Return to Threats

Daxin Resurfaces in Taiwan Alongside Stupig Pre-Login SYSTEM Backdoor

thehackernews.com 2026-07-16 AI supply chain High

What Happened

An advanced malware previously attributed to a China-linked threat actor has resurfaced after more than four years within a Taiwan manufacturing firm, along with a previously unreported backdoor dubbed Stupig. Daxin ("srt64.sys"), as the kernel-mode rootkit is referred to, was first documented by Broadcom-owned Symantec in March 2022, with evidence indicating its use in targeted attacks aimed

Why It Matters

The article reports that the China-linked kernel-mode rootkit Daxin has resurfaced inside a Taiwan manufacturing firm after more than four years, alongside a newly documented backdoor called Stupig.[1][3] Stupig abuses a trojanized keyboard-layout DLL loaded by winlogon.exe to run SYSTEM-level commands directly from the Windows logon screen, before any user authentication and without generating logon audit events.[1][2] From a RealGround perspective, such long-lived, stealthy kernel-level and pre-login persistence mechanisms pose a critical AI supply chain risk: the same tradecraft can be used to covertly implant and maintain access on AI infrastructure, model hosts, and data pipelines, bypassing standard monitoring and potentially enabling undetected data exfiltration or model tampering. Organizations operating AI systems should harden and continuously monitor low-level components (drivers, DLLs, logon modules), maintain a rigorous SBOM for AI infrastructure, and use red teaming to test for similar pre-auth and kernel-layer backdoor techniques on AI-serving and training environments.

Healthcare Fintech SaaS SMB AI startups

RealGround Analysis

This signal maps to AI supply chain. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.

Recommended Actions

  • Restrict AI agent tool permissions and production write paths.
  • Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
  • Add human approval workflows for high-impact or state-changing actions.
  • Run prompt injection and indirect prompt injection tests against affected workflows.
  • Document the owner, control gap, and remediation deadline for this risk class.

Source

https://thehackernews.com/2026/07/daxin-resurfaces-in-taiwan-alongside.html

Talk to AI CISO