{
	"id": "1e3aad69-de6f-4b98-8b27-e56aa5127e00",
	"created_at": "2026-04-06T01:30:52.94227Z",
	"updated_at": "2026-04-10T03:20:17.942333Z",
	"deleted_at": null,
	"sha1_hash": "7eae002de49ab8a7f1758c334c7dbb8da335025d",
	"title": "Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 51834,
	"plain_text": "Daxin: Stealthy Backdoor Designed for Attacks Against Hardened\r\nNetworks\r\nArchived: 2026-04-06 00:32:39 UTC\r\nNew research by the Symantec Threat Hunter team, part of Broadcom Software, has uncovered a highly\r\nsophisticated piece of malware being used by China-linked threat actors, exhibiting technical complexity\r\npreviously unseen by such actors.  The malware appears to be used in a long-running espionage campaign against\r\nselect governments and other critical infrastructure targets.\r\nThere is strong evidence to suggest the malware, Backdoor.Daxin, which allows the attacker to perform various\r\ncommunications and data-gathering operations on the infected computer, has been used as recently as November\r\n2021 by attackers linked to China. Most of the targets appear to be organizations and governments of strategic\r\ninterest to China. In addition, other tools associated with Chinese espionage actors were found on some of the\r\nsame computers where Daxin was deployed.\r\nDaxin is without doubt the most advanced piece of malware Symantec researchers have seen used by a China-linked actor. Considering its capabilities and the nature of its deployed attacks, Daxin appears to be optimized for\r\nuse against hardened targets, allowing the attackers to burrow deep into a target’s network and exfiltrate data\r\nwithout raising suspicions.\r\nThrough Broadcom’s membership in the Joint Cyber Defense Collaborative (JCDC), Symantec researchers\r\nworked with the Cyber Security and Infrastructure Security Agency (CISA) to engage with multiple foreign\r\ngovernments targeted with Daxin and assisted in detection and remediation.\r\nThis is the first in a series of blogs. 
This blog provides an overview of Daxin’s capabilities and will be followed\r\nwith additional blogs providing further in-depth analysis.\r\nDaxin technical overview\r\nAs described in more detail below, Daxin comes in the form of a Windows kernel driver, a relatively rare format\r\nfor malware nowadays. It implements advanced communications functionality, which both provides a high degree\r\nof stealth and permits the attackers to communicate with infected computers on highly secured networks, where\r\ndirect internet connectivity is not available. These features are reminiscent of Regin, an advanced espionage tool\r\ndiscovered by Symantec in 2014 that others have linked to Western intelligence services.\r\nDaxin’s capabilities suggest the attackers invested significant effort into developing communication techniques\r\nthat can blend in unseen with normal network traffic on the target’s network. Specifically, the malware avoids\r\nstarting its own network services. Instead, it can abuse any legitimate services already running on the infected\r\ncomputers.\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage\r\nPage 1 of 6\n\nDaxin is also capable of relaying its communications across a network of infected computers within the attacked\r\norganization. The attackers can select an arbitrary path across infected computers and send a single command that\r\ninstructs these computers to establish requested connectivity. This use case has been optimized by Daxin’s\r\ndesigners.\r\nDaxin also features network tunneling, allowing attackers to communicate with legitimate services on the victim’s\r\nnetwork that can be reached from any infected computer.\r\nDaxin in detail\r\nDaxin is a backdoor that allows the attacker to perform various operations on the infected computer such as\r\nreading and writing arbitrary files. The attacker can also start arbitrary processes and interact with them. 
While the\r\nset of operations recognized by Daxin is quite narrow, its real value to attackers lies in its stealth and\r\ncommunications capabilities.\r\nDaxin is capable of communicating by hijacking legitimate TCP/IP connections. In order to do so, it monitors all\r\nincoming TCP traffic for certain patterns. Whenever any of these patterns are detected, Daxin disconnects the\r\nlegitimate recipient and takes over the connection. It then performs a custom key exchange with the remote peer,\r\nwhere two sides follow complementary steps. The malware can be both the initiator and the target of a key\r\nexchange. A successful key exchange opens an encrypted communication channel for receiving commands and\r\nsending responses. Daxin’s use of hijacked TCP connections affords a high degree of stealth to its\r\ncommunications and helps to establish connectivity on networks with strict firewall rules. It may also lower the\r\nrisk of discovery by SOC analysts monitoring for network anomalies.\r\nDaxin’s built-in functionality can be augmented by deploying additional components on the infected computer.\r\nDaxin provides a dedicated communication mechanism for such components by implementing a device named\r\n“\\\\.\\Tcp4”. The malicious components can open this device to register themselves for communication. Each of the\r\ncomponents can associate a 32-bit service identifier with the opened \\\\.\\Tcp4 handle. The remote attacker is then\r\nable to communicate with selected components by specifying a matching service identifier when sending\r\nmessages of a certain type. The driver also includes a mechanism to send back any responses.\r\nThere are also dedicated messages that encapsulate raw network packets to be transmitted via the local network\r\nadapter. Daxin then tracks network flows, such that any response packets are captured and forwarded to the\r\nremote attacker. 
This allows the attacker to establish communication with legitimate services that are reachable\r\nfrom the infected machine on the target’s network, where the remote attacker uses network tunnels to interact with\r\ninternal servers of interest.\r\nPerhaps the most interesting functionality is the ability to create a new communications channel across multiple\r\ninfected computers, where the list of nodes is provided by the attacker in a single command. For each node, the\r\nmessage includes all the details required to establish communication, specifically the node IP address, its TCP port\r\nnumber, and the credentials to use during custom key exchange. When Daxin receives this message, it picks the\r\nnext node from the list. Then it uses its own TCP/IP stack to connect to the TCP server listed in the selected entry.\r\nOnce connected, Daxin starts the initiator side protocol. If the peer computer is infected with Daxin, this results in\r\nopening a new encrypted communication channel. An updated copy of the original message is then sent over this\r\nnew channel, where the position of the next node to use is incremented. The process then repeats for the remaining\r\nnodes on the list.\r\nWhile it is not uncommon for attackers’ communications to make multiple hops across networks in order to get\r\naround firewalls and generally avoid raising suspicions, this is usually done step-by-step, such that each hop\r\nrequires a separate action. 
However, in the case of Daxin, this process is a single operation, suggesting the\r\nmalware is designed for attacks on well-guarded networks, where attackers may need to periodically reconnect\r\ninto compromised computers.\r\nTimeline\r\nThe Symantec Threat Hunter team has identified Daxin deployments in government organizations as well as\r\nentities in the telecommunications, transportation, and manufacturing sectors. Several of these victims were\r\nidentified with the assistance of the PwC Threat Intelligence team.\r\nWhile the most recent known attacks involving Daxin occurred in November 2021, the earliest known sample of\r\nthe malware dates from 2013 and included all of the advanced features seen in the most recent variants, with a\r\nlarge part of the codebase having already been fully developed. This suggests that the attackers were already well\r\nestablished by 2013, with Daxin features reflecting their expertise at that time.\r\nWe believe that before commencing development of Daxin, the attackers were already experimenting for some\r\ntime with the techniques that became part of Daxin. An older piece of malware – Backdoor.Zala (aka Exforel) –\r\ncontained a number of common features but did not have many of Daxin’s advanced capabilities. Daxin appears to\r\nbuild on Zala’s networking techniques, reusing a significant amount of distinctive code and even sharing certain\r\nmagic constants. This is in addition to a certain public library used to perform hooking that is also common\r\nbetween some variants of Daxin and Zala. The extensive sharing indicates that Daxin designers at least had access\r\nto Zala’s codebase. 
We believe that both malware families were used by the same actor, which became active no\r\nlater than 2009.\r\nLinks to known espionage actors\r\nThere are several examples of attacks where tools known to be associated with Chinese espionage actors have\r\nbeen observed along with what we believe to be variants of Daxin.\r\nIn a November 2019 attack against an information technology company, the attackers used a single PsExec\r\nsession to first attempt to deploy Daxin before then resorting to Trojan.Owprox. Owprox is associated with the\r\nChina-linked Slug (aka Owlproxy).\r\nIn May 2020, malicious activity involving both Backdoor.Daxin and Trojan.Owprox occurred on a single\r\ncomputer belonging to another organization, a technology company.\r\nIn a July 2020 attack against a military target, the attackers made two unsuccessful attempts to deploy a suspicious\r\ndriver. When these attempts failed, the attackers resorted to different malware instead, a variant of Trojan.Emulov.\r\nSymantec did not obtain either of the two suspicious drivers used in this attack. However, very strong similarities\r\nbetween this attack and earlier activity in which Daxin was used suggest that it is highly likely the attackers\r\nattempted to deploy Daxin before falling back on the other malware.\r\nDeveloping analysis\r\nIn summary, Daxin includes some of the most complex features we have seen in a highly probable China-linked\r\nmalware campaign. 
We will publish follow-up blogs over the coming days with more detailed technical analysis\r\nand other insights from our research and collaborations.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nMalware related to Daxin activity:\r\n81c7bb39100d358f8286da5e9aa838606c98dfcc263e9a82ed91cd438cb130d1 Backdoor.Daxin (32-bit core)\r\n06a0ec9a316eb89cb041b1907918e3ad3b03842ec65f004f6fa74d57955573a4 Backdoor.Daxin (64-bit core)\r\n0f82947b2429063734c46c34fb03b4fa31050e49c27af15283d335ea22fe0555 Backdoor.Daxin (64-bit core)\r\n3e7724cb963ad5872af9cfb93d01abf7cd9b07f47773360ad0501592848992f4 Backdoor.Daxin (64-bit core)\r\n447c3c5ac9679be0a85b3df46ec5ee924f4fbd8d53093125fd21de0bff1d2aad Backdoor.Daxin (64-bit core)\r\n49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530 Backdoor.Daxin (64-bit core)\r\n5bc3994612624da168750455b363f2964e1861dba4f1c305df01b970ac02a7ae Backdoor.Daxin (64-bit core)\r\n5c1585b1a1c956c7755429544f3596515dfdf928373620c51b0606a520c6245a Backdoor.Daxin (64-bit core)\r\n6908ebf52eb19c6719a0b508d1e2128f198d10441551cbfb9f4031d382f5229f Backdoor.Daxin (64-bit core)\r\n7867ba973234b99875a9f5138a074798b8d5c65290e365e09981cceb06385c54 Backdoor.Daxin (64-bit core)\r\n7a08d1417ca056da3a656f0b7c9cf6cd863f9b1005996d083a0fc38d292b52e9 Backdoor.Daxin (64-bit core)\r\n8d9a2363b757d3f127b9c6ed8f7b8b018e652369bc070aa3500b3a978feaa6ce Backdoor.Daxin (64-bit core)\r\nb0eb4d999e4e0e7c2e33ff081e847c87b49940eb24a9e0794c6aa9516832c427 Backdoor.Daxin (64-bit core)\r\nb9dad0131c51e2645e761b74a71ebad2bf175645fa9f42a4ab0e6921b83306e3 Backdoor.Daxin (64-bit core)\r\ncf00e7cc04af3f7c95f2b35a6f3432bef990238e1fa6f312faf64a50d495630a Backdoor.Daxin (64-bit core)\r\ne7af7bcb86bd6bab1835f610671c3921441965a839673ac34444cf0ce7b2164e Backdoor.Daxin (64-bit core)\r\nea3d773438c04274545d26cc19a33f9f1dbbff2a518e4302addc1279f9950cef Backdoor.Daxin (64-bit 
core)\r\n08dc602721c17d58a4bc0c74f64a7920086f776965e7866f68d1676eb5e7951f Backdoor.Daxin (dropper)\r\n53d23faf8da5791578c2f5e236e79969289a7bba04eee2db25f9791b33209631 Backdoor.Daxin (dropper)\r\n7a7e8df7173387aec593e4fe2b45520ea3156c5f810d2bb1b2784efd1c922376 Backdoor.Zala (32-bit core)\r\n8dafe5f3d0527b66f6857559e3c81872699003e0f2ffda9202a1b5e29db2002e Backdoor.Zala (32-bit core)\r\n96bf3ee7c6673b69c6aa173bb44e21fa636b1c2c73f4356a7599c121284a51cc Backdoor.Trojan (32-bit core)\r\n9c2f3e9811f7d0c7463eaa1ee6f39c23f902f3797b80891590b43bbe0fdf0e51 Backdoor.Trojan (32-bit core)\r\nc0d88db11d0f529754d290ed5f4c34b4dba8c4f2e5c4148866daabeab0d25f9c Backdoor.Trojan (32-bit core)\r\ne6a7b0bc01a627a7d0ffb07faddb3a4dd96b6f5208ac26107bdaeb3ab1ec8217 Backdoor.Trojan (32-bit core)\r\nFile names attributed to Daxin activity:\r\n\"ipfltdrvs.sys\"\r\n\"ndislan.sys\"\r\n\"ndislan_win2008_x64.sys\"\r\n\"ntbios.sys\"\r\n\"patrol.sys\"\r\n\"performanceaudit.sys\"\r\n\"print64.sys\"\r\n\"printsrv64.sys\"\r\n\"prv64.sys\"\r\n\"sqlwriter.sys\"\r\n\"srt.sys\"\r\n\"srt64.sys\"\r\n\"syswant.sys\"\r\n\"usbmrti.sys\"\r\n\"vncwantd.sys\"\r\n\"wantd.sys\"\r\n\"win2k8.sys\"\r\n\"wmipd.sys\"\r\n\"[CSIDL_SYSTEM]\\drivers\\pagefile.sys\"\r\n\"[CSIDL_SYSTEM]\\spool\\drivers\\ntds.sys\"\r\nMalware observed during overlapping activities:\r\n705be833bd1880924c99ec9cf1bd0fcf9714ae0cec7fd184db051d49824cbbf4 suspected Backdoor.Daxin\r\nc791c007c8c97196c657ac8ba25651e7be607565ae0946742a533af697a61878 suspected Backdoor.Daxin\r\n514d389ce87481fe1fc6549a090acf0da013b897e282ff2ef26f783bd5355a01 Trojan.Emulov (core)\r\n1a5c23a7736b60c14dc50bf9e802db3fcd5b6c93682bc40141d6794ae96138d3 Trojan.Emulov (dropper)\r\na0ac5f7d41e9801b531f8ca333c31021c5e064f13699dbd72f3dfd429f19bb26 
Trojan.Owprox (core)\r\naa7047a3017190c66568814eb70483bf74c1163fb4ec1c515c1de29df18e26d7 Trojan.Owprox (dropper)\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/daxin-backdoor-espionage"
	],
	"report_names": [
		"daxin-backdoor-espionage"
	],
	"threat_actors": [],
	"ts_created_at": 1775439052,
	"ts_updated_at": 1775791217,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7eae002de49ab8a7f1758c334c7dbb8da335025d.pdf",
		"text": "https://archive.orkl.eu/7eae002de49ab8a7f1758c334c7dbb8da335025d.txt",
		"img": "https://archive.orkl.eu/7eae002de49ab8a7f1758c334c7dbb8da335025d.jpg"
	}
}