China-Linked 'Daxin' Rootkit Returns After Four Years, Found Inside Taiwan Factory
The stealthy kernel malware, last documented in 2022, showed up alongside a new backdoor called Stupig on a manufacturer's network.

Key points
- Daxin, a rootkit tied by researchers to China-linked hackers, has resurfaced inside a Taiwanese manufacturing company after being quiet for more than four years.
- The malware was found alongside a previously undocumented backdoor named Stupig, which lets attackers run commands on a machine before anyone logs in.
- Daxin was first exposed publicly by Symantec in March 2022 and had been used against government and telecom targets.
- The Taiwan intrusion targeted a manufacturer, a sector repeatedly hit by suspected Chinese espionage crews.
- No ransom demand is involved: this is an espionage operation, not a criminal shakedown.
A piece of malware that researchers thought had gone dormant is back.
Investigators have found Daxin, a stealthy rootkit long linked to hackers working on behalf of China, running inside the network of a Taiwanese manufacturing company. A rootkit is a type of malware that buries itself deep inside a computer's operating system so that normal security tools cannot see it.
Daxin sits at the deepest layer, known as the kernel, which is the part of Windows that controls everything else. From there it can hide files, watch traffic, and take orders from its handlers without triggering alarms.
The malware was first exposed publicly in March 2022 by Symantec, the security arm owned by Broadcom. At the time, researchers described it as one of the most advanced pieces of Chinese state-linked malware they had ever seen. It had been used quietly for years against governments, telecoms operators and other high-value targets across Asia and Africa.
Then it seemed to disappear. Until now.
Who is behind it and what did they plant?
The operation is attributed to a China-linked espionage group, the same cluster of activity Symantec tied to Daxin's earlier use. The Hacker News, which first reported the resurfacing, notes the malware was found on the file system as "srt64.sys", disguised to look like a legitimate Windows driver file.
Alongside Daxin, the attackers installed a second tool that had never been publicly documented. Researchers are calling it Stupig.
Stupig is a backdoor, meaning a hidden entry point that lets attackers control an infected machine remotely. Its unusual trick is that it works before a user has logged in. Most backdoors need someone to sign in to the computer first. Stupig sits at the login screen and quietly accepts commands from its operators, giving them SYSTEM-level access, the highest level of privilege on a Windows machine.
In plain terms: the hackers do not need an employee to be at their desk to run code on the machine. They own it from the moment it boots.
Why does a factory in Taiwan matter?
Taiwanese manufacturers make the chips, circuit boards and precision parts that end up in everything from cars to fighter jets. They are a standing target for state-backed hackers looking to steal designs, monitor supply chains or pre-position inside networks for a future crisis.
This is not a ransomware case. Nobody is demanding money. The point of Daxin has always been to sit quietly for months or years and quietly siphon information out.
That is what makes the resurfacing significant. A tool this advanced does not get dusted off for a small job.
What should ordinary people do?
Honestly, nothing directly. This is not the kind of attack that steals your bank details or locks your laptop.
But if you work at a manufacturer, an engineering firm or a supplier to one, it is worth asking your IT team whether they are watching for kernel-level malware and unusual driver files. The companies most at risk are the ones that assume they are too small or too niche to be a target.
The Taiwan case shows that assumption is wrong.



