Critical Windows Bug Lets Attackers Access SYSTEM Shell Without Credentials
Key Takeaways A previously undocumented Windows backdoor, dubbed Backdoor.Stupig, has been found operating alongside the sophisticated Daxin malware. Backdoor.Stupig allows attackers to gain...
Key Takeaways
- A previously undocumented Windows backdoor, dubbed Backdoor.Stupig, has been found operating alongside the sophisticated Daxin malware.
- Backdoor.Stupig allows attackers to gain SYSTEM-level command shell access by entering a specific username prefix at the Windows login screen.
- The backdoor operates at a low level, masquerading as a keyboard layout provider, which makes it difficult to detect with standard security tools and allows credential harvesting.
- The compromise was discovered at a Taiwanese high-tech manufacturer, with initial access potentially gained through an outdated Digiwin single sign-on portal.
- No patch is available for Backdoor.Stupig as it is a malware implant, not a vulnerability. Defenders must focus on detection and removal.
New Windows Backdoor Uncovered Alongside Notorious Daxin Malware
A covert Windows backdoor, now identified as Backdoor.Stupig, has been observed in conjunction with Daxin, a highly advanced espionage tool previously linked to state-sponsored activities originating from China. This discovery highlights a persistent and sophisticated threat targeting critical infrastructure and high-value organizations.
Table Of Content
The newly identified implant grants an unauthorized individual the ability to type a specific, predetermined username at the Windows login interface. In certain scenarios, this action immediately opens a command shell with SYSTEM privileges, representing the highest level of access on a Windows operating system.
Initial Infiltration and Target Profile
The malicious activity was first detected on a compromised system belonging to a Taiwanese subsidiary of a prominent multinational high-tech manufacturing firm. Investigators suspect the initial breach may have leveraged an outdated Digiwin single sign-on portal, which was running Java Development Kit versions from 2009 to 2011. The strategic importance of the targeted organization aligns with known objectives of China-linked threat actors.
Researchers from Symantec uncovered both Daxin and the previously unknown Backdoor.Stupig on the same host during an investigation in May 2026. Symantec said in a report shared with Cyber Security News (CSN) that the co-occurrence of these two sophisticated tools suggests a long-term, coordinated campaign. However, a direct code-level connection between Daxin and Backdoor.Stupig has not yet been established.
This case is particularly concerning because the backdoor functions at a stage before a regular user session initiates, a period where many organizations typically have limited visibility into system operations. Its design enables an attacker to execute commands with SYSTEM privileges, the most powerful local account on Windows. Furthermore, it creates an opportunity to intercept user credentials entered during the login process.
Given that Backdoor.Stupig is loaded by a legitimate Windows component, standard endpoint security checks might struggle to differentiate it from authentic keyboard support, allowing it to evade detection.
Hackers Can Type a Secret Username at the Windows Login Screen
Backdoor.Stupig cleverly masks its true nature by posing as a legitimate part of Windows keyboard support, rather than exhibiting the typical behavior of a remote-access program. It achieves this by registering itself as a keyboard-layout provider. Consequently, Windows loads the malicious DLL into winlogon.exe during the system startup process, while simultaneously delivering normal keyboard data to maintain the illusion of standard device functionality.
Once activated, the backdoor actively monitors the logon screen for any usernames beginning with the specific prefix stupig. If an attacker inputs only this prefix, the malware launches a SYSTEM-privileged command prompt on the secure desktop. If additional text follows the prefix, that text is executed as a command with the same elevated access level.
After executing its malicious function, Backdoor.Stupig forwards the login request to the legitimate Windows logon process, which then generates a standard failed sign-in response. This deceptive behavior means that security defenders might only observe an unusual failed username entry, without any clear audit trail indicating that a privileged shell was created. This subtlety makes a simple screen-level test exceptionally valuable for an intruder who has console access to the system.
Beyond its primary function, Stupig also implants hooks into various Windows functions responsible for authentication and credential handling, enabling it to capture sensitive information directly within winlogon.exe. Investigators discovered a reference to a related file named msyun.dll, but this companion payload was not recovered from the compromised environment. Researchers noted that Stupig does not match any known malware families in their similarity analysis, underscoring the critical need for organizations to scrutinize unfamiliar authentication-time modules.
Daxin Signals Enduring Espionage
Daxin is a kernel-level Windows backdoor first publicly disclosed in 2022, though its samples date back as far as 2013. Unlike conventional malware that establishes clear outbound connections to a command-and-control server, Daxin operates by monitoring inbound TCP traffic for specific patterns. It then hijacks legitimate connections to transmit encrypted instructions, making it exceptionally stealthy.
This sophisticated communication method allows malicious traffic to blend seamlessly with normal network activity, significantly reducing the effectiveness of traditional network monitoring tools. Furthermore, Daxin possesses the capability to relay commands through multiple compromised devices, potentially providing its operators with a pathway into isolated network segments that lack direct internet connectivity.
Both malware samples discovered carried compilation timestamps from early 2013, while telemetry from the affected system only began on May 12, 2026. This substantial time gap, combined with the threat group’s historical pattern of maintaining quiet persistence, raises the alarming possibility that the intrusion remained undetected for years, potentially over a decade. Additionally, the malware files were found under different names, a change that appeared to occur after the initial detection event.
What You Should Do
- Update and Patch Immediately: Urgently replace any unsupported Java installations and review all exposed single sign-on (SSO) systems, especially older Digiwin deployments. Ensure all software, particularly critical components like Java, is kept up-to-date with the latest security patches.
- Enhanced Monitoring: Scrutinize keyboard-layout registrations and all DLLs loaded by
winlogon.exe. Implement robust logging and monitoring for failed logon attempts, paying close attention to unusual usernames, particularly those prefixed with “stupig”. - Threat Hunting: Actively hunt for the provided Indicators of Compromise (IoCs) across all Windows systems within your environment.
- Review Legacy Systems: Conduct thorough reviews of systems lacking comprehensive historical telemetry, as dormant implants may only become apparent with improved monitoring. This includes validating the security posture of all remaining legacy assets.
| Type | Indicator | Description |
|---|---|---|
| SHA-256 | 49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530 |
Backdoor.Daxin, srt64.sys |
| File name | srt64.sys |
Backdoor.Daxin kernel-mode driver |
| SHA-256 | 5bb5cffda4647940919a185df37aab2aef71ca3010a6c1d05bdcc8bc8fb3af3f |
Backdoor.Stupig |
| File name | a.dll |
Backdoor.Stupig deployment name |
| File name | kbdus1.dll |
Backdoor.Stupig renamed deployment name |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.