13-Year-Old China-Linked Malware Found Still Active on Manufacturer’s Network


Daxin: 13-Year-Old China-Linked Malware Found Still Active on Manufacturer’s Network

Pierluigi Paganini
July 18, 2026

Researchers found China’s Daxin rootkit and a new Stupig backdoor on a Taiwan firm’s network, suggesting a stealthy intrusion dating back to 2013.

Symantec’s Threat Hunter Team found Daxin running on a compromised host at a Taiwan-based subsidiary of a multinational high-tech manufacturer in 2026. Daxin is a Windows kernel-mode rootkit that Symantec first documented in March 2022, with evidence of use in targeted attacks against governments and critical infrastructure dating back to 2013.

“Backdoor.Daxin, the China-linked kernel-mode rootkit that Symantec first uncovered and exposed in 2022, is still operational.” reads the report published by Symantec. “It was found running on a compromised host in Taiwan in 2026, more than four years after it was first uncovered.”

The same machine also carried a previously unreported backdoor, which the researchers are tracking as Stupig. Both artifacts carry compilation timestamps from early 2013. Telemetry from the machine only started appearing on May 12, 2026. The implication is that this intrusion may have gone undetected for thirteen years.

Neither of these is a new tool in the sense that they were recently written. What’s new is that they’re still in use, still operational, and apparently were never removed from at least this one network. Thirteen years is a long time to be inside someone’s infrastructure without anyone noticing.

Daxin is implemented as a Windows kernel driver, a rare choice for malware authors. The malware implements advanced communication capabilities that allow the attackers to communicate with infected computers on highly secured networks, where direct internet connectivity is not available.

The malware can hide its traffic in normal network traffic on the target’s network and abuse legitimate services already running on the infected computers.

Daxin doesn’t reach out to attacker-controlled servers the way most malware does. Instead, it monitors incoming TCP traffic on the host for specific patterns and hijacks existing legitimate connections to run its encrypted communications, blending in with traffic that’s already there.

“Rather than establishing its own outbound connections, the driver monitors incoming TCP traffic for specific patterns and hijacks existing legitimate connections to carry encrypted command-and-control (C&C) traffic.” states Symantec. “This made Daxin exceptionally difficult to identify with conventional network monitoring. “

That multi-hop capability is significant: it means the operator can reach machines that have no direct internet connection by routing commands through a chain of compromised machines that do. Standard network monitoring looking for outbound connections to suspicious destinations would find nothing.

Stupig disguises itself as kbdus1.dll, mimicking the legitimate kbdus.dll file that Windows uses for the U.S. English keyboard layout. It registers itself as a keyboard-layout provider, which causes win32k.sys to load it into winlogon.exe at system startup.

“Backdoor.Stupig is a DLL backdoor that achieves persistence by registering as a keyboard-layout provider, causing win32k.sys to load it into winlogon.exe at system startup.” the Symantec team explains. “The DLL returns a valid KBDTABLES pointer so the keyboard layout functions normally, giving nothing away to any process or administrator inspecting the loaded module.”

The keyboard works perfectly. Nothing looks wrong. The backdoor is just sitting there, loaded into the Windows login process.

Once it’s running inside winlogon.exe, Stupig watches the Windows login screen for usernames that begin with the string “stupig.” Whatever follows that prefix is treated as a command and executed with SYSTEM privileges, which is the highest level of access on a Windows machine. If someone types the prefix with nothing after it, the backdoor opens a command prompt with SYSTEM privileges directly on the login screen, before any user has authenticated.

“Stupig uses a technique not documented in any known malware family. A Trojanized keyboard-layout DLL loaded by winlogon.exe lets an attacker run commands as System directly from the Windows logon screen, before anyone signs in and without raising a logon audit event.” continues the report.

No login event is logged. No audit trail. A defender monitoring authentication logs would see nothing.

The experts still have to discover how the host was originally compromised. The most likely entry point, based on what was found, is an outdated version of the Digiwin single sign-on portal that was running end-of-life Java Development Kit versions 1.5 and 1.6, software from 2009 to 2011. That’s a significant attack surface left exposed on a network belonging to a subsidiary of a multinational manufacturer.

Symantec hasn’t found code-level overlap between Daxin and Stupig, so there’s no technical proof they came from the same development team. What connects them is deployment on the same host, complementary functions, similar development practices, and identical 2013 compile timestamps. One tool handles deep network persistence and covert communications. The other provides pre-authentication SYSTEM access through a mechanism most security teams aren’t monitoring.

“If linked to the same actor, the Stupig backdoor adds a further capability.” concludes the report. “By hiding inside the Windows logon process and registering as a keyboard-layout provider, Stupig gives operators SYSTEM-level command execution and credential theft before a user signs in, an access method most defenders are not aware of nor watching for. Whether the same operators deployed both tools cannot be confirmed, but their functions are complementary.”

The practical upshot for defenders is to add keyboard-layout DLL loading to the list of things worth monitoring, particularly anything being loaded into winlogon.exe at startup that wasn’t there before. The Windows login process is not a place most security teams look for malicious activity, which is precisely why this works.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Daxin rootkit)







Source link

Leave a Reply

Subscribe to Our Newsletter

Get our latest articles delivered straight to your inbox. No spam, we promise.

Recent Reviews


There’s a special kind of panic that hits at 11 p.m. on a Tuesday when you Google “can someone sue me personally for my freelance business” and the answer is, technically, yes. I know this because I lived it. For fourteen months, I ran a growing consulting side hustle- invoices, contracts, the whole act- under exactly zero legal structure. I didn’t choose to be a sole proprietor. I just never chose to be anything else, which, it turns out, is the same thing.

The wake-up call came from a client’s offhand comment about “your LLC,” followed by my very convincing silence. That night I fell into a research hole so deep I emerged the next morning having read seventeen tabs on liability shields, self-employment tax, and something called “piercing the corporate veil” that sounded like a phrase from a divorce lawyer’s memoir. So: is a sole proprietorship secretly a ticking time bomb? Is an LLC the adult, responsible choice, or just expensive paperwork with better branding? Let’s actually work through it.

What Is a Sole Proprietorship, Really?

Here’s the part nobody tells you clearly: if you’re earning money from your own business activity and haven’t filed anything with your state, you’re already a sole proprietor. There’s no form to submit, no fee to pay, no ceremony. You and the business are, legally, the same person. That’s the whole structure.

The upside is real. It’s the fastest, cheapest way to start working for yourself — no filing fee, no separate tax return, no annual report to remember. You just start invoicing. The downside is baked into that same simplicity: there’s no legal wall between your business and your personal life. If the business owes money or gets sued, the business is you, so your savings account, your car, and potentially your house are all fair game.

What Does an LLC Actually Protect You From?

A Limited Liability Company creates a separate legal entity- one that can own things, owe things, and get sued, largely independent of you personally. That separation is the entire point of forming one.

It’s worth being honest about the limits, too. An LLC won’t protect you if you personally guarantee a business loan, if you commingle business and personal funds, or if you’re personally negligent — say, you’re a contractor and you cause an injury through your own carelessness. Courts can “pierce the corporate veil” and go after your personal assets anyway if you treat the LLC as a legal fiction rather than a real, separately run entity. The protection is genuine, but it’s not a force field; it’s a structure you have to maintain.

Which One Actually Costs More to Start?

This is where a lot of the fear around LLCs turns out to be overblown, and a lot of the assumed simplicity of sole proprietorships turns out to be incomplete.

Sole Proprietorship LLC
Setup paperwork None required (unless operating under a different name) Articles of Organization filed with your state
State filing fee $0 $35–$500 depending on state (national average is roughly $130)
Ongoing state fees Typically none Many states require an annual report; fees range from $0 to $800+ (California’s franchise tax is the notable outlier)
Separate business bank account Optional Strongly recommended to preserve liability protection
EIN required Only if hiring employees Recommended even for single-member LLCs, to avoid using your SSN

A sole proprietorship is still the cheaper entry point in dollar terms. But “cheaper to start” and “cheaper overall” aren’t the same question — it depends what a lawsuit, a bad debt, or a messy tax season would actually cost you.

How Do Taxes Actually Differ?

This is the part I got wrong for months, assuming an LLC meant a whole new tax regime. It doesn’t, automatically. By default, both a sole proprietorship and a single-member LLC are taxed identically: profits and losses pass through to your personal tax return, and you pay self-employment tax (15.3%, covering Social Security and Medicare) on your net earnings.

The actual tax advantage of an LLC isn’t automatic — it’s optional. A single-member LLC can elect to be taxed as an S-corporation once profits reach a meaningful level, which can reduce self-employment tax by letting you pay yourself a “reasonable salary” and take remaining profit as a distribution not subject to that 15.3%.

That election involves added complexity — payroll processing, additional filings — so it’s rarely worth it for a business bringing in a few thousand dollars a year. It becomes worth asking about once net profit is consistently well into five figures.

Does an LLC Actually Make You Look More Credible?

Here’s a question I didn’t expect to matter as much as it did: does “LLC” after your business name change how people treat you? Anecdotally, yes. Some clients, vendors, and lenders treat an LLC as a signal of seriousness — rightly or not — the way a business bank account or a proper invoice template does. It’s not a guarantee of better contracts, but it removes a small, avoidable hesitation from a prospective client’s mind.

It also matters for banking and financing. Business lenders and some payment processors are more comfortable extending credit to a registered entity with its own EIN and bank account than to an individual operating under their own name.

Do You Still Have to Report “Beneficial Ownership” in 2026?

If you researched this a year or two ago, you may still be carrying around outdated fear about the Corporate Transparency Act’s beneficial ownership information (BOI) reporting rule — the one that threatened steep penalties for LLC owners who didn’t file. Here’s the current state of play: in March 2025, FinCEN issued an interim final rule that removed the BOI reporting requirement for domestic U.S. companies and U.S. persons entirely. As of today, that requirement applies only to foreign entities registered to do business in the U.S. — not to a typical American-owned single-member LLC.

That said, the underlying law hasn’t been repealed, courts have upheld its constitutionality, and FinCEN’s final rule is still pending in 2026, meaning the rule could tighten again with limited notice. A small number of states have also introduced their own versions; New York’s LLC Transparency Act took effect January 1, 2026, but after a late amendment, it applies only to foreign LLCs doing business in New York, not typical in-state LLCs. The short version for most small business owners forming a domestic LLC in their home state: this isn’t currently a filing you need to worry about, but it’s worth a five-minute check-in with a professional if your situation involves foreign ownership or multiple states.

So, Which One Should You Actually Choose?

There isn’t a universally correct answer, but there is a useful set of questions. How much personal risk does your work actually carry — a freelance copywriter has a different exposure profile than someone renovating properties or handling clients’ money. How much profit are you actually generating, since that determines whether the tax flexibility of an LLC is relevant yet. And how much administrative overhead are you willing to take on, since an LLC does require you to actually treat it like a separate entity — separate bank account, its own paperwork, its own discipline.

If you’re testing an idea with minimal financial exposure and low risk of being sued, operating as a sole proprietor while you validate the business is a completely reasonable starting point- you can always convert to an LLC later, and most people do exactly that. If you’re already generating consistent revenue, working with clients under contracts, or doing anything with meaningful liability exposure, the cost of forming an LLC is generally small next to what it protects.

I eventually filed mine on a Wednesday afternoon, paid my state’s filing fee, and felt almost anticlimactic about how undramatic the process actually was compared to the spiral that preceded it. If you’re standing where I was, at least you can skip the 11 p.m. panic-Googling, you already know what the seventeen tabs would have told you.



Source link