"Stupig uses a technique not documented in any known malware family," the cybersecurity arm of Broadcom said.
Daxin (srt64.sys): a kernel-mode rootkit that hijacks connections
First documented by Broadcom-owned Symantec in March 2022, Daxin — referred to in telemetry as "srt64.sys" — is a kernel-mode rootkit with an unconventional command-and-control (C2) method. Rather than initiating outbound connections to attacker infrastructure, Daxin monitors incoming TCP traffic for specific patterns and then hijacks legitimate connections to carry encrypted C2 communications. That design allows it to blend into normal network activity and to operate on hosts that are physically disconnected from the internet. Broadcom noted the malware can support multi-hop communications through chains of infected hosts, allowing operators to reach systems on isolated network segments.
Stupig (a.dll / kbdus1.dll): a pre‑login SYSTEM backdoor via keyboard‑layout provider
The same Taiwan-based host that reported Daxin also contained a previously unreported backdoor the researchers named Stupig, appearing as "a.dll" or "kbdus1.dll" — an attempt to masquerade as the legitimate "kbdus.dll" Microsoft keyboard-layout DLL. Symantec and the Carbon Black Threat Hunter Team report that Stupig achieves persistence by registering as a keyboard-layout provider, causing win32k.sys to load it into winlogon.exe at system startup; the DLL returns a valid KBDTABLES pointer so the keyboard layout functions normally and the module does not stand out to processes or administrators inspecting loaded modules.
Once inside winlogon.exe, Stupig watches the Windows logon screen for usernames beginning with the string "stupig." When that prefix is entered, any following characters are interpreted as a command and executed with SYSTEM privileges; if no command follows the prefix, it spawns a SYSTEM-level command prompt on the logon screen. As Broadcom described it, the trojanized keyboard-layout DLL "lets an attacker run commands as System directly from the Windows logon screen, before anyone signs in and without raising a logon audit event."
2013 compile timestamps, May 12, 2026 telemetry, and implications for persistence
Both the Daxin and Stupig artifacts carried compilation timestamps from early 2013, despite the compromised machine — a Taiwan-based subsidiary of a multinational high-tech manufacturer — not reporting telemetry until May 12, 2026. Symantec and Carbon Black observed no code-level overlaps between the two tools, yet they noted complementary functions, similarities in development practices, and the shared 2013 timestamps as suggestive that the tools may have come from the same operator. Exactly how and when the host was initially compromised remains unknown; the discovery indicates the cyber espionage operation never completely stopped but instead went quiet, maintaining stealthy persistence in targeted networks.
Suspected initial vector: outdated Digiwin SSO and end‑of‑life JDKs
Researchers suspect the intrusion may have exploited an outdated Digiwin single sign-on (SSO) portal on the victim host. Broadcom's teams reported the portal was using end-of-life Java Development Kit versions 1.5 and 1.6, with installations dating back to 2009–2011. The advisory does not confirm a definitive exploit path, but the presence of legacy JDKs in the suspected SSO instance is highlighted as a likely avenue for initial compromise.
Hunt.io: AI models Anthropic Claude Code and DeepSeek used to automate intrusions
Separately, Hunt.io reported observing a suspected China-linked threat actor leveraging Anthropic Claude Code and DeepSeek models to automate intrusions against government and financial systems in Afghanistan, Thailand, Taiwan, and the U.S. Hunt.io based the discovery on an open directory at 112.213.124[.]132 that shared HTTP header fingerprints with known TencShell C2 infrastructure. According to Hunt.io, the models "handled reasoning for bypass techniques, reworked exploits after failed attempts, and built the phishing pages used to harvest credentials." The firm described Claude Code as the execution engine for agentic tool use and task parallelization, while DeepSeek-v4-pro performed attack logic, script generation, and decision-making: "In short, offensive logic is routed through a Chinese domestic LLM while leveraging Anthropic's agentic execution infrastructure."
What this means for technologists, policymakers, and affected enterprises
- Technologists and security teams: The Daxin approach — hijacking existing connections and supporting multi-hop communications — underlines the limits of conventional network monitoring and the need to consider kernel-level persistence and unusual pre-login vectors such as keyboard-layout providers.
- Policymakers and regulators: The co-deployment of long-dormant artifacts with 2013 compile timestamps and evidence of AI-assisted intrusion workflows raises questions about strategic detection investments and supply-chain or legacy-software exposure in critical sectors.
- Affected enterprises and procurement leaders: The suspected use of end-of-life Java Development Kit installations in a Digiwin SSO portal highlights the operational risk of aging components in identity and access systems — and the value of explicit inventory, patching, and decommissioning policies.
The discovery in Taiwan — Daxin still operating and Stupig enabling SYSTEM-level actions at the logon screen — shows a blend of old tooling and novel techniques. Whether the two tools were developed by the same operators cannot be confirmed; what can be confirmed is that artifacts compiled in 2013 were active on a host not seen in telemetry until 2026, and that defenders will need to account for both deeply rooted persistence and new pre‑login access methods. Original story




