Close Menu
    What's Hot

    The dangers of investor fatalism

    Today on Sky Sports Racing: Arapaho Gold chases Newbury hat-trick with Wolverhampton also live on Friday | Racing News

    Cyclospora Linked to Taylor Farms Lettuce Sent to Taco Bell

    Facebook X (Twitter) Instagram
    Trending
    • The dangers of investor fatalism
    • Today on Sky Sports Racing: Arapaho Gold chases Newbury hat-trick with Wolverhampton also live on Friday | Racing News
    • Cyclospora Linked to Taylor Farms Lettuce Sent to Taco Bell
    • China rebukes UK over nationalisation of British Steel | News
    • How Andy Burnham Becomes Britain’s New Prime Minister
    • He Was a Russian Political Survivor, Until the Masked Men Appeared
    • Do Face Masks Help With Wildfire Smoke? Yes, But More Is Needed
    • Investors say BoE should slow or stop long-dated bond sales
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Daxin Resurfaces in Taiwan Alongside Stupig Pre-Login SYSTEM Backdoor

    adminBy adminJuly 17, 2026No Comments4 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Daxin Resurfaces in Taiwan Alongside Stupig Pre-Login SYSTEM Backdoor
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Daxin Resurfaces in Taiwan Alongside Stupig Pre-Login SYSTEM Backdoor

    An advanced malware previously attributed to a China-linked threat actor has resurfaced after more than four years within a Taiwan manufacturing firm, along with a previously unreported backdoor dubbed Stupig.

    Daxin (“srt64.sys”), as the kernel-mode rootkit is referred to, was first documented by Broadcom-owned Symantec in March 2022, with evidence indicating its use in targeted attacks aimed at governments and other critical infrastructure targets since 2013.

    The latest findings from the Symantec and Carbon Black Threat Hunter Team show that Daxin is still operational, after it was found running on a compromised host in Taiwan in 2026. The same machine, belonging to a Taiwan-based subsidiary of a multinational high-tech manufacturer, is also said to have been infected with Stupig (“a.dll” or “kbdus1.dll”). The file name is an attempt to masquerade as “kbdus.dll,” a legitimate Microsoft DLL associated with the U.S. English keyboard layout.

    “Stupig uses a technique not documented in any known malware family,” the cybersecurity arm of Broadcom said. “A trojanized keyboard-layout DLL loaded by ‘winlogon.exe’ lets an attacker run commands as System directly from the Windows logon screen, before anyone signs in and without raising a logon audit event.”

    What makes the intrusion stand out is that both the artifacts carry a compilation timestamp from early 2013, although the compromised machine did not begin reporting telemetry until May 12, 2026. Given the threat actor’s ability to stay undetected for extended periods of time, it’s suspected that the attack may have gone unnoticed for 13 years.

    Cybersecurity

    No code-level overlaps have been identified between Daxin and Stupig, although their co-deployment on the same host, coupled with complementary functions, similarities in development practices, and the 2013 compile timestamps, suggest that they may have been the work of the same threat actor.

    Daxin has an unusual approach to command-and-control. Rather than directly establishing outbound connections with attacker-controlled infrastructure, the Windows kernel-mode driver backdoor monitors incoming TCP traffic for specific patterns and hijacks existing legitimate connections for encrypted C2 communications so as to blend in with regular activity. It’s equipped to interact with machines that are physically disconnected from the internet.

    “This made Daxin exceptionally difficult to identify with conventional network monitoring,” Broadcom noted. “The malware also supported multi-hop communications through chains of infected hosts, allowing operators to reach systems on isolated network segments.”

    Exactly how and when the host was compromised remains unknown, but it’s suspected to be an outdated version of the Digiwin single sign-on (SSO) portal that was using end-of-life Java Development Kit (JDK) 1.5 and 1.6 installations going back to 2009 to 2011.

    “Stupig is a DLL backdoor that achieves persistence by registering as a keyboard-layout provider, causing win32k.sys to load it into winlogon.exe at system startup,” the threat hunter team explained. “The DLL returns a valid KBDTABLES pointer so the keyboard layout functions normally, giving nothing away to any process or administrator inspecting the loaded module.”

    Once it starts running inside “winlogon.exe,” it keeps an eye out for usernames beginning with the string “stupig” in the Windows logon screen. When the username is entered, any string that follows the prefix is interpreted as a command and executed with SYSTEM privileges. If no command is entered after the prefix, it spawns a command prompt session as SYSTEM on the logon screen.

    The discovery of Daxin in 2026 shows that the cyber espionage operation never completely stopped. Rather, it went quiet, maintaining stealthy persistence in targeted networks.

    Cybersecurity

    “By hiding inside the Windows logon process and registering as a keyboard-layout provider, Stupig gives operators SYSTEM-level command execution and credential theft before a user signs in, an access method most defenders are not aware of nor watching for,” Symantec and Carbon Black said. “Whether the same operators deployed both tools cannot be confirmed, but their functions are complementary.”

    The disclosure comes as Hunt.io said it observed a suspected China-linked threat actor using Anthropic Claude Code and DeepSeek models to automate intrusions against government and financial systems in Afghanistan, Thailand, Taiwan, and the U.S. The discovery is based on an open directory (“112.213.124[.]132”) that has been found to share identical HTTP header fingerprints with known TencShell command-and-control (C2) infrastructure.

    “They handled reasoning for bypass techniques, reworked exploits after failed attempts, and built the phishing pages used to harvest credentials,” the threat intelligence firm said.

    “Claude Code serves as the execution engine, managing agentic tool use, bash command execution, session persistence, and task parallelization. DeepSeek-v4-pro operates as the underlying reasoning model, handling attack logic, script generation, and decision-making. In short, offensive logic is routed through a Chinese domestic LLM while leveraging Anthropic’s agentic execution infrastructure.”

    Backdoor Daxin PreLogin resurfaces Stupig system Taiwan
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous Article21 leaders on making cross-functional collaboration work
    Next Article New Prime Minister Faces Old Problems: How to Make Britain’s Economy Grow
    admin
    • Website

    Related Posts

    New Agent Data Injection Attack Can Make AI Agents Misclick or Run Attacker Commands

    July 17, 2026

    20+ Hijacked Government Websites Became
an Attack Channel

    July 16, 2026

    New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password

    July 16, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    The dangers of investor fatalism

    Today on Sky Sports Racing: Arapaho Gold chases Newbury hat-trick with Wolverhampton also live on Friday | Racing News

    Cyclospora Linked to Taylor Farms Lettuce Sent to Taco Bell

    China rebukes UK over nationalisation of British Steel | News

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by