Published on July 16, 2026

China-Linked Daxin Malware Resurfaces in Taiwan Alongside New Stupig Pre-Login SYSTEM Backdoor


Severity
Medium

Detail

Security researchers have identified the re-emergence of Daxin, a sophisticated China-linked kernel-mode rootkit, alongside a newly discovered Windows backdoor named Stupig within the network of a Taiwan-based subsidiary of a multinational high-tech manufacturing company.

Daxin was first publicly documented in 2022 but has been associated with cyber espionage campaigns targeting governments and critical infrastructure since 2013. The latest discovery indicates that the malware remains active and capable of maintaining long-term persistence within compromised environments.

Researchers also uncovered Stupig, a previously undocumented DLL backdoor that allows attackers to execute commands with SYSTEM privileges directly from the Windows logon screen before any user authentication occurs. This technique enables attackers to maintain stealthy access while bypassing many traditional security monitoring mechanisms.

Although no direct code similarities were identified between Daxin and Stupig, their deployment on the same compromised host, similar development characteristics, and identical 2013 compilation timestamps suggest they may have been developed by the same threat actor.

How?

The initial compromise is believed to have originated from an outdated Digiwin Single Sign-On (SSO) portal running unsupported Java Development Kit (JDK) versions, although the exact infection method remains unconfirmed.

After compromising the system, the attackers deployed multiple malware components with complementary capabilities:

  • Daxin installs as a Windows kernel-mode rootkit and monitors legitimate TCP network traffic for specific communication patterns.
  • Instead of creating new outbound connections, Daxin hijacks existing legitimate network sessions to establish encrypted command-and-control (C2) communications, making detection significantly more difficult.
  • Daxin also supports multi-hop communications, allowing attackers to access systems located within isolated or segmented networks.
  • Stupig achieves persistence by registering itself as a malicious keyboard-layout DLL, causing Windows to load it into the winlogon.exe process during system startup.
  • At the Windows logon screen, Stupig monitors for usernames beginning with the prefix “stupig”. Any text entered after the prefix is interpreted as a command and executed with SYSTEM privileges before user authentication.
  • If no command is provided, Stupig launches a SYSTEM-level command prompt directly from the logon screen, enabling attackers to perform privileged operations or steal credentials without requiring a user to sign in.

The combination of stealthy persistence, pre-authentication execution, and covert command-and-control communications enables attackers to maintain long-term unauthorized access while avoiding conventional detection methods.

Recommendations

Organizations should:

  • Ensure all internet-facing applications, including Single Sign-On (SSO) services, are fully patched and supported.
  • Remove unsupported software versions, particularly end-of-life Java Development Kit (JDK) installations.
  • Monitor systems for unauthorized keyboard-layout DLL registrations and unusual modules loaded by winlogon.exe.
  • Inspect Windows startup processes for unknown or suspicious DLLs masquerading as legitimate Microsoft files.
  • Implement Endpoint Detection and Response (EDR) solutions capable of detecting kernel-level threats and rootkits.
  • Monitor network traffic for anomalous encrypted communications and lateral movement across segmented networks.
  • Regularly review privileged account activity and Windows logon events for signs of unauthorized access.

Conduct threat hunting activities to identify indicators associated with Daxin and Stupig and isolate affected systems immediately if detected.

Source
https://thehackernews.com/2026/07/daxin-resurfaces-in-taiwan-alongside.html