FortiGuard Labs is aware of a newly discovered backdoor dubbed Daxin. Discovered by Symantec, this backdoor allows an attacker to gather and perform various command and control actions and data exfiltration on victim machines. Because of our partnership with the Cyber Threat Alliance, we were provided with IOCs to create Fortinet protections in advance so that it would be ready for today’s announcement.What separates this backdoor from many others is that Daxin is a Windows kernel level driver, also referred to as rootkits. Kernel level rootkits operate at ring 0, which allows them to operate at
the highest privileges of the operating system with impunity. What makes this threat dangerous and very effective is that it is able to leverage existing services and utilize them to perform whatever is needed without raising any suspicion by network administrators and or endpoint security software. Daxin does not contain any unique capabilities from other backdoors; however, besides its ability to run at kernel level, Daxin can also intercept TCP/IP connections in real time for further evasion. Further communications noted were the use of a custom TCP/IP stack to communicate in multiple nodes on highly secured networks.This backdoor has been attributed to state sponsored threat actors of China where targets are organizations that are of interest to the Chinese government.What Operating Systems Were Targeted?Windows operating systems.What is the Likelihood of Exploitation?Low. This is due to the attacks observed being focused on the specific interests by the threat actors behind Daxin, and not as part of a widespread attack.Is this Limited to Targeted Attacks?Yes, all attacks observed were limited to state sponsored targets. This included governmental organizations of interest, telecommunications, transportation, and manufacturing sectors as well.What is the Status of Coverage?Customers running the latest AV definitions are protected by the following signatures:W32/Agent.FF56!tr.bdrW32/Backdoor.DAXIN!trW32/PossibleThreatW64/Agent.FF56!tr.bdrW64/Backdoor.DAXIN!trW64/Agent.QWHWSZ!trMalicious_Behavior.SBW32/Exforel.B!tr.bdrDx.BG3D!trW64/Agent.WT!trW32/PossibleThreat
More Stories
apache-commons-beanutils-1.9.4-39.fc41
FEDORA-2025-3eb7c0066f Packages in this update: apache-commons-beanutils-1.9.4-39.fc41 Update description: Fix improper access control vulnerability Resolves: CVE-2025-48734 Read More
apache-commons-beanutils-1.9.4-39.fc42
FEDORA-2025-48e8e5f8ed Packages in this update: apache-commons-beanutils-1.9.4-39.fc42 Update description: Fix improper access control vulnerability Resolves: CVE-2025-48734 Read More
USN-7550-7: Linux kernel (NVIDIA Tegra IGX) vulnerabilities
Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. This...
chromium-137.0.7151.103-1.el10_1
FEDORA-EPEL-2025-73b10a6316 Packages in this update: chromium-137.0.7151.103-1.el10_1 Update description: Update to 137.0.7151.103 CVE-2025-5958: Use after free in Media CVE-2025-5959: Type Confusion...
chromium-137.0.7151.103-1.el9
FEDORA-EPEL-2025-549cb45f1c Packages in this update: chromium-137.0.7151.103-1.el9 Update description: Update to 137.0.7151.103 CVE-2025-5958: Use after free in Media CVE-2025-5959: Type Confusion...
mediawiki-1.43.1-1.fc42
FEDORA-2025-01bd4e4d20 Packages in this update: mediawiki-1.43.1-1.fc42 Update description: https://lists.wikimedia.org/hyperkitty/list/mediawiki-announce@lists.wikimedia.org/thread/OXIGQIHBL26HFKG6TT5SWSH7K7W6RO4H/ https://phabricator.wikimedia.org/T382326 Read More