{"id":14343,"date":"2026-07-16T10:04:17","date_gmt":"2026-07-16T10:04:17","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/16\/hackers-can-type-a-secret-username-at-the-windows-login-screen-to-open-a-system-shell\/"},"modified":"2026-07-16T10:04:17","modified_gmt":"2026-07-16T10:04:17","slug":"hackers-can-type-a-secret-username-at-the-windows-login-screen-to-open-a-system-shell","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/16\/hackers-can-type-a-secret-username-at-the-windows-login-screen-to-open-a-system-shell\/","title":{"rendered":"Hackers Can Type a Secret Username at the Windows Login Screen to Open a SYSTEM Shell"},"content":{"rendered":"<p>    Hackers Can Type a Secret Username at the Windows Login Screen to Open a SYSTEM Shell<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p class=\"wp-block-paragraph\">A stealthy Windows backdoor has resurfaced alongside Daxin, a sophisticated espionage tool previously tied to China-linked activity. <\/p>\n<p class=\"wp-block-paragraph\">The newly documented implant lets an intruder type a special username at the Windows sign-in screen and, in some cases, immediately open a command shell with the system\u2019s highest privileges.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/2491c78c-1ec9-435b-baa8-c06a361e9b5b\/Hackers-Can-Type-a-Secret-Username-at-the-Windows-Login-Screen-to-Open-a-SYSTEM-Shell.pdf?AWSAccessKeyId=ASIA2F3EMEYETZYA6664&amp;Signature=ueDkGcbQ9XiFB4SlNqctWZCKPjc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEHYaCXVzLWVhc3QtMSJIMEYCIQDMmUkrzOAWpwt00DjGiziTrlyrDRye9XhdCfhBkGr%2FxgIhAJtJYtfy%2FRLjvn8WblV2CAZiIVpip09Vcf9X59L8vLsFKvMECD8QARoMNjk5NzUzMzA5NzA1IgzbvLDBQy23n2epk9wq0ARQq0YgUEzCyxHgAQAGcTyMmFIuiDFvwkurwxPcvfJCM5ALWTRCb%2ByQLiwlp%2BbHGI0aMtvLN1AsjKErXVVvK2zOHAog%2FQ9QauLcC51aOHsTCyiJobJMcosewq8zJ4i3OkBFR1Sjv17qhg%2FX18RbcZQKSCKo7jI0UdI8bgIuFyCYwuX1MNfzQui4Fl8XwGJ%2FGxMzj1Fy2uPJuzNt8svZa6kcQG%2Ba3DvbMPHXhYRMZ%2BJZ8gpRUh%2FYYmqv1Oz%2BtDiTdd6v91sASvWmMR76y00l%2BXowLiLI%2FxVh6OeYNRD5yI4N7upursFA9qN7cknk9k6dE2R2iK72YssPZHRKd%2BQNp3IzyTwf0bRn7C0Usfo90eS8d9fu27Fskn68GO0LxBylA3JT4FyNrIDXaJm3dEldiMdwdWrLjRtT3nM%2FYx0IHywwesp9%2FJ6QQLnMMOGl5J8XVmBcZeme38zamz9Gy%2FdXKhkOuSavtk3ITHFpy6txDJUt7leZphm0IRWhMgrR6dDcbNWFODWJLLdduxr9IlVxT0B87ZJ4ZmSZhyVPZN14KEEIf5WGT2GEI7gp%2BgLtRKR7floazmrdO5PzogOW753jR%2FJGTKDFpq8QwqXULVfYVU0eTIf8Tz%2BZPCHXI327G%2FzdO%2Fl4j9Vbym9MTYmmI9hxpbAWlmowl9xuXd1%2B9TNgvk16%2B6SWCn96x%2FwPpyFofqUt1uMHTANtJPVIKRU1iGiEL5ZJVUeVfoTzTT9jIQlfQHLsv8oz9OILQYj6l98LxMwWQ0iyphKW84B5rFu0CivOvHurML%2Fe4dIGOpcBuW%2BMw8S3tJj%2FaXSe1UFV7t2zFl6Opkmo%2B%2B35jDWyH%2B8rumZ2zvtxncYQCt6u1Bp7ibXsbGoL3%2BttIc9FXhzRLHplJofjehiAKfRXzoMHegbWMAj%2FQVmE1NQLvypDUN4xqFE3ilwgf9eaCVETM2gCpIXaw0OWJOp7eB3FUztcjnGQi75jzM7QBjT9vILpOEt32g6JTxQoqQ%3D%3D&amp;Expires=1784184082\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">The activity was discovered on a compromised computer at a Taiwan-based subsidiary of a multinational high-tech manufacturer. <\/p>\n<p class=\"wp-block-paragraph\">Investigators believe the initial foothold may have come through an outdated Digiwin single sign-on portal that still used Java Development Kit versions released between 2009 and 2011. Its target has strategic value to China.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/2491c78c-1ec9-435b-baa8-c06a361e9b5b\/Hackers-Can-Type-a-Secret-Username-at-the-Windows-Login-Screen-to-Open-a-SYSTEM-Shell.pdf?AWSAccessKeyId=ASIA2F3EMEYETZYA6664&amp;Signature=ueDkGcbQ9XiFB4SlNqctWZCKPjc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEHYaCXVzLWVhc3QtMSJIMEYCIQDMmUkrzOAWpwt00DjGiziTrlyrDRye9XhdCfhBkGr%2FxgIhAJtJYtfy%2FRLjvn8WblV2CAZiIVpip09Vcf9X59L8vLsFKvMECD8QARoMNjk5NzUzMzA5NzA1IgzbvLDBQy23n2epk9wq0ARQq0YgUEzCyxHgAQAGcTyMmFIuiDFvwkurwxPcvfJCM5ALWTRCb%2ByQLiwlp%2BbHGI0aMtvLN1AsjKErXVVvK2zOHAog%2FQ9QauLcC51aOHsTCyiJobJMcosewq8zJ4i3OkBFR1Sjv17qhg%2FX18RbcZQKSCKo7jI0UdI8bgIuFyCYwuX1MNfzQui4Fl8XwGJ%2FGxMzj1Fy2uPJuzNt8svZa6kcQG%2Ba3DvbMPHXhYRMZ%2BJZ8gpRUh%2FYYmqv1Oz%2BtDiTdd6v91sASvWmMR76y00l%2BXowLiLI%2FxVh6OeYNRD5yI4N7upursFA9qN7cknk9k6dE2R2iK72YssPZHRKd%2BQNp3IzyTwf0bRn7C0Usfo90eS8d9fu27Fskn68GO0LxBylA3JT4FyNrIDXaJm3dEldiMdwdWrLjRtT3nM%2FYx0IHywwesp9%2FJ6QQLnMMOGl5J8XVmBcZeme38zamz9Gy%2FdXKhkOuSavtk3ITHFpy6txDJUt7leZphm0IRWhMgrR6dDcbNWFODWJLLdduxr9IlVxT0B87ZJ4ZmSZhyVPZN14KEEIf5WGT2GEI7gp%2BgLtRKR7floazmrdO5PzogOW753jR%2FJGTKDFpq8QwqXULVfYVU0eTIf8Tz%2BZPCHXI327G%2FzdO%2Fl4j9Vbym9MTYmmI9hxpbAWlmowl9xuXd1%2B9TNgvk16%2B6SWCn96x%2FwPpyFofqUt1uMHTANtJPVIKRU1iGiEL5ZJVUeVfoTzTT9jIQlfQHLsv8oz9OILQYj6l98LxMwWQ0iyphKW84B5rFu0CivOvHurML%2Fe4dIGOpcBuW%2BMw8S3tJj%2FaXSe1UFV7t2zFl6Opkmo%2B%2B35jDWyH%2B8rumZ2zvtxncYQCt6u1Bp7ibXsbGoL3%2BttIc9FXhzRLHplJofjehiAKfRXzoMHegbWMAj%2FQVmE1NQLvypDUN4xqFE3ilwgf9eaCVETM2gCpIXaw0OWJOp7eB3FUztcjnGQi75jzM7QBjT9vILpOEt32g6JTxQoqQ%3D%3D&amp;Expires=1784184082\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Researchers from Symantec identified Daxin and the previously unknown Backdoor.Stupig on the same host during an investigation in May 2026. <\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.security.com\/threat-intelligence\/daxin-returns-stupig\" data-type=\"link\" data-id=\"https:\/\/www.security.com\/threat-intelligence\/daxin-returns-stupig\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Symantec said in a report<\/a> shared with Cyber Security News (CSN) that the combination suggests a long-running operation, though a direct code-level link between the two tools has not been confirmed.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/2491c78c-1ec9-435b-baa8-c06a361e9b5b\/Hackers-Can-Type-a-Secret-Username-at-the-Windows-Login-Screen-to-Open-a-SYSTEM-Shell.pdf?AWSAccessKeyId=ASIA2F3EMEYETZYA6664&amp;Signature=ueDkGcbQ9XiFB4SlNqctWZCKPjc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEHYaCXVzLWVhc3QtMSJIMEYCIQDMmUkrzOAWpwt00DjGiziTrlyrDRye9XhdCfhBkGr%2FxgIhAJtJYtfy%2FRLjvn8WblV2CAZiIVpip09Vcf9X59L8vLsFKvMECD8QARoMNjk5NzUzMzA5NzA1IgzbvLDBQy23n2epk9wq0ARQq0YgUEzCyxHgAQAGcTyMmFIuiDFvwkurwxPcvfJCM5ALWTRCb%2ByQLiwlp%2BbHGI0aMtvLN1AsjKErXVVvK2zOHAog%2FQ9QauLcC51aOHsTCyiJobJMcosewq8zJ4i3OkBFR1Sjv17qhg%2FX18RbcZQKSCKo7jI0UdI8bgIuFyCYwuX1MNfzQui4Fl8XwGJ%2FGxMzj1Fy2uPJuzNt8svZa6kcQG%2Ba3DvbMPHXhYRMZ%2BJZ8gpRUh%2FYYmqv1Oz%2BtDiTdd6v91sASvWmMR76y00l%2BXowLiLI%2FxVh6OeYNRD5yI4N7upursFA9qN7cknk9k6dE2R2iK72YssPZHRKd%2BQNp3IzyTwf0bRn7C0Usfo90eS8d9fu27Fskn68GO0LxBylA3JT4FyNrIDXaJm3dEldiMdwdWrLjRtT3nM%2FYx0IHywwesp9%2FJ6QQLnMMOGl5J8XVmBcZeme38zamz9Gy%2FdXKhkOuSavtk3ITHFpy6txDJUt7leZphm0IRWhMgrR6dDcbNWFODWJLLdduxr9IlVxT0B87ZJ4ZmSZhyVPZN14KEEIf5WGT2GEI7gp%2BgLtRKR7floazmrdO5PzogOW753jR%2FJGTKDFpq8QwqXULVfYVU0eTIf8Tz%2BZPCHXI327G%2FzdO%2Fl4j9Vbym9MTYmmI9hxpbAWlmowl9xuXd1%2B9TNgvk16%2B6SWCn96x%2FwPpyFofqUt1uMHTANtJPVIKRU1iGiEL5ZJVUeVfoTzTT9jIQlfQHLsv8oz9OILQYj6l98LxMwWQ0iyphKW84B5rFu0CivOvHurML%2Fe4dIGOpcBuW%2BMw8S3tJj%2FaXSe1UFV7t2zFl6Opkmo%2B%2B35jDWyH%2B8rumZ2zvtxncYQCt6u1Bp7ibXsbGoL3%2BttIc9FXhzRLHplJofjehiAKfRXzoMHegbWMAj%2FQVmE1NQLvypDUN4xqFE3ilwgf9eaCVETM2gCpIXaw0OWJOp7eB3FUztcjnGQi75jzM7QBjT9vILpOEt32g6JTxQoqQ%3D%3D&amp;Expires=1784184082\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">The case matters because the backdoor operates before a normal user session begins, where many organisations have limited visibility. <\/p>\n<p class=\"wp-block-paragraph\">Its design can give an attacker command execution as SYSTEM, Windows\u2019 most powerful local account, while also creating an opportunity to intercept credentials entered during the sign-in process. <\/p>\n<p class=\"wp-block-paragraph\">Since it is loaded by a trusted Windows component, routine endpoint checks may not immediately distinguish it from legitimate keyboard support.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/2491c78c-1ec9-435b-baa8-c06a361e9b5b\/Hackers-Can-Type-a-Secret-Username-at-the-Windows-Login-Screen-to-Open-a-SYSTEM-Shell.pdf?AWSAccessKeyId=ASIA2F3EMEYETZYA6664&amp;Signature=ueDkGcbQ9XiFB4SlNqctWZCKPjc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEHYaCXVzLWVhc3QtMSJIMEYCIQDMmUkrzOAWpwt00DjGiziTrlyrDRye9XhdCfhBkGr%2FxgIhAJtJYtfy%2FRLjvn8WblV2CAZiIVpip09Vcf9X59L8vLsFKvMECD8QARoMNjk5NzUzMzA5NzA1IgzbvLDBQy23n2epk9wq0ARQq0YgUEzCyxHgAQAGcTyMmFIuiDFvwkurwxPcvfJCM5ALWTRCb%2ByQLiwlp%2BbHGI0aMtvLN1AsjKErXVVvK2zOHAog%2FQ9QauLcC51aOHsTCyiJobJMcosewq8zJ4i3OkBFR1Sjv17qhg%2FX18RbcZQKSCKo7jI0UdI8bgIuFyCYwuX1MNfzQui4Fl8XwGJ%2FGxMzj1Fy2uPJuzNt8svZa6kcQG%2Ba3DvbMPHXhYRMZ%2BJZ8gpRUh%2FYYmqv1Oz%2BtDiTdd6v91sASvWmMR76y00l%2BXowLiLI%2FxVh6OeYNRD5yI4N7upursFA9qN7cknk9k6dE2R2iK72YssPZHRKd%2BQNp3IzyTwf0bRn7C0Usfo90eS8d9fu27Fskn68GO0LxBylA3JT4FyNrIDXaJm3dEldiMdwdWrLjRtT3nM%2FYx0IHywwesp9%2FJ6QQLnMMOGl5J8XVmBcZeme38zamz9Gy%2FdXKhkOuSavtk3ITHFpy6txDJUt7leZphm0IRWhMgrR6dDcbNWFODWJLLdduxr9IlVxT0B87ZJ4ZmSZhyVPZN14KEEIf5WGT2GEI7gp%2BgLtRKR7floazmrdO5PzogOW753jR%2FJGTKDFpq8QwqXULVfYVU0eTIf8Tz%2BZPCHXI327G%2FzdO%2Fl4j9Vbym9MTYmmI9hxpbAWlmowl9xuXd1%2B9TNgvk16%2B6SWCn96x%2FwPpyFofqUt1uMHTANtJPVIKRU1iGiEL5ZJVUeVfoTzTT9jIQlfQHLsv8oz9OILQYj6l98LxMwWQ0iyphKW84B5rFu0CivOvHurML%2Fe4dIGOpcBuW%2BMw8S3tJj%2FaXSe1UFV7t2zFl6Opkmo%2B%2B35jDWyH%2B8rumZ2zvtxncYQCt6u1Bp7ibXsbGoL3%2BttIc9FXhzRLHplJofjehiAKfRXzoMHegbWMAj%2FQVmE1NQLvypDUN4xqFE3ilwgf9eaCVETM2gCpIXaw0OWJOp7eB3FUztcjnGQi75jzM7QBjT9vILpOEt32g6JTxQoqQ%3D%3D&amp;Expires=1784184082\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<h2 id=\"h-hackers-can-type-a-secret-username-at-the-windows-login-screen\" class=\"wp-block-heading\"><strong>Hackers Can Type a Secret Username at the Windows Login Screen<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">Backdoor.Stupig disguises itself as part of Windows keyboard support rather than behaving like a conventional remote-access program. <\/p>\n<p class=\"wp-block-paragraph\">It registers as a keyboard-layout provider, causing <a href=\"https:\/\/cybersecuritynews.com\/hackers-employ-dll-side-loading\/\" data-type=\"post\" data-id=\"96308\" target=\"_blank\" rel=\"noreferrer noopener\">Windows to load the malicious DLL<\/a> into winlogon.exe during startup, while returning normal keyboard data so the device appears to work as expected.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/2491c78c-1ec9-435b-baa8-c06a361e9b5b\/Hackers-Can-Type-a-Secret-Username-at-the-Windows-Login-Screen-to-Open-a-SYSTEM-Shell.pdf?AWSAccessKeyId=ASIA2F3EMEYETZYA6664&amp;Signature=ueDkGcbQ9XiFB4SlNqctWZCKPjc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEHYaCXVzLWVhc3QtMSJIMEYCIQDMmUkrzOAWpwt00DjGiziTrlyrDRye9XhdCfhBkGr%2FxgIhAJtJYtfy%2FRLjvn8WblV2CAZiIVpip09Vcf9X59L8vLsFKvMECD8QARoMNjk5NzUzMzA5NzA1IgzbvLDBQy23n2epk9wq0ARQq0YgUEzCyxHgAQAGcTyMmFIuiDFvwkurwxPcvfJCM5ALWTRCb%2ByQLiwlp%2BbHGI0aMtvLN1AsjKErXVVvK2zOHAog%2FQ9QauLcC51aOHsTCyiJobJMcosewq8zJ4i3OkBFR1Sjv17qhg%2FX18RbcZQKSCKo7jI0UdI8bgIuFyCYwuX1MNfzQui4Fl8XwGJ%2FGxMzj1Fy2uPJuzNt8svZa6kcQG%2Ba3DvbMPHXhYRMZ%2BJZ8gpRUh%2FYYmqv1Oz%2BtDiTdd6v91sASvWmMR76y00l%2BXowLiLI%2FxVh6OeYNRD5yI4N7upursFA9qN7cknk9k6dE2R2iK72YssPZHRKd%2BQNp3IzyTwf0bRn7C0Usfo90eS8d9fu27Fskn68GO0LxBylA3JT4FyNrIDXaJm3dEldiMdwdWrLjRtT3nM%2FYx0IHywwesp9%2FJ6QQLnMMOGl5J8XVmBcZeme38zamz9Gy%2FdXKhkOuSavtk3ITHFpy6txDJUt7leZphm0IRWhMgrR6dDcbNWFODWJLLdduxr9IlVxT0B87ZJ4ZmSZhyVPZN14KEEIf5WGT2GEI7gp%2BgLtRKR7floazmrdO5PzogOW753jR%2FJGTKDFpq8QwqXULVfYVU0eTIf8Tz%2BZPCHXI327G%2FzdO%2Fl4j9Vbym9MTYmmI9hxpbAWlmowl9xuXd1%2B9TNgvk16%2B6SWCn96x%2FwPpyFofqUt1uMHTANtJPVIKRU1iGiEL5ZJVUeVfoTzTT9jIQlfQHLsv8oz9OILQYj6l98LxMwWQ0iyphKW84B5rFu0CivOvHurML%2Fe4dIGOpcBuW%2BMw8S3tJj%2FaXSe1UFV7t2zFl6Opkmo%2B%2B35jDWyH%2B8rumZ2zvtxncYQCt6u1Bp7ibXsbGoL3%2BttIc9FXhzRLHplJofjehiAKfRXzoMHegbWMAj%2FQVmE1NQLvypDUN4xqFE3ilwgf9eaCVETM2gCpIXaw0OWJOp7eB3FUztcjnGQi75jzM7QBjT9vILpOEt32g6JTxQoqQ%3D%3D&amp;Expires=1784184082\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Once active, the backdoor watches the logon screen for usernames beginning with\u00a0<code>stupig<\/code>. <\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiePYlEr24x8_Jd6DnnrGf9JuHpYfgaIMVbR9zfZf3QDuVQ8dIv_h-7cU72GnvxCiMk0DRO4OZH2TZ5_hzmabBA7YSn_M7jMpNdLaZhWTdhmv1mv0OgTAMbnNrxg1KGjZj0AReAzfRYMdhoYZimgvlJzDoQMTQsQRWbgsIeni9phIts-_sAKKuYF18kieE\/s1600\/Attack%2520chain%2520%28Source%2520-%2520Symantec%29.webp?ssl=1\" alt=\"Attack chain (Source - Symantec)\"><figcaption class=\"wp-element-caption\">Attack chain (Source \u2013 Symantec)<\/figcaption><\/figure>\n<\/div>\n<p class=\"wp-block-paragraph\">If the attacker enters only that prefix, it launches a SYSTEM command prompt on the secure desktop; if text follows the prefix, that text is executed as a command with the same level of access.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/2491c78c-1ec9-435b-baa8-c06a361e9b5b\/Hackers-Can-Type-a-Secret-Username-at-the-Windows-Login-Screen-to-Open-a-SYSTEM-Shell.pdf?AWSAccessKeyId=ASIA2F3EMEYETZYA6664&amp;Signature=ueDkGcbQ9XiFB4SlNqctWZCKPjc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEHYaCXVzLWVhc3QtMSJIMEYCIQDMmUkrzOAWpwt00DjGiziTrlyrDRye9XhdCfhBkGr%2FxgIhAJtJYtfy%2FRLjvn8WblV2CAZiIVpip09Vcf9X59L8vLsFKvMECD8QARoMNjk5NzUzMzA5NzA1IgzbvLDBQy23n2epk9wq0ARQq0YgUEzCyxHgAQAGcTyMmFIuiDFvwkurwxPcvfJCM5ALWTRCb%2ByQLiwlp%2BbHGI0aMtvLN1AsjKErXVVvK2zOHAog%2FQ9QauLcC51aOHsTCyiJobJMcosewq8zJ4i3OkBFR1Sjv17qhg%2FX18RbcZQKSCKo7jI0UdI8bgIuFyCYwuX1MNfzQui4Fl8XwGJ%2FGxMzj1Fy2uPJuzNt8svZa6kcQG%2Ba3DvbMPHXhYRMZ%2BJZ8gpRUh%2FYYmqv1Oz%2BtDiTdd6v91sASvWmMR76y00l%2BXowLiLI%2FxVh6OeYNRD5yI4N7upursFA9qN7cknk9k6dE2R2iK72YssPZHRKd%2BQNp3IzyTwf0bRn7C0Usfo90eS8d9fu27Fskn68GO0LxBylA3JT4FyNrIDXaJm3dEldiMdwdWrLjRtT3nM%2FYx0IHywwesp9%2FJ6QQLnMMOGl5J8XVmBcZeme38zamz9Gy%2FdXKhkOuSavtk3ITHFpy6txDJUt7leZphm0IRWhMgrR6dDcbNWFODWJLLdduxr9IlVxT0B87ZJ4ZmSZhyVPZN14KEEIf5WGT2GEI7gp%2BgLtRKR7floazmrdO5PzogOW753jR%2FJGTKDFpq8QwqXULVfYVU0eTIf8Tz%2BZPCHXI327G%2FzdO%2Fl4j9Vbym9MTYmmI9hxpbAWlmowl9xuXd1%2B9TNgvk16%2B6SWCn96x%2FwPpyFofqUt1uMHTANtJPVIKRU1iGiEL5ZJVUeVfoTzTT9jIQlfQHLsv8oz9OILQYj6l98LxMwWQ0iyphKW84B5rFu0CivOvHurML%2Fe4dIGOpcBuW%2BMw8S3tJj%2FaXSe1UFV7t2zFl6Opkmo%2B%2B35jDWyH%2B8rumZ2zvtxncYQCt6u1Bp7ibXsbGoL3%2BttIc9FXhzRLHplJofjehiAKfRXzoMHegbWMAj%2FQVmE1NQLvypDUN4xqFE3ilwgf9eaCVETM2gCpIXaw0OWJOp7eB3FUztcjnGQi75jzM7QBjT9vILpOEt32g6JTxQoqQ%3D%3D&amp;Expires=1784184082\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">The program then passes the request to the <a href=\"https:\/\/cybersecuritynews.com\/windows-event-log-analysis\/\" data-type=\"post\" data-id=\"10769\" target=\"_blank\" rel=\"noreferrer noopener\">legitimate Windows logon process<\/a>, which produces an ordinary failed-sign-in response. <\/p>\n<p class=\"wp-block-paragraph\">This means defenders may see an unusual failed username but no obvious logon audit anomaly showing that a privileged shell was created, making a simple screen-level test unusually valuable to an intruder with console access.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/2491c78c-1ec9-435b-baa8-c06a361e9b5b\/Hackers-Can-Type-a-Secret-Username-at-the-Windows-Login-Screen-to-Open-a-SYSTEM-Shell.pdf?AWSAccessKeyId=ASIA2F3EMEYETZYA6664&amp;Signature=ueDkGcbQ9XiFB4SlNqctWZCKPjc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEHYaCXVzLWVhc3QtMSJIMEYCIQDMmUkrzOAWpwt00DjGiziTrlyrDRye9XhdCfhBkGr%2FxgIhAJtJYtfy%2FRLjvn8WblV2CAZiIVpip09Vcf9X59L8vLsFKvMECD8QARoMNjk5NzUzMzA5NzA1IgzbvLDBQy23n2epk9wq0ARQq0YgUEzCyxHgAQAGcTyMmFIuiDFvwkurwxPcvfJCM5ALWTRCb%2ByQLiwlp%2BbHGI0aMtvLN1AsjKErXVVvK2zOHAog%2FQ9QauLcC51aOHsTCyiJobJMcosewq8zJ4i3OkBFR1Sjv17qhg%2FX18RbcZQKSCKo7jI0UdI8bgIuFyCYwuX1MNfzQui4Fl8XwGJ%2FGxMzj1Fy2uPJuzNt8svZa6kcQG%2Ba3DvbMPHXhYRMZ%2BJZ8gpRUh%2FYYmqv1Oz%2BtDiTdd6v91sASvWmMR76y00l%2BXowLiLI%2FxVh6OeYNRD5yI4N7upursFA9qN7cknk9k6dE2R2iK72YssPZHRKd%2BQNp3IzyTwf0bRn7C0Usfo90eS8d9fu27Fskn68GO0LxBylA3JT4FyNrIDXaJm3dEldiMdwdWrLjRtT3nM%2FYx0IHywwesp9%2FJ6QQLnMMOGl5J8XVmBcZeme38zamz9Gy%2FdXKhkOuSavtk3ITHFpy6txDJUt7leZphm0IRWhMgrR6dDcbNWFODWJLLdduxr9IlVxT0B87ZJ4ZmSZhyVPZN14KEEIf5WGT2GEI7gp%2BgLtRKR7floazmrdO5PzogOW753jR%2FJGTKDFpq8QwqXULVfYVU0eTIf8Tz%2BZPCHXI327G%2FzdO%2Fl4j9Vbym9MTYmmI9hxpbAWlmowl9xuXd1%2B9TNgvk16%2B6SWCn96x%2FwPpyFofqUt1uMHTANtJPVIKRU1iGiEL5ZJVUeVfoTzTT9jIQlfQHLsv8oz9OILQYj6l98LxMwWQ0iyphKW84B5rFu0CivOvHurML%2Fe4dIGOpcBuW%2BMw8S3tJj%2FaXSe1UFV7t2zFl6Opkmo%2B%2B35jDWyH%2B8rumZ2zvtxncYQCt6u1Bp7ibXsbGoL3%2BttIc9FXhzRLHplJofjehiAKfRXzoMHegbWMAj%2FQVmE1NQLvypDUN4xqFE3ilwgf9eaCVETM2gCpIXaw0OWJOp7eB3FUztcjnGQi75jzM7QBjT9vILpOEt32g6JTxQoqQ%3D%3D&amp;Expires=1784184082\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Stupig also places hooks in Windows functions used during authentication and credential handling, allowing it to capture information inside winlogon.exe. <\/p>\n<p class=\"wp-block-paragraph\">Investigators found a reference to a companion file named\u00a0<code>msyun.dll<\/code>, but that payload was not among the artifacts recovered from the affected environment. <\/p>\n<p class=\"wp-block-paragraph\">The researchers said Stupig does not match a known malware family in their similarity analysis, underscoring the value of checking unfamiliar authentication-time modules.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/2491c78c-1ec9-435b-baa8-c06a361e9b5b\/Hackers-Can-Type-a-Secret-Username-at-the-Windows-Login-Screen-to-Open-a-SYSTEM-Shell.pdf?AWSAccessKeyId=ASIA2F3EMEYETZYA6664&amp;Signature=ueDkGcbQ9XiFB4SlNqctWZCKPjc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEHYaCXVzLWVhc3QtMSJIMEYCIQDMmUkrzOAWpwt00DjGiziTrlyrDRye9XhdCfhBkGr%2FxgIhAJtJYtfy%2FRLjvn8WblV2CAZiIVpip09Vcf9X59L8vLsFKvMECD8QARoMNjk5NzUzMzA5NzA1IgzbvLDBQy23n2epk9wq0ARQq0YgUEzCyxHgAQAGcTyMmFIuiDFvwkurwxPcvfJCM5ALWTRCb%2ByQLiwlp%2BbHGI0aMtvLN1AsjKErXVVvK2zOHAog%2FQ9QauLcC51aOHsTCyiJobJMcosewq8zJ4i3OkBFR1Sjv17qhg%2FX18RbcZQKSCKo7jI0UdI8bgIuFyCYwuX1MNfzQui4Fl8XwGJ%2FGxMzj1Fy2uPJuzNt8svZa6kcQG%2Ba3DvbMPHXhYRMZ%2BJZ8gpRUh%2FYYmqv1Oz%2BtDiTdd6v91sASvWmMR76y00l%2BXowLiLI%2FxVh6OeYNRD5yI4N7upursFA9qN7cknk9k6dE2R2iK72YssPZHRKd%2BQNp3IzyTwf0bRn7C0Usfo90eS8d9fu27Fskn68GO0LxBylA3JT4FyNrIDXaJm3dEldiMdwdWrLjRtT3nM%2FYx0IHywwesp9%2FJ6QQLnMMOGl5J8XVmBcZeme38zamz9Gy%2FdXKhkOuSavtk3ITHFpy6txDJUt7leZphm0IRWhMgrR6dDcbNWFODWJLLdduxr9IlVxT0B87ZJ4ZmSZhyVPZN14KEEIf5WGT2GEI7gp%2BgLtRKR7floazmrdO5PzogOW753jR%2FJGTKDFpq8QwqXULVfYVU0eTIf8Tz%2BZPCHXI327G%2FzdO%2Fl4j9Vbym9MTYmmI9hxpbAWlmowl9xuXd1%2B9TNgvk16%2B6SWCn96x%2FwPpyFofqUt1uMHTANtJPVIKRU1iGiEL5ZJVUeVfoTzTT9jIQlfQHLsv8oz9OILQYj6l98LxMwWQ0iyphKW84B5rFu0CivOvHurML%2Fe4dIGOpcBuW%2BMw8S3tJj%2FaXSe1UFV7t2zFl6Opkmo%2B%2B35jDWyH%2B8rumZ2zvtxncYQCt6u1Bp7ibXsbGoL3%2BttIc9FXhzRLHplJofjehiAKfRXzoMHegbWMAj%2FQVmE1NQLvypDUN4xqFE3ilwgf9eaCVETM2gCpIXaw0OWJOp7eB3FUztcjnGQi75jzM7QBjT9vILpOEt32g6JTxQoqQ%3D%3D&amp;Expires=1784184082\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<h2 id=\"h-daxin-signals-enduring-espionage\" class=\"wp-block-heading\"><strong>Daxin Signals Enduring Espionage<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">Daxin is a kernel-level Windows backdoor first exposed in 2022, although samples date to 2013. <\/p>\n<p class=\"wp-block-paragraph\">Rather than making a clear outbound connection to a control server, <a href=\"https:\/\/cybersecuritynews.com\/detecting-malicious-http-traffic\/\" data-type=\"post\" data-id=\"42355\" target=\"_blank\" rel=\"noreferrer noopener\">it monitors inbound TCP traffic<\/a> for specific patterns and takes over legitimate connections to carry encrypted instructions.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/2491c78c-1ec9-435b-baa8-c06a361e9b5b\/Hackers-Can-Type-a-Secret-Username-at-the-Windows-Login-Screen-to-Open-a-SYSTEM-Shell.pdf?AWSAccessKeyId=ASIA2F3EMEYETZYA6664&amp;Signature=ueDkGcbQ9XiFB4SlNqctWZCKPjc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEHYaCXVzLWVhc3QtMSJIMEYCIQDMmUkrzOAWpwt00DjGiziTrlyrDRye9XhdCfhBkGr%2FxgIhAJtJYtfy%2FRLjvn8WblV2CAZiIVpip09Vcf9X59L8vLsFKvMECD8QARoMNjk5NzUzMzA5NzA1IgzbvLDBQy23n2epk9wq0ARQq0YgUEzCyxHgAQAGcTyMmFIuiDFvwkurwxPcvfJCM5ALWTRCb%2ByQLiwlp%2BbHGI0aMtvLN1AsjKErXVVvK2zOHAog%2FQ9QauLcC51aOHsTCyiJobJMcosewq8zJ4i3OkBFR1Sjv17qhg%2FX18RbcZQKSCKo7jI0UdI8bgIuFyCYwuX1MNfzQui4Fl8XwGJ%2FGxMzj1Fy2uPJuzNt8svZa6kcQG%2Ba3DvbMPHXhYRMZ%2BJZ8gpRUh%2FYYmqv1Oz%2BtDiTdd6v91sASvWmMR76y00l%2BXowLiLI%2FxVh6OeYNRD5yI4N7upursFA9qN7cknk9k6dE2R2iK72YssPZHRKd%2BQNp3IzyTwf0bRn7C0Usfo90eS8d9fu27Fskn68GO0LxBylA3JT4FyNrIDXaJm3dEldiMdwdWrLjRtT3nM%2FYx0IHywwesp9%2FJ6QQLnMMOGl5J8XVmBcZeme38zamz9Gy%2FdXKhkOuSavtk3ITHFpy6txDJUt7leZphm0IRWhMgrR6dDcbNWFODWJLLdduxr9IlVxT0B87ZJ4ZmSZhyVPZN14KEEIf5WGT2GEI7gp%2BgLtRKR7floazmrdO5PzogOW753jR%2FJGTKDFpq8QwqXULVfYVU0eTIf8Tz%2BZPCHXI327G%2FzdO%2Fl4j9Vbym9MTYmmI9hxpbAWlmowl9xuXd1%2B9TNgvk16%2B6SWCn96x%2FwPpyFofqUt1uMHTANtJPVIKRU1iGiEL5ZJVUeVfoTzTT9jIQlfQHLsv8oz9OILQYj6l98LxMwWQ0iyphKW84B5rFu0CivOvHurML%2Fe4dIGOpcBuW%2BMw8S3tJj%2FaXSe1UFV7t2zFl6Opkmo%2B%2B35jDWyH%2B8rumZ2zvtxncYQCt6u1Bp7ibXsbGoL3%2BttIc9FXhzRLHplJofjehiAKfRXzoMHegbWMAj%2FQVmE1NQLvypDUN4xqFE3ilwgf9eaCVETM2gCpIXaw0OWJOp7eB3FUztcjnGQi75jzM7QBjT9vILpOEt32g6JTxQoqQ%3D%3D&amp;Expires=1784184082\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">That approach can blend malicious traffic into normal network activity and makes conventional monitoring less effective. <\/p>\n<p class=\"wp-block-paragraph\">Daxin can also relay commands through multiple compromised devices, potentially giving operators a route into isolated network areas that have no direct internet connection.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/2491c78c-1ec9-435b-baa8-c06a361e9b5b\/Hackers-Can-Type-a-Secret-Username-at-the-Windows-Login-Screen-to-Open-a-SYSTEM-Shell.pdf?AWSAccessKeyId=ASIA2F3EMEYETZYA6664&amp;Signature=ueDkGcbQ9XiFB4SlNqctWZCKPjc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEHYaCXVzLWVhc3QtMSJIMEYCIQDMmUkrzOAWpwt00DjGiziTrlyrDRye9XhdCfhBkGr%2FxgIhAJtJYtfy%2FRLjvn8WblV2CAZiIVpip09Vcf9X59L8vLsFKvMECD8QARoMNjk5NzUzMzA5NzA1IgzbvLDBQy23n2epk9wq0ARQq0YgUEzCyxHgAQAGcTyMmFIuiDFvwkurwxPcvfJCM5ALWTRCb%2ByQLiwlp%2BbHGI0aMtvLN1AsjKErXVVvK2zOHAog%2FQ9QauLcC51aOHsTCyiJobJMcosewq8zJ4i3OkBFR1Sjv17qhg%2FX18RbcZQKSCKo7jI0UdI8bgIuFyCYwuX1MNfzQui4Fl8XwGJ%2FGxMzj1Fy2uPJuzNt8svZa6kcQG%2Ba3DvbMPHXhYRMZ%2BJZ8gpRUh%2FYYmqv1Oz%2BtDiTdd6v91sASvWmMR76y00l%2BXowLiLI%2FxVh6OeYNRD5yI4N7upursFA9qN7cknk9k6dE2R2iK72YssPZHRKd%2BQNp3IzyTwf0bRn7C0Usfo90eS8d9fu27Fskn68GO0LxBylA3JT4FyNrIDXaJm3dEldiMdwdWrLjRtT3nM%2FYx0IHywwesp9%2FJ6QQLnMMOGl5J8XVmBcZeme38zamz9Gy%2FdXKhkOuSavtk3ITHFpy6txDJUt7leZphm0IRWhMgrR6dDcbNWFODWJLLdduxr9IlVxT0B87ZJ4ZmSZhyVPZN14KEEIf5WGT2GEI7gp%2BgLtRKR7floazmrdO5PzogOW753jR%2FJGTKDFpq8QwqXULVfYVU0eTIf8Tz%2BZPCHXI327G%2FzdO%2Fl4j9Vbym9MTYmmI9hxpbAWlmowl9xuXd1%2B9TNgvk16%2B6SWCn96x%2FwPpyFofqUt1uMHTANtJPVIKRU1iGiEL5ZJVUeVfoTzTT9jIQlfQHLsv8oz9OILQYj6l98LxMwWQ0iyphKW84B5rFu0CivOvHurML%2Fe4dIGOpcBuW%2BMw8S3tJj%2FaXSe1UFV7t2zFl6Opkmo%2B%2B35jDWyH%2B8rumZ2zvtxncYQCt6u1Bp7ibXsbGoL3%2BttIc9FXhzRLHplJofjehiAKfRXzoMHegbWMAj%2FQVmE1NQLvypDUN4xqFE3ilwgf9eaCVETM2gCpIXaw0OWJOp7eB3FUztcjnGQi75jzM7QBjT9vILpOEt32g6JTxQoqQ%3D%3D&amp;Expires=1784184082\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Both samples carried early-2013 compilation timestamps, while the affected system did not begin supplying telemetry until May 12, 2026. <\/p>\n<p class=\"wp-block-paragraph\">That gap, together with the group\u2019s history of quiet persistence, leaves open the possibility that the intrusion remained hidden for years and perhaps longer than a decade. <\/p>\n<p class=\"wp-block-paragraph\">The <a href=\"https:\/\/cybersecuritynews.com\/new-net-malware-hides-lokibot-malware\/\" data-type=\"post\" data-id=\"133703\" target=\"_blank\" rel=\"noreferrer noopener\">malware files were also detected<\/a> under different names, a change that appeared to follow the first detection event.<a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/2491c78c-1ec9-435b-baa8-c06a361e9b5b\/Hackers-Can-Type-a-Secret-Username-at-the-Windows-Login-Screen-to-Open-a-SYSTEM-Shell.pdf?AWSAccessKeyId=ASIA2F3EMEYETZYA6664&amp;Signature=ueDkGcbQ9XiFB4SlNqctWZCKPjc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEHYaCXVzLWVhc3QtMSJIMEYCIQDMmUkrzOAWpwt00DjGiziTrlyrDRye9XhdCfhBkGr%2FxgIhAJtJYtfy%2FRLjvn8WblV2CAZiIVpip09Vcf9X59L8vLsFKvMECD8QARoMNjk5NzUzMzA5NzA1IgzbvLDBQy23n2epk9wq0ARQq0YgUEzCyxHgAQAGcTyMmFIuiDFvwkurwxPcvfJCM5ALWTRCb%2ByQLiwlp%2BbHGI0aMtvLN1AsjKErXVVvK2zOHAog%2FQ9QauLcC51aOHsTCyiJobJMcosewq8zJ4i3OkBFR1Sjv17qhg%2FX18RbcZQKSCKo7jI0UdI8bgIuFyCYwuX1MNfzQui4Fl8XwGJ%2FGxMzj1Fy2uPJuzNt8svZa6kcQG%2Ba3DvbMPHXhYRMZ%2BJZ8gpRUh%2FYYmqv1Oz%2BtDiTdd6v91sASvWmMR76y00l%2BXowLiLI%2FxVh6OeYNRD5yI4N7upursFA9qN7cknk9k6dE2R2iK72YssPZHRKd%2BQNp3IzyTwf0bRn7C0Usfo90eS8d9fu27Fskn68GO0LxBylA3JT4FyNrIDXaJm3dEldiMdwdWrLjRtT3nM%2FYx0IHywwesp9%2FJ6QQLnMMOGl5J8XVmBcZeme38zamz9Gy%2FdXKhkOuSavtk3ITHFpy6txDJUt7leZphm0IRWhMgrR6dDcbNWFODWJLLdduxr9IlVxT0B87ZJ4ZmSZhyVPZN14KEEIf5WGT2GEI7gp%2BgLtRKR7floazmrdO5PzogOW753jR%2FJGTKDFpq8QwqXULVfYVU0eTIf8Tz%2BZPCHXI327G%2FzdO%2Fl4j9Vbym9MTYmmI9hxpbAWlmowl9xuXd1%2B9TNgvk16%2B6SWCn96x%2FwPpyFofqUt1uMHTANtJPVIKRU1iGiEL5ZJVUeVfoTzTT9jIQlfQHLsv8oz9OILQYj6l98LxMwWQ0iyphKW84B5rFu0CivOvHurML%2Fe4dIGOpcBuW%2BMw8S3tJj%2FaXSe1UFV7t2zFl6Opkmo%2B%2B35jDWyH%2B8rumZ2zvtxncYQCt6u1Bp7ibXsbGoL3%2BttIc9FXhzRLHplJofjehiAKfRXzoMHegbWMAj%2FQVmE1NQLvypDUN4xqFE3ilwgf9eaCVETM2gCpIXaw0OWJOp7eB3FUztcjnGQi75jzM7QBjT9vILpOEt32g6JTxQoqQ%3D%3D&amp;Expires=1784184082\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<p class=\"wp-block-paragraph\">Defenders should urgently replace unsupported Java installations and review exposed single sign-on systems, especially older Digiwin deployments. <\/p>\n<p class=\"wp-block-paragraph\">They should also examine keyboard-layout registrations and DLLs loaded by winlogon.exe, investigate failed logons using unusual\u00a0<code>stupig<\/code>-prefixed names, and hunt for the indicators below across Windows systems. <\/p>\n<p class=\"wp-block-paragraph\">Reviewing systems that lack historical telemetry is equally important, since dormant implants may only surface when monitoring improves. This includes validating all remaining legacy assets.<\/p>\n<p class=\"wp-block-paragraph\"><strong>Indicators of compromise (IoCs):-<\/strong><a href=\"https:\/\/ppl-ai-file-upload.s3.amazonaws.com\/web\/direct-files\/attachments\/11146061\/2491c78c-1ec9-435b-baa8-c06a361e9b5b\/Hackers-Can-Type-a-Secret-Username-at-the-Windows-Login-Screen-to-Open-a-SYSTEM-Shell.pdf?AWSAccessKeyId=ASIA2F3EMEYETZYA6664&amp;Signature=ueDkGcbQ9XiFB4SlNqctWZCKPjc%3D&amp;x-amz-security-token=IQoJb3JpZ2luX2VjEHYaCXVzLWVhc3QtMSJIMEYCIQDMmUkrzOAWpwt00DjGiziTrlyrDRye9XhdCfhBkGr%2FxgIhAJtJYtfy%2FRLjvn8WblV2CAZiIVpip09Vcf9X59L8vLsFKvMECD8QARoMNjk5NzUzMzA5NzA1IgzbvLDBQy23n2epk9wq0ARQq0YgUEzCyxHgAQAGcTyMmFIuiDFvwkurwxPcvfJCM5ALWTRCb%2ByQLiwlp%2BbHGI0aMtvLN1AsjKErXVVvK2zOHAog%2FQ9QauLcC51aOHsTCyiJobJMcosewq8zJ4i3OkBFR1Sjv17qhg%2FX18RbcZQKSCKo7jI0UdI8bgIuFyCYwuX1MNfzQui4Fl8XwGJ%2FGxMzj1Fy2uPJuzNt8svZa6kcQG%2Ba3DvbMPHXhYRMZ%2BJZ8gpRUh%2FYYmqv1Oz%2BtDiTdd6v91sASvWmMR76y00l%2BXowLiLI%2FxVh6OeYNRD5yI4N7upursFA9qN7cknk9k6dE2R2iK72YssPZHRKd%2BQNp3IzyTwf0bRn7C0Usfo90eS8d9fu27Fskn68GO0LxBylA3JT4FyNrIDXaJm3dEldiMdwdWrLjRtT3nM%2FYx0IHywwesp9%2FJ6QQLnMMOGl5J8XVmBcZeme38zamz9Gy%2FdXKhkOuSavtk3ITHFpy6txDJUt7leZphm0IRWhMgrR6dDcbNWFODWJLLdduxr9IlVxT0B87ZJ4ZmSZhyVPZN14KEEIf5WGT2GEI7gp%2BgLtRKR7floazmrdO5PzogOW753jR%2FJGTKDFpq8QwqXULVfYVU0eTIf8Tz%2BZPCHXI327G%2FzdO%2Fl4j9Vbym9MTYmmI9hxpbAWlmowl9xuXd1%2B9TNgvk16%2B6SWCn96x%2FwPpyFofqUt1uMHTANtJPVIKRU1iGiEL5ZJVUeVfoTzTT9jIQlfQHLsv8oz9OILQYj6l98LxMwWQ0iyphKW84B5rFu0CivOvHurML%2Fe4dIGOpcBuW%2BMw8S3tJj%2FaXSe1UFV7t2zFl6Opkmo%2B%2B35jDWyH%2B8rumZ2zvtxncYQCt6u1Bp7ibXsbGoL3%2BttIc9FXhzRLHplJofjehiAKfRXzoMHegbWMAj%2FQVmE1NQLvypDUN4xqFE3ilwgf9eaCVETM2gCpIXaw0OWJOp7eB3FUztcjnGQi75jzM7QBjT9vILpOEt32g6JTxQoqQ%3D%3D&amp;Expires=1784184082\" target=\"_blank\" rel=\"noreferrer noopener\"><\/a><\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">Type<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Indicator<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Description<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>SHA-256<\/td>\n<td><code>49c827cf48efb122a9d6fd87b426482b7496ccd4a2dbca31ebbf6b2b80c98530<\/code><\/td>\n<td>Backdoor.Daxin,\u00a0<code>srt64.sys<\/code>\n<\/td>\n<\/tr>\n<tr>\n<td>File name<\/td>\n<td><code>srt64.sys<\/code><\/td>\n<td>Backdoor.Daxin kernel-mode driver<\/td>\n<\/tr>\n<tr>\n<td>SHA-256<\/td>\n<td><code>5bb5cffda4647940919a185df37aab2aef71ca3010a6c1d05bdcc8bc8fb3af3f<\/code><\/td>\n<td>Backdoor.Stupig<\/td>\n<\/tr>\n<tr>\n<td>File name<\/td>\n<td><code>a.dll<\/code><\/td>\n<td>Backdoor.Stupig deployment name<\/td>\n<\/tr>\n<tr>\n<td>File name<\/td>\n<td><code>kbdus1.dll<\/code><\/td>\n<td>Backdoor.Stupig renamed deployment name<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p class=\"wp-block-paragraph\"><strong>Note:<\/strong>\u00a0<em>IP addresses and domains are intentionally defanged (e.g.,\u00a0<\/em><code><em>[.]<\/em><\/code><em>) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/p>\n<p class=\"has-text-align-center has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 91%,rgb(169,184,195) 100%)\"><strong><strong><strong><strong><strong><strong><strong><strong><strong><strong>Strengthen Your SOC by Accelerating Threat Detection &amp; Rapid Investigations.\u00a0-&gt;\u00a0<a href=\"https:\/\/any.run\/enterprise\/?utm_source=csn&amp;utm_medium=links&amp;utm_campaign=sandbox&amp;utm_content=enterprise&amp;utm_term=0626#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener\">Integrate ANY.RUN With Your SOC\u00a0<\/a><strong><a href=\"https:\/\/any.run\/enterprise\/?utm_source=csn&amp;utm_medium=links&amp;utm_campaign=sandbox&amp;utm_content=enterprise&amp;utm_term=0626#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener\">Now<\/a><\/strong>.<\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/hackers-can-type-a-secret-username-at-the-windows-login-screen\/\">Hackers Can Type a Secret Username at the Windows Login Screen to Open a SYSTEM Shell<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Tushar Subhra Dutta<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/hackers-can-type-a-secret-username-at-the-windows-login-screen\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers Can Type a Secret Username at the Windows Login Screen to Open a SYSTEM Shell A stealthy Windows backdoor has resurfaced alongside Daxin, a sophisticated espionage tool previously tied to China-linked activity. The newly documented implant lets an intruder type a special username at the Windows sign-in screen and, in some cases, immediately open [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,649],"tags":[130],"class_list":["post-14343","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-threats","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14343"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14343"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14343\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14343"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14343"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14343"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}