Daxin is a highly sophisticated Windows backdoor associated with long-running China-linked espionage activity. Public reporting has tied its use to targeted intrusions against governments, critical infrastructure, and strategically significant organizations, with evidence indicating operational use dating back to 2013. It resurfaced in 2026 on a compromised host at a Taiwan-based subsidiary of a multinational high-technology manufacturer, where it was found alongside the separate backdoor Stupig.
Daxin is notable for an unusually stealthy command-and-control architecture implemented at the kernel level. Rather than establishing obvious outbound sessions to attacker infrastructure, it monitors inbound TCP traffic for specific patterns and hijacks legitimate existing network connections to carry encrypted command traffic. This design helps its communications blend into normal activity and makes detection through conventional network monitoring difficult. Daxin also supports multi-hop relaying through chains of compromised systems, enabling operators to reach segmented or otherwise isolated parts of a victim environment, including systems without direct internet connectivity.
The malware has been described as a kernel-mode rootkit or kernel-level backdoor, reflecting both its privileged execution context and its covert operational design. A malicious driver associated with the campaign has also been documented. The initial intrusion vector in the 2026 case was not confirmed, although investigators suspected exploitation involving an outdated enterprise single sign-on deployment. Daxin’s tradecraft, longevity, and stealth place it among the more advanced espionage malware families publicly linked to China-aligned operations.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Daxin has an unusual approach to command-and-control. Rather than directly establishing outbound connections with attacker-controlled infrastructure, the Windows kernel-mode driver backdoor monitors incoming TCP traffic for specific patterns and hijacks existing legitimate connections for encrypted C2 communications so as to blend in with regular activity.
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A Windows kernel-mode rootkit/backdoor used in targeted espionage intrusions. It monitors incoming TCP traffic for specific patterns and hijacks existing legitimate connections for encrypted command-and-control, enabling stealthy communications and multi-hop access to isolated network segments.
A kernel-level Windows backdoor first exposed in 2022, with samples dating to 2013. It monitors inbound TCP traffic for specific patterns, hijacks legitimate connections to carry encrypted instructions, and can relay commands through multiple compromised devices to reach isolated network segments.
Advanced malware associated with a China-linked actor; reported as found running inside a Taiwan manufacturing firm and deployed alongside a novel new backdoor.
Daxin is described as a malware campaign involving a malicious driver named ntbios_2.sys, indicating use of a kernel-mode component to support backdoor/espionage activity.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.