Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
GPT-Red Tool Finds Prompt Injection Vulnerabilities in GPT 5.6 Sol
July 16, 2026
Kratos PhaaS Attacks Microsoft 365 Users to Steal Credentials
July 16, 2026
Critical Zoom Windows Flient Flaw Lets Attackers Take Over Accounts via Network
July 16, 2026
Home/CyberSecurity News/Critical Windows Bug Lets Attackers Access SYSTEM Shell Without Credentials
CyberSecurity News

Critical Windows Bug Lets Attackers Access SYSTEM Shell Without Credentials

Key Takeaways A previously undocumented Windows backdoor, dubbed Backdoor.Stupig, has been found operating alongside the sophisticated Daxin malware. Backdoor.Stupig allows attackers to gain...

Marcus Rodriguez
Marcus Rodriguez
July 16, 2026 5 Min Read
3 0

Key Takeaways

  • A previously undocumented Windows backdoor, dubbed Backdoor.Stupig, has been found operating alongside the sophisticated Daxin malware.
  • Backdoor.Stupig allows attackers to gain SYSTEM-level command shell access by entering a specific username prefix at the Windows login screen.
  • The backdoor operates at a low level, masquerading as a keyboard layout provider, which makes it difficult to detect with standard security tools and allows credential harvesting.
  • The compromise was discovered at a Taiwanese high-tech manufacturer, with initial access potentially gained through an outdated Digiwin single sign-on portal.
  • No patch is available for Backdoor.Stupig as it is a malware implant, not a vulnerability. Defenders must focus on detection and removal.

New Windows Backdoor Uncovered Alongside Notorious Daxin Malware

A covert Windows backdoor, now identified as Backdoor.Stupig, has been observed in conjunction with Daxin, a highly advanced espionage tool previously linked to state-sponsored activities originating from China. This discovery highlights a persistent and sophisticated threat targeting critical infrastructure and high-value organizations.

Table Of Content

  • Key Takeaways
  • New Windows Backdoor Uncovered Alongside Notorious Daxin Malware
  • Initial Infiltration and Target Profile
  • Hackers Can Type a Secret Username at the Windows Login Screen
  • Daxin Signals Enduring Espionage
  • What You Should Do

The newly identified implant grants an unauthorized individual the ability to type a specific, predetermined username at the Windows login interface. In certain scenarios, this action immediately opens a command shell with SYSTEM privileges, representing the highest level of access on a Windows operating system.

Initial Infiltration and Target Profile

The malicious activity was first detected on a compromised system belonging to a Taiwanese subsidiary of a prominent multinational high-tech manufacturing firm. Investigators suspect the initial breach may have leveraged an outdated Digiwin single sign-on portal, which was running Java Development Kit versions from 2009 to 2011. The strategic importance of the targeted organization aligns with known objectives of China-linked threat actors.

Researchers from Symantec uncovered both Daxin and the previously unknown Backdoor.Stupig on the same host during an investigation in May 2026. Symantec said in a report shared with Cyber Security News (CSN) that the co-occurrence of these two sophisticated tools suggests a long-term, coordinated campaign. However, a direct code-level connection between Daxin and Backdoor.Stupig has not yet been established.

This case is particularly concerning because the backdoor functions at a stage before a regular user session initiates, a period where many organizations typically have limited visibility into system operations. Its design enables an attacker to execute commands with SYSTEM privileges, the most powerful local account on Windows. Furthermore, it creates an opportunity to intercept user credentials entered during the login process.

Given that Backdoor.Stupig is loaded by a legitimate Windows component, standard endpoint security checks might struggle to differentiate it from authentic keyboard support, allowing it to evade detection.

Hackers Can Type a Secret Username at the Windows Login Screen

Backdoor.Stupig cleverly masks its true nature by posing as a legitimate part of Windows keyboard support, rather than exhibiting the typical behavior of a remote-access program. It achieves this by registering itself as a keyboard-layout provider. Consequently, Windows loads the malicious DLL into winlogon.exe during the system startup process, while simultaneously delivering normal keyboard data to maintain the illusion of standard device functionality.

Once activated, the backdoor actively monitors the logon screen for any usernames beginning with the specific prefix stupig. If an attacker inputs only this prefix, the malware launches a SYSTEM-privileged command prompt on the secure desktop. If additional text follows the prefix, that text is executed as a command with the same elevated access level.

After executing its malicious function, Backdoor.Stupig forwards the login request to the legitimate Windows logon process, which then generates a standard failed sign-in response. This deceptive behavior means that security defenders might only observe an unusual failed username entry, without any clear audit trail indicating that a privileged shell was created. This subtlety makes a simple screen-level test exceptionally valuable for an intruder who has console access to the system.

Beyond its primary function, Stupig also implants hooks into various Windows functions responsible for authentication and credential handling, enabling it to capture sensitive information directly within winlogon.exe. Investigators discovered a reference to a related file named msyun.dll, but this companion payload was not recovered from the compromised environment. Researchers noted that Stupig does not match any known malware families in their similarity analysis, underscoring the critical need for organizations to scrutinize unfamiliar authentication-time modules.

Daxin Signals Enduring Espionage

Daxin is a kernel-level Windows backdoor first publicly disclosed in 2022, though its samples date back as far as 2013. Unlike conventional malware that establishes clear outbound connections to a command-and-control server, Daxin operates by monitoring inbound TCP traffic for specific patterns. It then hijacks legitimate connections to transmit encrypted instructions, making it exceptionally stealthy.

This sophisticated communication method allows malicious traffic to blend seamlessly with normal network activity, significantly reducing the effectiveness of traditional network monitoring tools. Furthermore, Daxin possesses the capability to relay commands through multiple compromised devices, potentially providing its operators with a pathway into isolated network segments that lack direct internet connectivity.

Both malware samples discovered carried compilation timestamps from early 2013, while telemetry from the affected system only began on May 12, 2026. This substantial time gap, combined with the threat group’s historical pattern of maintaining quiet persistence, raises the alarming possibility that the intrusion remained undetected for years, potentially over a decade. Additionally, the malware files were found under different names, a change that appeared to occur after the initial detection event.

What You Should Do

  • Update and Patch Immediately: Urgently replace any unsupported Java installations and review all exposed single sign-on (SSO) systems, especially older Digiwin deployments. Ensure all software, particularly critical components like Java, is kept up-to-date with the latest security patches.
  • Enhanced Monitoring: Scrutinize keyboard-layout registrations and all DLLs loaded by winlogon.exe. Implement robust logging and monitoring for failed logon attempts, paying close attention to unusual usernames, particularly those prefixed with “stupig”.
  • Threat Hunting: Actively hunt for the provided Indicators of Compromise (IoCs) across all Windows systems within your environment.
  • Review Legacy Systems: Conduct thorough reviews of systems lacking comprehensive historical telemetry, as dormant implants may only become apparent with improved monitoring. This includes validating the security posture of all remaining legacy assets.
Type Indicator Description
SHA-256 49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530 Backdoor.Daxin, srt64.sys
File name srt64.sys Backdoor.Daxin kernel-mode driver
SHA-256 5bb5cffda4647940919a185df37aab2aef71ca3010a6c1d05bdcc8bc8fb3af3f Backdoor.Stupig
File name a.dll Backdoor.Stupig deployment name
File name kbdus1.dll Backdoor.Stupig renamed deployment name

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackHackerMalwareSecurityThreat

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

CISA Warns of Oracle E-Business Suite Vulnerability Actively Exploited in Attacks

Next Post

TuxBot v3 IoT Botnet Hijacks Devices, Launches DDoS Attacks with LLM Code

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
CISA Warns of Oracle E-Business Suite Vulnerability Actively Exploited in Attacks
July 16, 2026
Multiple Critical Splunk Enterprise Vulnerabilities Allow Path Traversal, Info Disclosure
July 16, 2026
F5 Patches Critical NGINX Vulnerabilities, Preventing Code Execution
July 16, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Emy Elsamnoudy
Emy Elsamnoudy
Jennifer sherman
Jennifer sherman
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us