US warns Chinese hackers have their ‘most advanced’ backdoor yet

A white padlock on a dark digital background.
(Image credit:

An “ancient” Chinese malware, capable of avoiding advanced threat detection solutions, has been spotted in the wild, once again, researchers are saying.

Experts from Symantec have published a report (opens in new tab) detailing their findings on Daxin, “the most advanced piece of malware” the company says it has ever had the chance to observe.

The team claims that Daxin is a stealthy backdoor designed to gain control over, and exfiltrate data from, endpoints (opens in new tab) on tough-to-break corporate networks.

TechRadar needs yo...

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> Click here to start the survey in a new window (opens in new tab) <<

Finally spotted

According to the report, Daxin was created by Slug, also known as Owlproxy, a threat actor with ties to the Chinese government. It was first spotted in 2013, and even a decade ago, it was already capable of avoiding detection from state-of-the-art antivirus (opens in new tab) solutions.

It lay dormant until late 2019 (or security pros were just unable to detect it, which is also highly likely), when it re-emerged, targeting telecommunication, transportation, and manufacturing companies, all throughout 2020 and 2021. 

What makes Daxin stand out from other malware is its atypical form and the way it hides its communications with the C2 server. The malware is described as a Windows kernel driver that looks for patterns in network traffic.

Once it spots a pattern, it will hijack the legitimate TCP connection and use it to send out data and receive further instructions. 

"Considering its capabilities and the nature of its deployed attacks, Daxin appears to be optimized for use against hardened targets, allowing the attackers to burrow deep into a target’s network and exfiltrate data without raising suspicions," Symantec says.

"Daxin’s use of hijacked TCP connections affords a high degree of stealth to its communications and helps to establish connectivity on networks with strict firewall rules. It may also lower the risk of discovery by SOC analysts monitoring for network anomalies." 

Another thing that makes Daxin particularly dangerous is its ability to set up a complex communication channel through multiple endpoints, enabling persistence on highly guarded networks.

Symantec did not say the names of organizations the group was targeting this time around.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.