A sophisticated kernel-mode rootkit, Daxin, has resurfaced in Taiwan, co-deployed with a newly identified backdoor named Stupig, both bearing 2013 compilation timestamps. This discovery, made by Symantec and the Carbon Black Threat Hunter Team, points to a long-running, likely state-backed espionage campaign targeting high-tech manufacturers, potentially operating undetected for over a decade by using an undocumented pre-login SYSTEM access technique. This is a severe incident.
What Happened
The primary security event for July 16, 2026, is the reappearance of the advanced Daxin malware, previously linked to a China-backed threat actor, in Taiwan after more than four years of silence. This time, Symantec and Carbon Black Threat Hunter Team found it alongside a previously undocumented backdoor dubbed Stupig. Both malware components shared similar 2013 compilation timestamps, strongly indicating a coordinated, long-term operation.
Stupig is particularly notable for its stealthy method of achieving SYSTEM-level access directly from the Windows logon screen without triggering standard logon audit events. It maintains persistence by registering itself as a keyboard-layout provider, forcing win32k.sys to load it into winlogon.exe at system startup, as detailed by Symantec. The backdoor monitors the logon screen for the specific username "stupig"; if detected, any subsequent string is executed with SYSTEM privileges on the secure desktop. If no command follows, it simply spawns a SYSTEM command prompt. Stupig also hooks SspiCli!LsaLogonUser and Advapi32!CredUnprotectA within winlogon.exe to intercept credentials.
Daxin, identified as srt64.sys, is a Windows kernel-mode rootkit first publicly documented in March 2022 by Symantec. It employs an unusual command-and-control (C2) mechanism, monitoring incoming TCP traffic for specific patterns and hijacking existing legitimate connections for encrypted communications. This allows Daxin to evade detection by blending with normal network activity, avoiding the need to start its own network services. Its relaying capability means it can even interact with machines physically disconnected from the internet.
Why It Matters
The co-deployment of Daxin and Stupig on a single compromised host highlights a highly sophisticated and deeply entrenched espionage operation. The target, a Taiwan-based subsidiary of a multinational high-tech manufacturer, holds strategic value to China, underscoring the political motivations behind this long-running campaign, as reported by The Hacker News. The 2013 compilation timestamps, coupled with the recent discovery, suggest the intrusion may have gone unnoticed for as long as 13 years, demonstrating extreme operational stealth.
Stupig's unique capabilities to gain SYSTEM-level access pre-login without audit logs, combined with Daxin's evasive C2, present a significant challenge for defenders. EDR and SIEM solutions might struggle to flag these activities, especially if auditing isn't configured for deep process monitoring or if network traffic isn't inspected at a granular level. The ability to intercept credentials within winlogon.exe on the secure desktop effectively bypasses many standard endpoint protections and authentication monitoring. This deeply embedded, patient, and persistent threat extends beyond a typical targeted attack.
Affected Scope & Remediation
Organizations, especially those in high-tech manufacturing with strategic ties to geopolitical rivals, should assume they are potential targets for similar persistent threats. While there's no specific CVE or patch for this malware, remediation focuses on detection, hardening, and threat hunting. The suspected initial access vector—an outdated Digiwin single sign-on portal using legacy Java Development Kit versions 1.5 and 1.6—emphasizes that vulnerability management and patching, even for systems perceived as "internal," are critical.
Defenders must proactively inspect unexpected keyboard-layout DLL registrations in HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts and validate all modules loaded by winlogon.exe. This is a critical control point. Investigate failed logons or unusual activity using "stupig"-prefixed names, as this indicates an attacker probing the backdoor. For network monitoring, employ deep packet inspection and netflow analysis to identify unusual TCP traffic patterns or hijacked legitimate connections, even those appearing to be standard protocols. EDR solutions like CrowdStrike Falcon can identify anomalous process activity, API hooks, and suspicious module loads that indicate Stupig or Daxin presence.
| Indicator Type | Description | Detection Strategy |
|---|---|---|
| Stupig Persistence | Unexpected keyboard-layout DLL registrations in HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts or HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\Preload. |
Audit winlogon.exe loaded modules for unusual entries; registry monitoring for changes in these keys; EDR alerts for process injection into winlogon.exe or win32k.sys. |
| Stupig Credential Exfiltration | Hooks on SspiCli!LsaLogonUser and Advapi32!CredUnprotectA within winlogon.exe. |
Memory analysis for unusual API hooks in critical system processes; EDR behavioral rules for credential access attempts. |
| Daxin C2 Communication | Monitoring incoming TCP traffic for specific patterns and hijacking existing legitimate connections for encrypted C2. Avoids starting new network services. | Deep Packet Inspection (DPI) for unusual C2 patterns or payload sizes within legitimate-looking traffic; NetFlow analysis for unusual session durations or data volumes. |
| Stupig SYSTEM Command Prompt | Spawning of cmd.exe or other processes with SYSTEM privileges from winlogon.exe on the secure desktop/logon screen, especially after inputting "stupig" as a username. |
Logon screen activity monitoring; EDR detection of unusual process spawns from winlogon.exe; correlation with Security Event Log ID 4624 (successful logon) not occurring. |
| Initial Access Vector | Presence of outdated public-facing applications, specifically Digiwin SSO portal using Java Development Kit (JDK) versions 1.5 or 1.6. | Regular external vulnerability scanning; asset inventory management to identify legacy applications and unsupported software; patch legacy systems or isolate them. |


Technical Breakdown
Stupig operates as a pre-login backdoor, a rare and potent form of persistence. Its primary trick is using the legitimate Windows mechanism for keyboard layout providers. By registering itself as a DLL in the Keyboard Layouts registry hive, it ensures that win32k.sys loads it into winlogon.exe early in the boot process. This execution context grants it SYSTEM privileges before any user even authenticates. This is like a master key hidden in plain sight, disguised as a normal part of the door's mechanism.
Once loaded, Stupig monitors input on the secure desktop logon screen. If it detects a username starting with "stupig," it treats the subsequent input as a command to be executed, effectively giving attackers SYSTEM-level remote command execution at will. This is a very specific, undocumented trigger. Additionally, the backdoor strategically hooks SspiCli!LsaLogonUser and Advapi32!CredUnprotectA within winlogon.exe. This allows it to silently intercept credentials entered during legitimate logon attempts, enabling further lateral movement or data exfiltration.
Daxin (srt64.sys) is a kernel-mode rootkit, making it extremely difficult to detect and remove. Its command and control (C2) mechanism is a masterclass in stealth. Instead of initiating its own network connections or listening on unusual ports, Daxin monitors all incoming TCP traffic for specific, encrypted patterns. Once it identifies C2 traffic, it hijacks an existing, legitimate TCP connection to relay commands and exfiltrate data. This ensures Daxin traffic blends with regular network activity, bypassing many network-based detection systems that look for new connections or anomalous port usage. The kernel-mode context allows it to operate with absolute privilege, hiding its presence and network activity from user-mode monitoring tools.
This combined attack maps to several MITRE ATT&CK techniques:
- T1547 Boot or Logon Autostart Execution: Stupig's persistence mechanism via keyboard layout providers ensures it's loaded by
winlogon.exeat system startup. - T1003 OS Credential Dumping: Stupig's hooking of
SspiCli!LsaLogonUserandAdvapi32!CredUnprotectAallows it to intercept credentials directly fromwinlogon.exe. - T1071 Application Layer Protocol: Daxin's C2 mechanism, which hijacks existing legitimate TCP connections to blend with normal application-layer traffic.
From a NIST SP 800-53 perspective, this operation highlights weaknesses in AU-6 Audit Record Review Analysis and Reporting due to Stupig's ability to operate without triggering standard logon audit events. It also underscores challenges in SI-4 System Monitoring given both Stupig's low-level hooks and Daxin's evasive C2.
Historical Context
The long-running, state-sponsored espionage campaign using Daxin and Stupig shares similarities with the APT1 report released by Mandiant in 2013. This report detailed years of persistent cyber espionage by a China-backed group targeting a wide range of industries in the West. Like the current Daxin/Stupig campaign, APT1 demonstrated extreme patience, sophisticated custom malware, and a clear strategic objective of intellectual property theft and geopolitical intelligence gathering. Both scenarios involve threat actors deeply embedding themselves into target networks for extended periods.
The level of stealth and the specific techniques employed differ, however. While APT1 relied on custom backdoors and spear-phishing, the Daxin/Stupig duo pushes the envelope with kernel-mode rootkit capabilities and an unprecedented pre-login SYSTEM backdoor. The 13-year potential dwell time for Daxin/Stupig, contrasted with the multi-year campaigns documented in the APT1 report, shows an evolution in persistence and evasion tactics. The undocumented winlogon.exe access technique used by Stupig represents a significant leap in maintaining stealth from an early execution stage, suggesting continuous innovation from the threat actor.
Data at a Glance
| Metric | Value | Source |
|---|---|---|
| Earliest Malware Compilation | 2013 | Symantec |
| Estimated Undetected Period | 13 years | Symantec |
| Malware Variants Discovered | 2 | The Hacker News |
| Daxin Public Documentation | March 2022 | Symantec |
| Primary Target Location | Taiwan | The Hacker News |
| Threat Actor Attribution | China-backed | Symantec |
The CVEDaily Take
This campaign is a sobering reminder that state-sponsored actors will invest years into developing and deploying highly specialized, low-level malware to achieve their objectives. The fact that Daxin has been lurking for over a decade, paired with the stealthy Stupig, should trigger deep introspection into current threat hunting and incident response capabilities, especially in high-value sectors. We believe the lack of standard audit events for Stupig's SYSTEM access pre-login could mean many organizations are already compromised and don't know it.
How regularly is your team auditing low-level system components like winlogon.exe loaded modules and keyboard layout registrations?
FAQ
Q: What makes Stupig so stealthy in gaining SYSTEM access?
A: Stupig achieves SYSTEM-level access directly from the Windows logon screen by registering itself as a legitimate keyboard-layout provider. This causes win32k.sys to load its DLL into winlogon.exe at system startup, granting it SYSTEM privileges before any user logs on and without generating standard logon audit events.
Q: How does Daxin's C2 mechanism evade detection?
A: Daxin's C2 is stealthy because it doesn't create new network services or listen on unusual ports. Instead, it monitors all incoming TCP traffic for specific, encrypted patterns and then hijacks existing, legitimate TCP connections to conduct its command-and-control communications. This allows its traffic to blend in with normal network activity, making it harder for firewalls and intrusion detection systems to identify.
Q: What are the immediate steps organizations can take to detect or mitigate this threat?
A: Organizations should immediately audit registry keys related to keyboard-layout DLL registrations (e.g., HKLM\SYSTEM\CurrentControlSet\Control\Keyboard Layouts), scrutinize modules loaded by winlogon.exe for unusual entries, and perform deep packet inspection to identify anomalous TCP traffic patterns. Patch all public-facing applications, especially legacy systems running outdated software like old Java Development Kits, to close potential initial access vectors.