Full Report
An advanced malware previously attributed to a China-linked threat actor has resurfaced after more than four years within a Taiwan manufacturing firm, along with a previously unreported backdoor dubbed Stupig. Daxin ("srt64.sys"), as the kernel-mode rootkit is referred to, was first documented by Broadcom-owned Symantec in March 2022, with evidence indicating its use in targeted attacks aimed
Analysis Summary
# Threat Actor: China-linked Actor (Daxin/Stupig Operator)
## Attribution & Identity
* **Identification:** A China-linked threat actor.
* **Aliases:** None specifically named in the text, though the activity is tied to the "Daxin" malware family.
* **Known Associations:** Linked to targeted attacks documented by Symantec since 2013.
## Activity Summary
The actor has resurfaced in 2026 after remaining undetected for potentially 13 years. The recent campaign involved the compromise of a Taiwan-based manufacturing firm using the Daxin rootkit alongside a newly discovered backdoor named Stupig. The tools involved carry compilation timestamps from 2013, suggesting a long-standing, persistent espionage engagement that remained operational despite being publicly documented in 2022.
## Tactics, Techniques & Procedures
* **Persistence via Keyboard Layout:** Registers as a keyboard-layout provider to have `win32k.sys` load the backdoor into `winlogon.exe` at system startup.
* **Pre-Login Execution:** Executes commands with SYSTEM privileges directly from the Windows logon screen before user authentication.
* **Stealth Login Bypass:** Monitors the username field for a specific string ("stupig"); entering this prefix triggers the malware to execute subsequent strings as commands or spawn a SYSTEM shell.
* **Traffic Hijacking:** Monitors incoming TCP traffic for specific patterns and hijacks existing legitimate connections for C2, bypassing outbound firewall rules.
* **Multi-hop Communications:** Supports daisy-chaining infected hosts to reach isolated or air-gapped network segments.
* **Defense Evasion:** Uses kernel-mode rootkits (`srt64.sys`) to hide presence and masquerades as legitimate Microsoft DLLs (e.g., naming a file `kbdus1.dll` to mimic `kbdus.dll`).
* **Vulnerability Exploitation:** Suspected exploitation of outdated software, specifically the Digiwin SSO portal running end-of-life JDK 1.5/1.6.
**MITRE ATT&CK IDs (Inferred):**
* T1014 (Rootkit)
* T1547.012 (Boot or Logon Autostart Execution: Device Driver and Registry Organization)
* T1134 (Access Token Manipulation)
* T1021.002 (Remote Services: SMB/Windows Admin Shares)
* T1573 (Encrypted Channel)
## Targeting
* **Sectors:** Manufacturing (High-tech), Government, Critical Infrastructure, Financial Systems.
* **Geography:** Taiwan, Afghanistan, Thailand.
* **Victims:** A Taiwan-based subsidiary of a multinational high-tech manufacturer; unidentified government and financial entities.
## Tools & Infrastructure
* **Daxin ("srt64.sys"):** An advanced kernel-mode rootkit/backdoor used for stealthy long-term access.
* **Stupig ("a.dll" / "kbdus1.dll"):** A trojanized keyboard-layout DLL that provides SYSTEM-level access at the logon screen.
* **Infrastructure:** Uses hijacked legitimate TCP connections rather than dedicated C2 domains.
* **Generative AI:** Recent reports indicate the use of **Anthropic Claude Code** and **DeepSeek** models to automate intrusions.
## Implications
The actor demonstrates extreme patience and technical sophistication, capable of maintaining persistence for over a decade within a single target. The ability to execute commands at the `winlogon` stage—bypassing audit events and user authentication—presents a significant challenge for traditional Security Operations Centers (SOCs). The actor's shift toward incorporating AI tools like DeepSeek suggests a transition toward more automated and accelerated attack lifecycles.
## Mitigations
* **Registry Monitoring:** Monitor for unauthorized changes to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts` or any unexpected DLLs registered as keyboard providers.
* **Process Auditing:** Closely monitor the `winlogon.exe` process for anomalous modules or child processes (like `cmd.exe`) spawning before a user has successfully authenticated.
* **Legacy Software Retirement:** Decommission or isolate systems running end-of-life Java Development Kits (JDK 1.5/1.6) and outdated web portals (e.g., Digiwin SSO).
* **Network Behavior Analysis:** Look for unusual TCP traffic patterns that deviate from standard application protocols, which may indicate Daxin's connection hijacking.
* **Rootkit Detection:** Employ advanced EDR solutions capable of detecting kernel-mode driver loading and integrity violations.