A previously undocumented cyber espionage tool, known as Daxin, has been used in a long-running campaign attributed to China-linked threat actors that has targeted governments and critical infrastructure since at least 2013. The backdoor was identified by Broadcom's Symantec Threat Hunter Team, which described it as a means of establishing covert communications and gathering information, with targets concentrated in sectors of strategic interest to China such as telecommunications, transportation, and manufacturing.
According to an advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Daxin is a highly sophisticated rootkit backdoor with complex, stealthy command-and-control (C2) functionality. That functionality lets remote actors communicate with secured devices that are not directly connected to the internet, giving them a covert path for control and data exfiltration that is unlikely to trigger alerts.
Daxin is implemented as a Windows kernel driver, which is what allows it to build its communications channel so covertly. Rather than starting its own network service or opening a listening port, it abuses legitimate TCP/IP services already running on the infected machine: it watches incoming TCP traffic for a specific pattern and, when it sees one, takes over that connection for its own use. Because the backdoor's traffic arrives on ports that are already legitimately open, it blends into normal network activity, letting Daxin receive commands while remaining hard to spot.
Researchers have likened Daxin's capabilities to those of Regin, an espionage toolkit disclosed in 2014 that has been attributed to the U.S. National Security Agency (NSA). A distinctive characteristic of Daxin is the absence of conspicuous network traffic of its own, a hallmark of its stealth. Daxin can also relay commands across a chain of infected machines, forming what Symantec calls a "multi-node communications channel" that lets operators reach deep into a network and maintain access to compromised systems over extended periods.
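The two behaviours described above, a backdoor channel that rides on an existing listener instead of opening a new port, and command relaying through a chain of infected hosts, are easier to reason about with a small in-memory simulation. The following is an added illustration, not Daxin's or Symantec's code: the trigger bytes, the one-byte hop-count framing, and the host names are all constructed for this demo, and a real rootkit would do the equivalent inside the kernel TCP/IP stack rather than in a user-mode handler.

```python
"""In-memory simulation of a pattern-triggered backdoor riding on a legitimate
listener, plus multi-hop relaying of commands through a chain of infected hosts.

Added example, not Daxin's or Symantec's code. MAGIC, the hop-count framing and
the node names are constructed for this demo (assumptions, not observed values).
"""
from dataclasses import dataclass, field

MAGIC = b"\x1b\x7fDX"  # constructed trigger pattern (assumption for the demo)


@dataclass
class Node:
    """One infected host. Every inbound connection on the legitimate port lands in handle()."""
    name: str
    next_hop: "Node | None" = None
    log: list = field(default_factory=list)

    def legitimate_service(self, request: bytes) -> bytes:
        # Stand-in for the service that really owns the port (e.g. an HTTP server).
        self.log.append(("legit", request))
        return b"HTTP/1.0 200 OK\r\n\r\nhello\n"

    def backdoor(self, hops: int, body: bytes) -> bytes:
        # Hidden handler: act locally when hops == 0, otherwise relay to the next host.
        if hops == 0:
            self.log.append(("exec", body))
            return b"EXEC@" + self.name.encode() + b":" + body
        if self.next_hop is None:
            return b"ERR:no-next-hop"
        self.log.append(("relay", hops))
        # Re-frame with one fewer hop and hand it to the next node's *legitimate* port.
        return self.next_hop.handle(MAGIC + bytes([hops - 1]) + body)

    def handle(self, request: bytes) -> bytes:
        """Inspect the first bytes of a connection: trigger pattern -> backdoor, else -> real service."""
        if request.startswith(MAGIC) and len(request) > len(MAGIC):
            hops = request[len(MAGIC)]
            return self.backdoor(hops, request[len(MAGIC) + 1:])
        return self.legitimate_service(request)


def build_chain(names):
    """Link nodes so each one can relay to the next deeper host in the network."""
    nodes = [Node(n) for n in names]
    for outer, inner in zip(nodes, nodes[1:]):
        outer.next_hop = inner
    return nodes


def frame(hops: int, cmd: bytes) -> bytes:
    """Build an operator message: trigger pattern, hop count, then the command body."""
    return MAGIC + bytes([hops]) + cmd


if __name__ == "__main__":
    chain = build_chain(["edge", "dmz", "internal"])
    # Ordinary traffic on the same port is served normally.
    print(chain[0].handle(b"GET / HTTP/1.0\r\n\r\n"))
    # Backdoor traffic enters at the edge host and is relayed two hops inward.
    print(chain[0].handle(frame(2, b"whoami")))
```

The point for defenders is what this model does not show: no new listening port, no new process, and the command path only ever touches ports that a port inventory or firewall rule would already consider legitimate. Spotting the channel therefore depends on inspecting connection content and per-connection behaviour (for example, a web listener whose connection suddenly stops speaking HTTP), not on enumerating listeners.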
The most recent known Daxin activity dates to November 2021, but Symantec found that Daxin shares code with an older backdoor, Exforel (also known as Zala), suggesting the two were built by the same developers or from a common code base.
Symantec has not attributed the Daxin campaign to a single actor. However, systems compromised by Daxin have also hosted tooling used by other Chinese espionage actors, including the group Symantec tracks as Slug; in one instance, Daxin and the Owprox malware were deployed on the same computer at a technology company in May 2020.
Researchers describe Daxin as the most advanced piece of malware they have seen from China-linked actors, built to penetrate hardened networks. Its capabilities and mode of operation suggest it was designed for well-defended targets, enabling deep infiltration and data extraction without drawing attention.
The disclosure comes shortly after the Chinese cybersecurity firm Pangu Lab revealed a "top-tier" backdoor known as Bvp47, which it alleges was used by the NSA for over a decade. According to that report, Bvp47 was used against around 287 targets across 45 countries, predominantly in China, Korea, Japan, Germany, Spain, India, and Mexico.