Daxin Malware Returns via Stealth Portal
A legacy rootkit reappears in Taiwan alongside a sophisticated new backdoor that executes commands from the Windows logon screen.
The resurgence of a sophisticated, China-linked cyber espionage tool serves as a stark reminder that digital threats often possess a shelf life far longer than industry observers anticipate. After vanishing from the active landscape, the Daxin malware has been identified within the network of a Taiwanese high-tech manufacturer, signaling that long-term persistence remains a primary objective for advanced persistent threats.
A Legacy Tool in New Hands
Daxin, a kernel-mode rootkit, was first documented by security researchers in 2022 but carries a lineage of activity reaching back over a decade. Its return to the operational theatre, found on a machine that began transmitting telemetry in 2026, highlights the difficulty of purging deep-seated intrusions from complex critical infrastructure environments.
The Stupig Pre-Login Backdoor
Accompanying the rootkit is a previously unidentified backdoor referred to as Stupig. This tool represents a highly innovative approach to system exploitation, effectively subverting the Windows login process before a user even enters their credentials.
Stupig uses a technique not documented in any known malware family. A trojanized keyboard-layout DLL loaded by 'winlogon.exe' lets an attacker run commands as System directly from the Windows logon screen, before anyone signs in and without raising a logon audit event.
— Broadcom, the cybersecurity arm of the firm that identified the threat.
By masquerading as a legitimate keyboard layout file, the malware remains invisible to routine administrative audits. When a specific string is entered into the username field at the logon prompt, the system interprets the subsequent input as a command, executing it with full SYSTEM privileges.
Vulnerabilities and Historical Data
The persistence of these threats is underscored by several critical metrics and findings:
- Initial compilation timestamps for both Daxin and Stupig date back to 2013.
- The compromised system in Taiwan first reported telemetry data on May 12, 2026.
- The intrusion is suspected to be tied to an outdated Digiwin single sign-on (SSO) portal running vulnerable Java Development Kit versions from as early as 2009.
The infection vector points toward the risks inherent in maintaining legacy software. The use of deprecated development kits provided a gateway for attackers to plant tools that could potentially remain undetected for up to 13 years.
Implications for Security Posture
For organizations, the presence of these tools necessitates a shift in how they monitor for unauthorized access. The ability of Stupig to function during the pre-authentication phase means that traditional monitoring, which often starts tracking after a user session begins, is insufficient. Defending against such threats requires visibility into the Windows logon process and a more stringent approach to patching external-facing portals. As threat actors continue to integrate new automation technologies, such as LLMs, to refine their offensive capabilities, the window for defenders to identify and neutralize these stealthy, long-term compromises continues to shrink.
Continue Reading
Critical Remote Code Execution Flaw Discovered in SetParameter Command
A critical vulnerability identified as CVE-2023-49900 allows unauthenticated remote attackers to execute arbitrary code due to improper input sanitization.
CISA Adds KNX Protocol Connection Authorization Flaw to KEV Catalog
A critical account lockout vulnerability in the KNX Protocol Connection Authorization Option 1 is currently being exploited in the wild.
CISA Adds Actively Exploited Oracle E-Business Suite Flaw to KEV
An improper privilege management vulnerability in Oracle E-Business Suite is currently being exploited in the wild, risking full takeover of Oracle Payments.