Daxin

Malware

⚠️ Overview

Daxin is a highly sophisticated backdoor implemented as a Windows kernel driver, attributed to China-linked espionage actors and first publicly documented by Symantec's Threat Hunter Team in February 2022, with the disclosure coordinated through CISA. The oldest known samples date from 2013, and Symantec observed it deployed on some victims alongside tooling associated with the group it tracks as Slug (known for the Owlproxy backdoor). Daxin is a backdoor rather than a conventional Remote Access Trojan with its own listening service: it is used for espionage, data theft and long-term access to hardened, closely monitored networks. Its defining traits are that it hijacks legitimate TCP/IP connections instead of opening its own, and that it can relay operator commands across a chain of infected machines deep inside a target network.

🔧 Technical Capabilities

Daxin runs as a Windows kernel driver, which places it below user-mode security tooling and host firewalls. It does not listen on a port of its own: the driver watches incoming TCP traffic for a specific pattern and, on a match, takes over that already-established connection from the legitimate recipient, performs a key exchange with the operator, and then carries an encrypted command channel over what still looks like a session to an existing, already-open service. It also supports multi-hop communication: a single message can carry a list of infected nodes, each node opens a connection to the next, and the operator can reach an isolated host through a chain of compromised machines with one command. The backdoor can read and write arbitrary files, start and interact with arbitrary processes, and tunnel traffic through the infected host to other systems on the internal network. Public reporting does not establish how Daxin is first delivered or how it spreads; like any kernel driver, it is loaded through a service entry under the Services key of the registry, which is also where its persistence is visible to a defender.

📜 History & Notable Incidents

The oldest known Daxin sample dates from 2013, and Symantec found that features present in that early sample were still in use in versions seen in 2021, indicating a long period of maintained development. Symantec's February 2022 report, published in coordination with CISA, describes use against government entities and against telecommunications, transportation and manufacturing organizations of strategic interest to China; CISA assisted in notifying affected organizations in several countries. No specific initial-access vulnerability is tied to Daxin in the public reporting, and no law enforcement takedown has been reported.

🔍 Detection Indicators

File hashes for the known samples are listed in the indicator appendix of Symantec's report and should be taken from there rather than from second-hand copies. Because Daxin hijacks connections that a legitimate service has already opened, there is no new listening port and no fixed beacon to alert on; host-based indicators matter more: an unexpected kernel driver loaded from an unusual path, a service entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services whose ImagePath or signer does not match a known-good baseline, and driver signatures that are revoked, untrusted or absent. On the network, the hijack mechanism implies two things to look for: established sessions to an internal service whose traffic stops following that service's protocol shortly after setup, and internal hosts connecting to one another in chains that correspond to no application flow.

☠️ Risk & Impact

Daxin gives the operator kernel-level control of a compromised host: it can read or write any file, run any process, and pivot through the host into the rest of the network, so everything the host can reach is exposed. Reported victims are government bodies and telecommunications, transportation and manufacturing organizations in several countries. No public loss figure is attached to Daxin; its impact is long-term, undetected access to networks that were specifically hardened against ordinary backdoors.

🛡️ Mitigation

Because no specific initial-access vulnerability is tied to Daxin, the controls are general ones: keep internet-facing systems patched, enforce multifactor authentication on every remote-access path (RDP, VPN, webmail), deploy EDR that records kernel driver loads (for example Sysmon Event ID 6, DriverLoad) and alerts on drivers outside the baseline, enable Hypervisor-Protected Code Integrity and Microsoft's vulnerable driver blocklist so unsigned or known-bad drivers cannot load, and segment networks so a single compromised host cannot serve as a relay into sensitive segments. Watching only for connections on non-standard ports is not enough, since Daxin rides connections that are already open; instead, review loaded kernel drivers against a known-good inventory and check the Authenticode signature, including certificate revocation, of every driver that is not part of that baseline.
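The driver-inventory review described in the Detection Indicators and Mitigation sections, as an added example that is not code from the original page or from Symantec's report. It assumes the inventory has already been exported from a host (for instance from the Services registry key plus Get-AuthenticodeSignature on each ImagePath) into records with a service name, raw ImagePath, signer and signature status; the record set, the list of built-in names and the trusted-signer list are constructed for the example. The audit flags drivers whose signature is not valid, whose signer is not in the baseline, whose image lives outside the drivers directory, and, only when one of those is already true, a built-in Windows name being reused to blend in:

```python
"""Audit an exported kernel-driver inventory for signing and masquerading anomalies."""
from dataclasses import dataclass

SYSTEM_ROOT = r"c:\windows"
DRIVER_DIR = SYSTEM_ROOT + r"\system32\drivers"

# Built-in Windows driver/service names a loader might reuse to blend in.
# Constructed, partial list; build the real one from a golden image.
BUILTIN_NAMES = {"beep", "mpssvc", "windefend", "tcpip", "afd", "netio"}

# Signers accepted without comment. Constructed list; in practice this is the
# set of signers observed on a known-good build of the same OS version.
TRUSTED_SIGNERS = {
    "Microsoft Windows",
    "Microsoft Windows Hardware Compatibility Publisher",
}


@dataclass(frozen=True)
class DriverRecord:
    name: str        # service key name under HKLM\SYSTEM\CurrentControlSet\Services
    image_path: str  # raw ImagePath value as stored in the key
    signer: str      # subject name of the signing certificate ("" if unsigned)
    status: str      # Authenticode status: Valid, NotSigned, HashMismatch, Revoked, ...


def normalize_image_path(raw: str) -> str:
    """Map the ImagePath forms a service key can contain onto one absolute lowercase path.

    Handles the NT object prefix (\\??\\C:\\...), the \\SystemRoot\\ alias, the
    %SystemRoot% variable and the bare system32\\... relative form.
    """
    p = raw.strip().strip('"').lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.startswith("\\systemroot\\"):
        p = SYSTEM_ROOT + p[len("\\systemroot"):]
    elif p.startswith("%systemroot%\\"):
        p = SYSTEM_ROOT + p[len("%systemroot%"):]
    elif p.startswith("system32\\"):
        p = SYSTEM_ROOT + "\\" + p
    return p


def audit_driver(rec: DriverRecord) -> list:
    """Return the list of findings for one driver; an empty list means it matches the baseline."""
    findings = []
    path = normalize_image_path(rec.image_path)
    if rec.status != "Valid":
        findings.append(f"signature status {rec.status}")
    elif rec.signer not in TRUSTED_SIGNERS:
        findings.append(f"signed by non-baseline publisher {rec.signer!r}")
    if not path.startswith(DRIVER_DIR + "\\"):
        findings.append(f"image outside {DRIVER_DIR}: {path}")
    if rec.name.lower() in BUILTIN_NAMES and findings:
        # A built-in name on its own is normal (the real beep.sys produces no
        # findings above); it becomes a masquerade only when something else is off.
        findings.append(f"built-in name {rec.name!r} reused by an anomalous driver")
    return findings


def audit_inventory(records) -> dict:
    """Map each driver name with at least one finding to its findings."""
    return {r.name: f for r in records if (f := audit_driver(r))}


# Constructed sample inventory: two genuine Microsoft drivers, one driver that
# reuses a built-in name from a revoked-certificate binary outside the drivers
# directory, and one third-party driver in the right place with a valid but
# non-baseline signature.
SAMPLE_INVENTORY = [
    DriverRecord("beep", r"\SystemRoot\System32\drivers\beep.sys", "Microsoft Windows", "Valid"),
    DriverRecord("tcpip", r"system32\DRIVERS\tcpip.sys", "Microsoft Windows", "Valid"),
    DriverRecord("WinDefend", r"\??\C:\ProgramData\cache\wdflt.sys", "Contoso Device Drivers", "Revoked"),
    DriverRecord("ntkmon", r"\SystemRoot\System32\drivers\ntkmon.sys", "Acme Peripherals Inc", "Valid"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run against the sample, the two Microsoft drivers are silent, WinDefend produces three findings (revoked signature, image outside the drivers directory, reused built-in name) and ntkmon produces one (non-baseline signer), which is the triage order a responder would want: the masquerading revoked driver first, the merely unfamiliar vendor driver second.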


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.