Daxin and Stupig active on a Taiwan manufacturing host in 2026
Malware Activity
Summary
Hide ▲
Show ▼
The Daxin rootkit resurfaced on a compromised host in Taiwan in 2026, showing that the malware still maintains stealthy access inside a manufacturing network. The same machine also carried the Stupig backdoor, which can run commands as SYSTEM before sign-in. The pairing increases the risk of long-lived covert control and credential theft on the affected endpoint.
Related Happenings
Phantom Mantis shifts The Gentlemen into an independent ransomware partnership program
Threat Actor Meta
H score24
First: 11.06.2026 19:50
Last: 11.06.2026 19:50
Sources 1
About this happening:
Phantom Mantis moved The Gentlemen from dependence on other ransomware ecosystems into an independent partnership program, expanding its operational autonomy and affil...
Phantom Mantis shifts The Gentlemen into an independent ransomware partnership program
Threat Actor MetaAbout this happening: Phantom Mantis moved The Gentlemen from dependence on other ransomware ecosystems into an independent partnership program, expanding its operational autonomy and affil...
BRICKSTORM, PLENET, and AGENTPSD Linux appliance deployment
Malware Activity
H score40
First: 08.06.2026 13:27
Last: 08.06.2026 13:27
Sources 1
About this happening:
The deployment of BRICKSTORM, PLENET (aka GRIMBOLT), and AGENTPSD on Linux appliances expanded operator access with backdoor, proxying, remote command ex...
BRICKSTORM, PLENET, and AGENTPSD Linux appliance deployment
Malware ActivityAbout this happening: The deployment of BRICKSTORM, PLENET (aka GRIMBOLT), and AGENTPSD on Linux appliances expanded operator access with backdoor, proxying, remote command ex...
UNC5221 Brickstorm, Plenet, and AgentPSD access-maintenance malware activity
Malware Activity
H score16
First: 05.06.2026 21:09
Last: 05.06.2026 21:09
Sources 1
About this happening:
The Brickstorm malware set enabled UNC5221 / VerdantBamboo to keep long-term access inside victim infrastructure, including Microsoft 365, raising the risk of stealthy...
UNC5221 Brickstorm, Plenet, and AgentPSD access-maintenance malware activity
Malware ActivityAbout this happening: The Brickstorm malware set enabled UNC5221 / VerdantBamboo to keep long-term access inside victim infrastructure, including Microsoft 365, raising the risk of stealthy...
Major South Korean electronics manufacturer hit by data theft breach
Incident
H score13
First: 14.05.2026 00:59
Last: 14.05.2026 00:59
Sources 1
About this happening:
A major South Korean electronics manufacturer suffered a week-long intrusion in February 2026, giving attackers time to conduct reconnaissance, credential theft*...
Major South Korean electronics manufacturer hit by data theft breach
IncidentAbout this happening: A major South Korean electronics manufacturer suffered a week-long intrusion in February 2026, giving attackers time to conduct reconnaissance, credential theft*...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
H score37
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The MuddyWater campaign used Microsoft Teams social engineering and a Chaos ransomware decoy to gain access, steal credentials, and establish persistence. The operatio...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
CampaignAbout this happening: The MuddyWater campaign used Microsoft Teams social engineering and a Chaos ransomware decoy to gain access, steal credentials, and establish persistence. The operatio...
Timeline
-
16.07.2026 14:17 1 articles · 3h ago
Telemetry begins on compromised Taiwan host
Detection Ioc UpdateThe compromised host in Taiwan began reporting telemetry on May 12, 2026, establishing the earliest concrete date tied to the long-lived intrusion. The initial compromise path remained unknown at that point, even though the same machine was later associated with Daxin and Stupig.
Show sources
- Daxin Resurfaces in Taiwan Alongside Stupig Pre-Login SYSTEM Backdoor — thehackernews.com — 16.07.2026 14:17
-
16.07.2026 14:17 2 articles · 3h ago
Symantec and Carbon Black identify Daxin and Stupig on Taiwan host
Initial DisclosureSymantec and Carbon Black identified Daxin still operational on a compromised host in Taiwan in 2026 and found the same machine also infected with Stupig. Daxin uses hijacked legitimate TCP connections for encrypted command-and-control, while Stupig registers as a keyboard-layout provider so win32k.sys loads it into winlogon.exe at system startup and enables SYSTEM-level command execution before sign-in.
Show sources
- Daxin Resurfaces in Taiwan Alongside Stupig Pre-Login SYSTEM Backdoor — thehackernews.com — 16.07.2026 14:17
- Daxin Resurfaces in Taiwan Alongside Stupig Pre-Login SYSTEM Backdoor — thehackernews.com — 16.07.2026 14:17