Advertisement
Security

Daxin Malware Returns via Stealth Portal

A legacy rootkit reappears in Taiwan alongside a sophisticated new backdoor that executes commands from the Windows logon screen.

··3 hours ago·2 min read
Servers illuminate a futuristic cityscape with a data center.
Photo by Markus Stickling on Unsplash
Advertisement

The resurgence of a sophisticated, China-linked cyber espionage tool serves as a stark reminder that digital threats often possess a shelf life far longer than industry observers anticipate. After vanishing from the active landscape, the Daxin malware has been identified within the network of a Taiwanese high-tech manufacturer, signaling that long-term persistence remains a primary objective for advanced persistent threats.

A Legacy Tool in New Hands

Daxin, a kernel-mode rootkit, was first documented by security researchers in 2022 but carries a lineage of activity reaching back over a decade. Its return to the operational theatre, found on a machine that began transmitting telemetry in 2026, highlights the difficulty of purging deep-seated intrusions from complex critical infrastructure environments.

The Stupig Pre-Login Backdoor

Accompanying the rootkit is a previously unidentified backdoor referred to as Stupig. This tool represents a highly innovative approach to system exploitation, effectively subverting the Windows login process before a user even enters their credentials.

Stupig uses a technique not documented in any known malware family. A trojanized keyboard-layout DLL loaded by 'winlogon.exe' lets an attacker run commands as System directly from the Windows logon screen, before anyone signs in and without raising a logon audit event.

— Broadcom, the cybersecurity arm of the firm that identified the threat.

By masquerading as a legitimate keyboard layout file, the malware remains invisible to routine administrative audits. When a specific string is entered into the username field at the logon prompt, the system interprets the subsequent input as a command, executing it with full SYSTEM privileges.

Vulnerabilities and Historical Data

The persistence of these threats is underscored by several critical metrics and findings:

  • Initial compilation timestamps for both Daxin and Stupig date back to 2013.
  • The compromised system in Taiwan first reported telemetry data on May 12, 2026.
  • The intrusion is suspected to be tied to an outdated Digiwin single sign-on (SSO) portal running vulnerable Java Development Kit versions from as early as 2009.

The infection vector points toward the risks inherent in maintaining legacy software. The use of deprecated development kits provided a gateway for attackers to plant tools that could potentially remain undetected for up to 13 years.

Implications for Security Posture

For organizations, the presence of these tools necessitates a shift in how they monitor for unauthorized access. The ability of Stupig to function during the pre-authentication phase means that traditional monitoring, which often starts tracking after a user session begins, is insufficient. Defending against such threats requires visibility into the Windows logon process and a more stringent approach to patching external-facing portals. As threat actors continue to integrate new automation technologies, such as LLMs, to refine their offensive capabilities, the window for defenders to identify and neutralize these stealthy, long-term compromises continues to shrink.

#cyber espionage#malware#windows security#rootkit#threat intelligence

Xploitwire Editorial Team

Xploitwire Newsroom

This article was researched and drafted with AI assistance and reviewed by our editorial team before publication. About Xploitwire →

← Back to all stories
Advertisement