Find notable cyber news and cases, enriched with sources, timelines, and signals.

Daxin and Stupig active on a Taiwan manufacturing host in 2026

Malware Activity
First reported
Last updated
Happening score
H score 27
1 unique sources, 1 articles

Summary

Hide ▲

The Daxin rootkit resurfaced on a compromised host in Taiwan in 2026, showing that the malware still maintains stealthy access inside a manufacturing network. The same machine also carried the Stupig backdoor, which can run commands as SYSTEM before sign-in. The pairing increases the risk of long-lived covert control and credential theft on the affected endpoint.

Related Happenings

Phantom Mantis shifts The Gentlemen into an independent ransomware partnership program

Threat Actor Meta
H score24 First: 11.06.2026 19:50 Last: 11.06.2026 19:50 Sources 1

About this happening: Phantom Mantis moved The Gentlemen from dependence on other ransomware ecosystems into an independent partnership program, expanding its operational autonomy and affil...

BRICKSTORM, PLENET, and AGENTPSD Linux appliance deployment

Malware Activity
H score40 First: 08.06.2026 13:27 Last: 08.06.2026 13:27 Sources 1

About this happening: The deployment of BRICKSTORM, PLENET (aka GRIMBOLT), and AGENTPSD on Linux appliances expanded operator access with backdoor, proxying, remote command ex...

UNC5221 Brickstorm, Plenet, and AgentPSD access-maintenance malware activity

Malware Activity
H score16 First: 05.06.2026 21:09 Last: 05.06.2026 21:09 Sources 1

About this happening: The Brickstorm malware set enabled UNC5221 / VerdantBamboo to keep long-term access inside victim infrastructure, including Microsoft 365, raising the risk of stealthy...

Major South Korean electronics manufacturer hit by data theft breach

Incident
H score13 First: 14.05.2026 00:59 Last: 14.05.2026 00:59 Sources 1

About this happening: A major South Korean electronics manufacturer suffered a week-long intrusion in February 2026, giving attackers time to conduct reconnaissance, credential theft*...

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign
H score37 First: 06.05.2026 16:02 Last: 06.05.2026 16:02 Sources 1

About this happening: The MuddyWater campaign used Microsoft Teams social engineering and a Chaos ransomware decoy to gain access, steal credentials, and establish persistence. The operatio...

Timeline

  1. 16.07.2026 14:17 1 articles · 3h ago

    Telemetry begins on compromised Taiwan host

    Detection Ioc Update

    The compromised host in Taiwan began reporting telemetry on May 12, 2026, establishing the earliest concrete date tied to the long-lived intrusion. The initial compromise path remained unknown at that point, even though the same machine was later associated with Daxin and Stupig.

    Show sources
  2. 16.07.2026 14:17 2 articles · 3h ago

    Symantec and Carbon Black identify Daxin and Stupig on Taiwan host

    Initial Disclosure

    Symantec and Carbon Black identified Daxin still operational on a compromised host in Taiwan in 2026 and found the same machine also infected with Stupig. Daxin uses hijacked legitimate TCP connections for encrypted command-and-control, while Stupig registers as a keyboard-layout provider so win32k.sys loads it into winlogon.exe at system startup and enables SYSTEM-level command execution before sign-in.

    Show sources