Daxin, a sophisticated kernel-mode rootkit linked to Chinese threat actors, has reappeared in Taiwan after a four-year absence. The malware surfaced within a Taiwan-based manufacturing firm alongside a previously undocumented backdoor named Stupig, both deployed in what researchers assess as a targeted operation.

Symantec first documented Daxin (tracked as srt64.sys) in March 2022. The rootkit operates at the kernel level, granting attackers deep system access and persistence capabilities that resist standard detection methods. Its reemergence in a manufacturing environment signals renewed targeting of critical infrastructure and supply chain assets in the region.

Stupig represents a separate pre-login backdoor, deployed alongside Daxin in this intrusion. Pre-login backdoors execute before user authentication completes, enabling attackers to maintain access even if credentials change or systems are reimaged. This combination demonstrates a multi-layered persistence strategy typical of advanced persistent threat (APT) operations.

The victim organization's manufacturing sector status raises supply chain contamination concerns. Taiwanese manufacturers supply components globally, particularly to semiconductor and electronics industries. Compromise of such firms creates risk vectors extending beyond the immediate victim.

The four-year gap between documented Daxin activity and this discovery suggests either dormancy or undetected operations. Either scenario indicates the malware's effectiveness at evading enterprise detection. The return, paired with a new tool, suggests the threat actor maintains active interest in Taiwan-based targets and continues developing capabilities.

Organizations in Taiwan's manufacturing sector should treat this resurgence as a direct threat indicator. Detection requires kernel-level monitoring and behavioral analysis. Standard endpoint protection often fails against rootkits operating below security software layers. Affected organizations benefit from firmware integrity checks, kernel driver verification, and advanced threat hunting across their infrastructure.

The coupling of Daxin with Stup