A sophisticated kernel-mode rootkit first identified in 2022 has re-emerged within a Taiwanese manufacturing firm, now paired with a previously undocumented backdoor that operates before a user even logs in. This combination marks a significant advancement in the toolkits used for long-term, stealthy cyber-espionage campaigns.

Researchers have uncovered the continued use of the Daxin rootkit, also known as srt64.sys, originally detailed by Symantec in March 2022. Its reappearance after more than four years demonstrates that advanced threat actors maintain and redeploy core capabilities over extended periods. Daxin operates at the kernel level to hide malicious processes and communications, providing deep, hidden control over a compromised system.

The more alarming discovery is the new tool accompanying it: a backdoor dubbed Stupig. Its defining characteristic is the ability to establish a persistent SYSTEM-level presence before the Windows login process completes. This technique attacks a critical blind spot in many security architectures, as conventional endpoint detection and response (EDR) tools and anti-malware suites typically activate only after a user authenticates, leaving the pre-login environment under-monitored.

The pairing of these two tools creates a formidable attack chain. While Daxin provides hidden control, Stupig ensures the attacker can regain access even if the user session is terminated or monitored security controls are restarted. This undermines common assumptions about system integrity following a reboot or re-login. The campaign's focus on a Taiwanese manufacturer aligns with historically observed strategic espionage objectives, underscoring the persistent risk to industrial and technology supply chains.

Defensive Strategies Must Shift "Left"

For IT security practitioners, this development necessitates a fundamental shift in monitoring and detection strategies. The combined threat requires enhanced visibility before the first user login is even possible.

Defenders must deploy and configure monitoring solutions that provide deep insight into kernel-mode activity, scrutinizing the loading of drivers. The primary indicator for Daxin is the presence of the srt64.sys driver, but behavioural monitoring for anomalous kernel interactions is also critical. Simultaneously, organisations need to secure the pre-login phase. This may involve leveraging hardware-based security features like TPM and Secure Boot more effectively and deploying solutions specifically designed to audit the early boot process.

Proactive threat hunting is now essential, particularly for organisations in critical infrastructure and manufacturing sectors. Hunts should focus on known indicators of compromise for Daxin and investigate anomalous system behaviour that could indicate a pre-login persistence mechanism, such as unexpected scheduled tasks or services triggered during startup.

The reappearance of Daxin and the debut of Stupig signal a clear intent by threat actors to penetrate and persist within target networks at the most fundamental level. Defending against this requires moving security monitoring further left in the attack lifecycle, ensuring visibility is established before the first user login occurs.


一個於2022年首次被識別的複雜核心模式 rootkit,近期在台灣一家製造公司內重新出現,並搭配一個先前未有記錄、可在用戶登入前運作的 backdoor。這個組合標誌著用於長期、隱蔽網絡間諜活動的工具包出現了重大進化。

研究人員發現,由 Symantec 於2022年3月首次詳述的 Daxin rootkit(亦稱為 srt64.sys)仍持續被使用。它在四年多後的重新出現,表明高階威脅行為者會在長時間內維持並重新部署其核心能力。Daxin 在核心層級運作,用以隱藏惡意進程及通訊,為受感染系統提供深層、隱蔽的控制權。

更令人擔憂的發現是伴隨出現的新工具:一個被稱為 Stupig 的 backdoor。其特點是能在 Windows 登入程序完成前,建立持久的 SYSTEM 級別權限。此技術攻擊了許多安全架構中的一個關鍵盲點,因為傳統的端點偵測與回應(EDR)工具及反惡意軟件套件,通常只在用戶認證後才啟動,導致登入前環境缺乏監控。

這兩種工具的結合,構成了一個強大的攻擊鏈。Daxin 提供隱蔽控制,而 Stupig 確保攻擊者即使在用戶會話終止或受監控的安全控制重啟後,仍能重新取得存取權限。這削弱了關於系統在重啟或重新登入後完整性的常見假設。此行動針對台灣製造商,符合歷史上觀察到的戰略間諜目標,突顯了對工業及科技供應鏈的持續風險。

防禦策略必須「左移」

對於IT安全從業人員而言,此發展要求監控與偵測策略進行根本性的轉變。結合的威脅需要在首次用戶登入可能發生之前,就增強可見性。

防禦者必須部署和配置能提供對核心模式活動深度洞察的監控解決方案,仔細檢查驅動程式的載入。Daxin 的主要指標是存在 srt64.sys 驅動程式,但對異常核心互動的行為監控也至關重要。同時,組織需要確保登入前階段的安全。這可能涉及更有效地利用基於硬體的安全功能,如 TPM 和 Secure Boot,並部署專門用於審計早期啟動過程的解決方案。

主動式的威脅搜捕現在至關重要,尤其對於關鍵基礎設施和製造業領域的組織。搜捕工作應聚焦於 Daxin 已知的入侵指標,並調查可能表示存在登入前持久化機制的異常系統行為,例如在啟動期間觸發的意外排程任務或服務。

Daxin 的重現與 Stupig 的首次亮相,清楚表明了威脅行為者意圖在最基礎層級滲透並持續存在於目標網絡的決心。防禦此威脅需要將安全監控進一步推向攻擊生命周期的左端,確保在首次用戶登入發生前就建立可見性。

新聞來源 / Original News Source