Daxin Returns: Stealthy Malware Resurfaces in Taiwan Alongside a New Backdoor
Backdoor.Daxin, a sophisticated China-linked kernel-mode rootkit first exposed in 2022, was discovered operating on a Taiwan manufacturing firm's network in 2026. The malware was found alongside Backdoor.Stupig, a previously unknown backdoor that uses a novel technique involving a Trojanized keyboard-layout DLL loaded by winlogon.exe, enabling command execution as System from the Windows logon screen without authentication. Both samples carry compile timestamps from early 2013, but the compromised host only began reporting telemetry in May 2026, suggesting a possible 13-year undetected intrusion. The victim was a Taiwan-based subsidiary of a multinational high-tech manufacturer. Daxin's defining characteristic is its ability to hijack legitimate TCP connections for command-and-control traffic, making it exceptionally difficult to detect through conventional network monitoring.
Indicators of Compromise
- hash: 49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530
- hash: 5bb5cffda4647940919a185df37aab2aef71ca3010a6c1d05bdcc8bc8fb3af3f
Daxin Returns: Stealthy Malware Resurfaces in Taiwan Alongside a New Backdoor
Description
Backdoor.Daxin, a sophisticated China-linked kernel-mode rootkit first exposed in 2022, was discovered operating on a Taiwan manufacturing firm's network in 2026. The malware was found alongside Backdoor.Stupig, a previously unknown backdoor that uses a novel technique involving a Trojanized keyboard-layout DLL loaded by winlogon.exe, enabling command execution as System from the Windows logon screen without authentication. Both samples carry compile timestamps from early 2013, but the compromised host only began reporting telemetry in May 2026, suggesting a possible 13-year undetected intrusion. The victim was a Taiwan-based subsidiary of a multinational high-tech manufacturer. Daxin's defining characteristic is its ability to hijack legitimate TCP connections for command-and-control traffic, making it exceptionally difficult to detect through conventional network monitoring.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://www.security.com/blog-post/daxin-returns-stupig"]
- Adversary
- null
- Pulse Id
- 6a5775d3b8fe983226594b7c
- Threat Score
- null
Indicators of Compromise
Hash
| Value | Description | Copy |
|---|---|---|
hash49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530 | — | |
hash5bb5cffda4647940919a185df37aab2aef71ca3010a6c1d05bdcc8bc8fb3af3f | — |
Threat ID: 6a58000568715ace438b1881
Added to database: 07/15/2026, 21:47:49 UTC
Last updated: 07/15/2026, 21:47:49 UTC
Views: 1
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.