{
	"id": "e2636188-ce8c-4c1a-aea1-1b4e02950739",
	"created_at": "2026-04-06T00:15:14.31664Z",
	"updated_at": "2026-04-10T03:21:52.757699Z",
	"deleted_at": null,
	"sha1_hash": "9501928e4c2390e6896862b36d6459677b3191eb",
	"title": "Chinese cyberspies target govts with their ‘most advanced’ backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3171321,
	"plain_text": "Chinese cyberspies target govts with their ‘most advanced’ backdoor\r\nBy Bill Toulas\r\nPublished: 2022-02-28 · Archived: 2026-04-05 14:12:51 UTC\r\nSecurity researchers have discovered Daxin, a stealthy China-linked backdoor designed specifically for deployment in hardened corporate networks that run advanced threat detection.\r\nAccording to a technical report published by Symantec's Threat Hunter team today, Daxin is one of the most advanced backdoors ever seen deployed by Chinese actors.\r\nOne point of differentiation is Daxin's form: it is a Windows kernel driver, an atypical choice in the malware landscape. Its stealth comes from its communication features, which blend its command-and-control traffic into the legitimate network traffic of the infected host.\r\nhttps://www.bleepingcomputer.com/news/security/chinese-cyberspies-target-govts-with-their-most-advanced-backdoor/\r\nPage 1 of 5\r\n\"Daxin is, without doubt, the most advanced piece of malware Symantec researchers have seen used by a China-linked actor,\" Symantec said in a new report.\r\n\"Considering its capabilities and the nature of its deployed attacks, Daxin appears to be optimized for use against hardened targets, allowing the attackers to burrow deep into a target’s network and exfiltrate data without raising suspicions.\"\r\nHiding in legitimate network traffic\r\nBackdoors provide threat actors with remote access to a compromised computer system, allowing them to steal data, execute commands, or download and install further malware.\r\nBecause these tools are typically used to steal information from protected networks or to compromise further devices, they need some form of encryption or obfuscation for the data they transfer, so that network traffic monitoring tools do not raise alarms.\r\nDaxin does this by monitoring network traffic on the infected device for specific patterns. Once it detects such a pattern, it hijacks the legitimate TCP connection carrying it and uses that connection to communicate with the command and control server.\r\nBy hijacking TCP connections, Daxin hides its malicious communication inside what appears to be legitimate traffic and so remains undetected.\r\n\"Daxin’s use of hijacked TCP connections affords a high degree of stealth to its communications and helps to establish connectivity on networks with strict firewall rules. It may also lower the risk of discovery by SOC analysts monitoring for network anomalies,\" explains the report by Symantec.\r\nThis essentially opens an encrypted communication channel for transmitting commands or stealing data, all done through a seemingly innocuous TCP connection.\r\n“Daxin’s built-in functionality can be augmented by deploying additional components on the infected computer. Daxin provides a dedicated communication mechanism for such components by implementing a device named \\\\.\\Tcp4,” further explained Symantec.\r\n“The malicious components can open this device to register themselves for communication. Each of the components can associate a 32-bit service identifier with the opened \\\\.\\Tcp4 handle. The remote attacker is then able to communicate with selected components by specifying a matching service identifier when sending messages of a certain type.”\r\nDaxin also stands out for its ability to establish intricate communication pathways across multiple infected computers at once, using a single command sent to a set of nodes.\r\nDaxin establishing communication channels on compromised networks (Symantec)\r\nThis allows the threat actors to quickly re-establish connections and encrypted communication channels in well-guarded networks.\r\nAt the same time, while the nodes are active and serve as relay points, the chances of the malicious traffic being flagged as suspicious are kept to a minimum.\r\nChinese cyber-espionage\r\nSymantec's threat analysts have found evidence linking Daxin to the Chinese state-backed hacking group Slug (aka Owlproxy).\r\nReportedly, the backdoor has been actively used in attacks since at least November 2019, and researchers spotted signs of its deployment again in May 2020 and July 2020.\r\nThe most recent attacks involving Daxin were observed in November 2021, targeting telecommunication, transportation, and manufacturing companies.\r\nIt is worth noting that Symantec says the malware was first sampled back in 2013, already featuring the detection-avoidance techniques seen in today's version.\r\nNo attacks involving Daxin were observed before 2019, however, which most likely means its operators simply remained undetected until then.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/chinese-cyberspies-target-govts-with-their-most-advanced-backdoor/"
	],
	"report_names": [
		"chinese-cyberspies-target-govts-with-their-most-advanced-backdoor"
	],
	"threat_actors": [],
	"ts_created_at": 1775434514,
	"ts_updated_at": 1775791312,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9501928e4c2390e6896862b36d6459677b3191eb.pdf",
		"text": "https://archive.orkl.eu/9501928e4c2390e6896862b36d6459677b3191eb.txt",
		"img": "https://archive.orkl.eu/9501928e4c2390e6896862b36d6459677b3191eb.jpg"
	}
}