Daxin Malware Resurfaces in Taiwan with New Stupig Backdoor

The sophisticated malware known as Daxin has reemerged within a Taiwanese manufacturing firm, accompanied by a previously unidentified backdoor named Stupig. This discovery underscores the persistent and evolving nature of cyber threats linked to state-sponsored actors.

Daxin, a kernel-mode rootkit, was first documented in March 2022, with evidence of its use in targeted attacks dating back to 2013. The malware is notable for its stealthy command-and-control (C2) capabilities, allowing it to hijack legitimate TCP connections and communicate covertly. This method enables Daxin to blend seamlessly into normal network traffic, making detection exceedingly difficult. Additionally, Daxin supports multi-hop communications, facilitating access to isolated network segments.

In May 2026, security researchers identified Daxin operating on a compromised host within a Taiwan-based subsidiary of a multinational high-tech manufacturer. Alongside Daxin, they discovered Stupig, a backdoor employing a novel technique for pre-authentication code execution. Stupig masquerades as a legitimate keyboard-layout DLL, allowing attackers to execute commands with SYSTEM privileges directly from the Windows logon screen, without triggering standard logon audit events.

Both Daxin and Stupig carry compilation timestamps from early 2013. Despite these dates, the compromised machine did not report telemetry until May 2026, suggesting that the intrusion may have remained undetected for 13 years. While no direct code-level connection between Daxin and Stupig has been established, their simultaneous presence, complementary functionalities, and similar development practices imply a potential link to the same threat actor.

The exact method of initial compromise remains unclear. However, it is suspected that an outdated version of the Digiwin single sign-on (SSO) portal, utilizing end-of-life Java Development Kit (JDK) versions from 2009 to 2011, may have been exploited. This highlights the critical importance of maintaining up-to-date software and promptly addressing known vulnerabilities to prevent such long-term, undetected intrusions.

The resurgence of Daxin, coupled with the emergence of Stupig, underscores the evolving tactics of state-sponsored cyber espionage. Organizations, especially those in critical infrastructure sectors, must remain vigilant, implement robust security measures, and ensure timely updates to their systems to mitigate the risks posed by such sophisticated threats.