to catch, Daxin monitors incoming TCP traffic for specific patterns and hijacks existing legitimate connections to carry its own encrypted communications. This lets the backdoor blend directly into normal network traffic rather than standing out as something separate from it. The malware also supports multi hop communication through chains of infected hosts, allowing operators to reach systems that have no direct connection to the internet at all. Symantec has attributed Daxin's use to a China linked espionage group running long term campaigns against governments, telecommunications, transportation, and manufacturing targets considered of strategic interest to China.

A companion backdoor with a genuinely new trick

Found on the same compromised host was Stupig, a backdoor documented for the first time in this investigation. Stupig achieves persistence by registering itself as a keyboard layout provider, which causes win32k.sys to load it directly into winlogon.exe, the core Windows process responsible for the logon screen, at system startup. Because the malicious DLL still returns a valid keyboard layout pointer, the keyboard continues to function normally, and nothing about the loaded module looks unusual to a process list or a routine inspection.

Once running inside winlogon.exe, Stupig watches the Windows logon screen for any username beginning with the string stupig. If an operator types that prefix followed by a command, the backdoor executes it directly as SYSTEM on the secure desktop, before any user has actually signed in. If nothing follows the prefix, it spawns a full SYSTEM level command prompt right on the logon screen instead. The legitimate authentication function is then called unchanged, so the system simply returns a standard failed login response, meaning the only trace left behind is an ordinary failed logon entry under an unusual username, not the kind of anomaly most security teams are actively hunting for. Stupig additionally installs inline hooks that intercept credentials as they pass through the same process, giving operators a second collection method beyond command execution alone.

Thirteen years of possible undetected access

The host where both tools were found had no telemetry on record before 12 May 2026, meaning it had not previously been reporting data at all. Both samples carry compile timestamps from early 2013, weeks apart from each other. While compile timestamps can be altered, researchers assess it is more likely both tools were built within a short window of one another by the same developer, and that this specific host may have been compromised, and quietly accessed, for as long as thirteen years before it became visible again. The most likely initial access point was an outdated Digiwin single sign on portal still running Java Development Kit versions 1.5 and 1.6, both of which reached end of life between 2009 and 2013.

Researchers also observed what may have been an operational security adjustment mid investigation. Stupig first appeared as a.dll and was detected on 28 May 2026. Days later, on 1 June, a renamed copy, kbdus1.dll, appeared inside the System32 directory, a name deliberately chosen to closely resemble kbdus.dll, the legitimate Microsoft library for US English keyboard layouts residing in the same folder. Whether this was a reaction to the first detection, or a redundant backdoor installed from the start that only activated once the primary one was found, remains unconfirmed.

Why this matters beyond one manufacturer

Daxin's resurfacing lands the same week Hunt.io reported a separate, suspected China linked actor using Anthropic's Claude Code alongside DeepSeek's reasoning models to automate intrusions against government and financial targets in Afghanistan, Thailand, Taiwan, and the United States, with Claude Code handling agentic execution and DeepSeek generating attack logic and exploit reasoning. Taken together, the two disclosures point in the same direction: espionage tradecraft against strategically significant manufacturing and government targets is not slowing down, it is layering AI assisted operational tooling on top of techniques, like Daxin's, that have already proven durable enough to persist undetected for over a decade.

For enterprise security teams, and particularly those responsible for identity infrastructure, Stupig is a useful reminder that pre-authentication attack surface deserves the same scrutiny as post-login activity. The technique it uses maps to MITRE ATT&CK's Winlogon Helper DLL persistence category but via a registry loading path not previously documented, which is precisely the kind of gap that sits outside most detection rules tuned to known technique variants. This connects directly to the identity chokepoint risk we detailed in our privileged access research for the GCC: a technique that grants SYSTEM level access before a legitimate user has even authenticated bypasses the entire premise that identity controls only need to matter after login succeeds. It is also a reminder, echoed in our coverage of the 16 year old Linux KVM guest to host escape disclosed earlier this month, that some of the most consequential vulnerabilities and techniques being found in 2026 are not new at all, they are simply long dormant, waiting for the right investigation to surface them.

What to watch for

Organisations running manufacturing, telecommunications, or government adjacent infrastructure, particularly with legacy single sign on or authentication portals still running end of life software components, should treat this disclosure as a prompt to audit for outdated JDK installations and similar unsupported dependencies sitting behind identity infrastructure. Given Daxin's demonstrated ability to reach air gapped or isolated network segments through chained infected hosts, organisations should not assume network segmentation alone provides protection against an actor with this level of persistence and patience.

Omar Al-Hakeem

Senior Cyber Threat Analyst | MENA Region

Omar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.