A stealthy Windows backdoor has resurfaced alongside Daxin, a sophisticated espionage tool previously tied to China-linked activity.
The newly documented implant lets an intruder type a special username at the Windows sign-in screen and, in some cases, immediately open a command shell with the system’s highest privileges.
The activity was discovered on a compromised computer at a Taiwan-based subsidiary of a multinational high-tech manufacturer.
Investigators believe the initial foothold may have come through an outdated Digiwin single sign-on portal that still used Java Development Kit versions released between 2009 and 2011. Its target has strategic value to China.
Researchers from Symantec identified Daxin and the previously unknown Backdoor.Stupig on the same host during an investigation in May 2026.
Symantec said in a report shared with Cyber Security News (CSN) that the combination suggests a long-running operation, though a direct code-level link between the two tools has not been confirmed.
The case matters because the backdoor operates before a normal user session begins, where many organisations have limited visibility.
Its design can give an attacker command execution as SYSTEM, Windows’ most powerful local account, while also creating an opportunity to intercept credentials entered during the sign-in process.
Since it is loaded by a trusted Windows component, routine endpoint checks may not immediately distinguish it from legitimate keyboard support.
Hackers Can Type a Secret Username at the Windows Login Screen
Backdoor.Stupig disguises itself as part of Windows keyboard support rather than behaving like a conventional remote-access program.
It registers as a keyboard-layout provider, causing Windows to load the malicious DLL into winlogon.exe during startup, while returning normal keyboard data so the device appears to work as expected.
Once active, the backdoor watches the logon screen for usernames beginning with stupig.
If the attacker enters only that prefix, it launches a SYSTEM command prompt on the secure desktop; if text follows the prefix, that text is executed as a command with the same level of access.
The program then passes the request to the legitimate Windows logon process, which produces an ordinary failed-sign-in response.
This means defenders may see an unusual failed username but no obvious logon audit anomaly showing that a privileged shell was created, making a simple screen-level test unusually valuable to an intruder with console access.
Stupig also places hooks in Windows functions used during authentication and credential handling, allowing it to capture information inside winlogon.exe.
Investigators found a reference to a companion file named msyun.dll, but that payload was not among the artifacts recovered from the affected environment.
The researchers said Stupig does not match a known malware family in their similarity analysis, underscoring the value of checking unfamiliar authentication-time modules.
Daxin Signals Enduring Espionage
Daxin is a kernel-level Windows backdoor first exposed in 2022, although samples date to 2013.
Rather than making a clear outbound connection to a control server, it monitors inbound TCP traffic for specific patterns and takes over legitimate connections to carry encrypted instructions.
That approach can blend malicious traffic into normal network activity and makes conventional monitoring less effective.
Daxin can also relay commands through multiple compromised devices, potentially giving operators a route into isolated network areas that have no direct internet connection.
Both samples carried early-2013 compilation timestamps, while the affected system did not begin supplying telemetry until May 12, 2026.
That gap, together with the group’s history of quiet persistence, leaves open the possibility that the intrusion remained hidden for years and perhaps longer than a decade.
The malware files were also detected under different names, a change that appeared to follow the first detection event.
Defenders should urgently replace unsupported Java installations and review exposed single sign-on systems, especially older Digiwin deployments.
They should also examine keyboard-layout registrations and DLLs loaded by winlogon.exe, investigate failed logons using unusual stupig-prefixed names, and hunt for the indicators below across Windows systems.
Reviewing systems that lack historical telemetry is equally important, since dormant implants may only surface when monitoring improves. This includes validating all remaining legacy assets.
Indicators of compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| SHA-256 | 49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530 |
Backdoor.Daxin, srt64.sys |
| File name | srt64.sys |
Backdoor.Daxin kernel-mode driver |
| SHA-256 | 5bb5cffda4647940919a185df37aab2aef71ca3010a6c1d05bdcc8bc8fb3af3f |
Backdoor.Stupig |
| File name | a.dll |
Backdoor.Stupig deployment name |
| File name | kbdus1.dll |
Backdoor.Stupig renamed deployment name |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.