Full Report
Four years after Symantec first uncovered Daxin, the most advanced malware we had seen from a China-linked actor, it has been found running inside a Taiwan manufacturing firm, deployed with a novel new backdoor.
Analysis Summary
# Tool/Technique: Backdoor.Daxin and Backdoor.Stupig
## Overview
This entry covers a pair of sophisticated malware families used by China-linked espionage actors. **Backdoor.Daxin** is an advanced kernel-mode rootkit known for hijacking legitimate network traffic for C2, while **Backdoor.Stupig** is a newly discovered backdoor that leverages a novel Trojanized keyboard-layout DLL technique to gain pre-authentication SYSTEM-level access.
## Technical Details
- **Type:** Malware family (Kernel-mode Rootkit and User-mode Backdoor)
- **Platform:** Windows
- **Capabilities:** Stealthy C2 communication, traffic hijacking, multi-hop proxying, pre-authentication command execution, and persistence.
- **First Seen:** 2013 (per compile timestamps); publicly exposed in 2022; resurfaced in May 2026.
## MITRE ATT&CK Mapping
- **TA0003 - Persistence**
- T1547.012 - Boot or Logon Autostart Execution: Device Driver
- T1546 - Event Triggered Execution (Keyboard Layout hijacking)
- **TA0004 - Privilege Escalation**
- T1068 - Exploitation for Privilege Escalation
- T1055 - Process Injection (via Winlogon)
- **TA0005 - Defense Evasion**
- T1014 - Rootkit
- T1140 - Deobfuscate/Decode Files or Information
- T1070.004 - Indicator Removal on Host: File Deletion
- **TA0011 - Command and Control**
- T1205 - Traffic Signaling (Connection Hijacking)
- T1090.003 - Proxy: Multi-hop Proxy
## Functionality
### Core Capabilities
- **Daxin (Network Stealth):** Does not initiate outbound connections. It monitors kernel-level TCP traffic for specific "trigger" patterns and hijacks existing legitimate sessions to tunnel encrypted C2 traffic.
- **Stupig (Access):** Functions as a Trojanized keyboard-layout DLL (`kbdus1.dll`). It is loaded by `winlogon.exe` and allows attackers to execute commands as **SYSTEM** directly from the logon screen.
- **Persistence:** Daxin operates as a signed kernel-mode driver (`srt64.sys`), while Stupig masquerades as a legitimate system library (`kbdus.dll`) to evade casual inspection.
### Advanced Features
- **Multi-hop Communications:** Daxin can relay commands through a chain of infected nodes, allowing operators to reach air-gapped or isolated internal segments.
- **Pre-Authentication Execution:** Stupig provides command execution and credential theft capabilities before any user signs in, bypassing standard logon audit events.
- **Traffic Hijacking:** Daxin’s ability to "piggyback" on legitimate traffic makes it nearly invisible to traditional network defense tools and firewalls.
## Indicators of Compromise
- **File Hashes:**
- **Daxin:** `49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530` (srt64.sys)
- **Stupig:** `5bb5cffda4647940919a185df37aab2aef71ca3010a6c1d05bdcc8bc8fb3af3f` (a.dll / kbdus1.dll)
- **File Names:**
- `%SystemRoot%\System32\drivers\srt64.sys`
- `%SystemRoot%\System32\kbdus1.dll`
- `a.dll`
- **Behavioral Indicators:**
- `winlogon.exe` loading non-standard keyboard layout DLLs.
- Presence of kernel-mode drivers with 2013 timestamps in modern environments.
- Anomalous CPU spikes in kernel-mode network processing without corresponding outbound traffic.
## Associated Threat Actors
- China-linked espionage groups (Specific attribution to a named group like APT27 or APT41 is often suggested but Broadcom refers to them as "China-linked actor").
## Detection Methods
- **Signature-based detection:** Scanning for the specific SHA256 hashes of the driver and DLL.
- **Behavioral detection:** Monitoring for the registration of new keyboard layouts in the registry and unexpected DLL loads by the Winlogon process.
- **Network Analysis:** Inspecting TCP packets for non-standard headers or anomalies in legitimate application traffic (Deep Packet Inspection).
## Mitigation Strategies
- **Patching:** Ensure all web-facing portals (e.g., Digiwin, Java environments) are updated; the 2026 breach leveraged JDK versions from 2009.
- **Driver Signing Policy:** Enforce strict Windows Driver Signature Enforcement (DSE) to prevent the loading of suspicious or revoked drivers.
- **Least Privilege:** Limit administrative rights to prevent the installation of kernel-mode drivers and system-level DLLs.
- **Audit:** Regularly audit the `%SystemRoot%\System32\` directory for unauthorized DLLs, specifically those mimicking legitimate keyboard layouts.
## Related Tools/Techniques
- **Rootkits:** Similar to other advanced Chinese kernels-mode backdoors like *Derusbi*.
- **Passive Backdoors:** Similar in concept to *Bvp47* or other "B-side" communication tools that wait for incoming triggers rather than calling home.