BTC $71,807
2026 Bull Run Is Building Start trading with 5% OFF all fees
Sign Up Now
BTC $71,807
Bull Run 2026 | 5% Off Fees Open your Binance account today
Sign Up

Daxin malware resurfaces with Stupig backdoor in Taiwan attack

Dormant rootkit Daxin resurfaces with novel Stupig backdoor after 13 years undetected.

  • The Daxin kernel-mode rootkit, dormant for over four years, has resurfaced on a compromised host at a Taiwan-based manufacturing subsidiary alongside a new backdoor called Stupig.
  • Both malware artifacts carry compilation timestamps from early 2013, suggesting the attack may have gone undetected for 13 years.
  • Stupig uses a novel technique by registering as a keyboard-layout provider, enabling SYSTEM-level command execution from the Windows logon screen before any user signs in.

A sophisticated kernel-mode rootkit known as Daxin, first documented by Symantec in March 2022, has resurfaced after more than four years inside a Taiwan-based subsidiary of a multinational high-tech manufacturer. The same compromised machine also harbored a previously unreported backdoor called Stupig, according to findings from the Symantec and Carbon Black Threat Hunter Team.

- Advertisement -

Both artifacts carry a compilation timestamp from early 2013, although the machine did not begin reporting telemetry until May 12, 2026. “The malware also supported multi-hop communications through chains of infected hosts, allowing operators to reach systems on isolated network segments,” Broadcom noted.

Daxin avoids direct outbound connections by monitoring incoming TCP traffic for specific patterns and hijacking existing legitimate connections for encrypted command-and-control. Stupig achieves persistence by registering as a keyboard-layout provider, causing win32k.sys to load it into winlogon.exe at system startup.

“Stupig uses a technique not documented in any known malware family,” the cybersecurity arm of Broadcom said. A trojanized keyboard-layout DLL lets an attacker run commands as System directly from the Windows logon screen before anyone signs in.

The host may have been compromised through an outdated version of the Digiwin single sign-on portal using end-of-life Java Development Kit installations. The discovery shows the cyber espionage operation never completely stopped but instead maintained stealthy persistence in targeted networks.

- Advertisement -

Meanwhile, Hunt.io observed a suspected China-linked threat actor using Anthropic Claude Code and DeepSeek models to automate intrusions against government and financial systems. “Claude Code serves as the execution engine, managing agentic tool use, bash command execution, session persistence, and task parallelization,” the threat intelligence firm said.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

- Advertisement -
Ad
Altseason Is Loading. Don't watch from the sidelines.
SOL $90.51
DOGE $0.0963
LINK $9.02
SUI $1.00
5% off fees when you sign up
Start Trading
Ad
Pay Less on Every Trade. For Life.
$10K/mo volume Save $60/yr
$50K/mo volume Save $300/yr
$100K/mo volume Save $600/yr
5% off all trading fees when you sign up
Claim Your Discount

Latest News

Florida man arrested for crypto-stealing malware in video games

Federal agents arrested 21-year-old Zyaire Wilkins of North Lauderdale, Florida, accused of helping run...

US Senate unanimously opposes clemency for FTX’s Bankman-Fried

The US Senate unanimously adopted a nonbinding resolution opposing executive clemency for former FTX...

Zoom Patches Critical Account Takeover Flaw in Windows Clients

Zoom released a critical security update for a flaw (CVE-2026-53412, CVSS 9.8) that could...

BlackRock CEO Bullish on Bitcoin, Dismisses Leverage Fears

BlackRock CEO Larry Fink states he is not concerned about excessive leverage in Bitcoin...

Trump to meet senators on crypto market bill progress

President Donald Trump will meet with senators Thursday to discuss the CLARITY Act, the...

Must Read

Top 5 Testing Tools For Blockchain Applications in 2022

Blockchain apps have been adopted popularly by some prominent industries due to its being a decentralized-designed technology. Furthermore, these apps eliminate the risks that...
Ad
Altseason Is Loading. These 4 coins are trending right now.
SOL $92.12
DOGE $0.0950
LINK $9.02
SUI $1.02
5% off spot fees when you sign up
Start Trading