China-Linked Daxin Malware Resurfaces with New 'Stupig' Backdoor, Evading Detection for Years
A sophisticated, China-linked malware known as **Daxin** has re-emerged after a four-year hiatus, discovered within a Taiwanese manufacturing firm. This resurgence comes with the unveiling of a previously unknown backdoor, **Stupig**, highlighting the persistent and stealthy nature of advanced persistent threat (APT) groups.
An advanced malware previously attributed to a China-linked threat actor has resurfaced after more than four years within a Taiwan manufacturing firm, along with a previously unreported backdoor dubbed **Stupig**.
**Daxin** ("srt64.sys"), a kernel-mode rootkit, was first documented by **Broadcom**-owned **Symantec** in March 2022. Evidence indicated its use in targeted attacks aimed at governments and critical infrastructure since 2013.
The latest findings from the **Symantec** and **Carbon Black Threat Hunter Team** show that **Daxin** is still operational, having been found running on a compromised host in Taiwan in 2026. The same machine, belonging to a Taiwan-based subsidiary of a multinational high-tech manufacturer, was also infected with **Stupig** ("a.dll" or "kbdus1.dll"). This file name attempts to masquerade as "kbdus.dll," a legitimate **Microsoft** DLL associated with the U.S. English keyboard layout.
"**Stupig** uses a technique not documented in any known malware family," the cybersecurity arm of **Broadcom** stated. "A trojanized keyboard-layout DLL loaded by 'winlogon.exe' lets an attacker run commands as System directly from the Windows logon screen, before anyone signs in and without raising a logon audit event."
What makes this intrusion stand out is that both artifacts carry a compilation timestamp from early 2013, although the compromised machine did not begin reporting telemetry until May 12, 2026. Given the threat actor's ability to stay undetected for extended periods, it's suspected that the attack may have gone unnoticed for 13 years.
No code-level overlaps have been identified between **Daxin** and **Stupig**. However, their co-deployment on the same host, coupled with complementary functions, similarities in development practices, and the 2013 compile timestamps, suggest they may be the work of the same threat actor.
**Daxin** employs an unusual approach to command-and-control. Rather than directly establishing outbound connections, the Windows kernel-mode driver backdoor monitors incoming TCP traffic for specific patterns and hijacks existing legitimate connections for encrypted C2 communications. This allows it to blend in with regular activity and interact with machines physically disconnected from the internet.
"This made **Daxin** exceptionally difficult to identify with conventional network monitoring," **Broadcom** noted. "The malware also supported multi-hop communications through chains of infected hosts, allowing operators to reach systems on isolated network segments."

Exactly how and when the host was compromised remains unknown, but it's suspected to be an outdated version of the **Digiwin** single sign-on (SSO) portal. This portal was using end-of-life **Java Development Kit (JDK)** 1.5 and 1.6 installations dating back to 2009 to 2011.
"**Stupig** is a DLL backdoor that achieves persistence by registering as a keyboard-layout provider, causing win32k.sys to load it into winlogon.exe at system startup," the threat hunter team explained. "The DLL returns a valid KBDTABLES pointer so the keyboard layout functions normally, giving nothing away to any process or administrator inspecting the loaded module."
Once running inside "winlogon.exe," it monitors for usernames beginning with the string "stupig" in the Windows logon screen. When this username is entered, any string following the prefix is interpreted as a command and executed with SYSTEM privileges. If no command is entered after the prefix, it spawns a command prompt session as SYSTEM on the logon screen.
The discovery of **Daxin** in 2026 shows that the cyber espionage operation never completely stopped. Rather, it went quiet, maintaining stealthy persistence in targeted networks.
"By hiding inside the Windows logon process and registering as a keyboard-layout provider, **Stupig** gives operators SYSTEM-level command execution and credential theft before a user signs in, an access method most defenders are not aware of nor watching for," **Symantec** and **Carbon Black** said. "Whether the same operators deployed both tools cannot be confirmed, but their functions are complementary."
This disclosure comes as **Hunt.io** observed a suspected China-linked threat actor using **Anthropic Claude Code** and **DeepSeek** models to automate intrusions against government and financial systems in Afghanistan, Thailand, Taiwan, and the U.S. This discovery is based on an open directory ("112.213.124[.]132") that shares identical HTTP header fingerprints with known **TencShell** command-and-control (C2) infrastructure.
"They handled reasoning for bypass techniques, reworked exploits after failed attempts, and built the phishing pages used to harvest credentials," the threat intelligence firm stated.
"**Claude Code** serves as the execution engine, managing agentic tool use, bash command execution, session persistence, and task parallelization. **DeepSeek-v4-pro** operates as the underlying reasoning model, handling attack logic, script generation, and decision-making. In short, offensive logic is routed through a Chinese domestic LLM while leveraging **Anthropic**'s agentic execution infrastructure."