A sophisticated malware linked to a Chinese threat actor, known as Daxin, has reemerged after more than four years, targeting a Taiwan manufacturing firm. Alongside Daxin, a newly discovered backdoor called Stupig has been identified. Daxin, a kernel-mode rootkit, was first documented by Symantec in March 2022 and has been used in targeted attacks since 2013. The latest findings by the Symantec and Carbon Black Threat Hunter Team revealed that Daxin was operational on a compromised host in Taiwan in 2026, a system owned by a Taiwan-based subsidiary of a multinational high-tech manufacturer. This machine was also infected with Stupig, a backdoor designed to execute commands directly from the Windows logon screen using a trojanized keyboard layout DLL. The malware's compilation timestamps date back to early 2013, suggesting a long-standing, undetected presence.
Daxin's command-and-control mechanism is noteworthy for its ability to hijack legitimate TCP connections, making it hard to detect through conventional network monitoring. It supports multi-hop communications, reaching isolated network segments. While the exact method of compromise remains unclear, it is suspected to involve an outdated version of a single sign-on portal using an obsolete Java Development Kit. Stupig achieves persistence by masquerading as a keyboard-layout DLL, allowing command execution with SYSTEM privileges before user sign-in.
The discovery underscores the threat actor's capability to maintain stealthy persistence in targeted networks. Although no direct code links exist between Daxin and Stupig, their co-deployment and similar development characteristics suggest they may originate from the same threat actor. This situation highlights the need for vigilance and updated security measures to combat such advanced threats.


