VYPR
researchPublished Jul 16, 2026· 1 source

New Windows Backdoor 'Stupig' Allows SYSTEM Shell Access via Login Screen Trick

A stealthy Windows backdoor named Backdoor.Stupig has emerged, enabling attackers to gain SYSTEM shell access by typing a specific username prefix at the Windows login screen.

A sophisticated and stealthy Windows backdoor, dubbed Backdoor.Stupig, has been discovered operating in tandem with the Daxin espionage tool, a combination that suggests a prolonged and targeted cyber operation. The newly identified implant presents a unique threat by allowing an attacker with console access to obtain SYSTEM-level command shell privileges simply by typing a specially crafted username at the Windows login screen, bypassing normal security checks.

The discovery was made on a compromised system belonging to a Taiwan-based subsidiary of a multinational high-tech manufacturer, a target with significant strategic value. Investigators suspect the initial compromise may have originated from an outdated Digiwin single sign-on portal that was still utilizing vulnerable versions of the Java Development Kit from 2009-2011. Researchers from Symantec identified both Daxin and the previously unknown Backdoor.Stupig on the same host during an investigation in May 2026, noting that while a direct code link hasn't been confirmed, their co-occurrence points to a coordinated campaign.

The primary danger of Backdoor.Stupig lies in its ability to execute malicious code before a standard user session even begins. This pre-boot execution environment is often less monitored by organizations, providing attackers with a significant advantage. By disguising itself as a legitimate keyboard support component, it registers as a keyboard-layout provider. This causes Windows to load the malicious DLL into the critical winlogon.exe process during startup, while still passing normal keyboard data to maintain the appearance of proper functionality.

Once loaded, the backdoor actively monitors the login screen for usernames that begin with the specific prefix "stupig." If an attacker enters only this prefix, a SYSTEM command prompt is launched directly on the secure desktop. If additional text follows the prefix, that text is interpreted and executed as a command, also with SYSTEM privileges. The backdoor then allows the legitimate Windows logon process to proceed, returning a standard failed-login response, which can mask the creation of the privileged shell from typical security logs.

Beyond its login screen trickery, Stupig also employs hooks within Windows functions related to authentication and credential handling. This capability allows it to potentially intercept sensitive information, including usernames and passwords, entered during the sign-in process directly within the winlogon.exe process. While a companion file named msyun.dll was referenced, it was not recovered, leaving the full capabilities of the implant partially unknown.

The Daxin backdoor, which has been known since 2022 but with samples dating back to 2013, operates at the kernel level. It employs a stealthy command-and-control method, monitoring inbound TCP traffic for specific patterns rather than making overt outbound connections. This allows it to blend malicious traffic with normal network activity and relay commands through multiple compromised devices, potentially enabling access to air-gapped or isolated network segments.

Given the long persistence of Daxin and the stealthy nature of Stupig, organizations are urged to take immediate action. This includes replacing unsupported Java installations, reviewing exposed single sign-on systems, and scrutinizing keyboard-layout registrations and DLLs loaded by winlogon.exe. Investigating failed login attempts with unusual stupig-prefixed names and hunting for the provided indicators of compromise across Windows systems are also critical steps. Furthermore, validating systems that lack historical telemetry is essential, as dormant implants may only surface with improved monitoring.

This discovery highlights the evolving tactics of advanced persistent threat (APT) groups, who are increasingly leveraging sophisticated pre-boot execution vulnerabilities and stealthy implants to maintain long-term access and conduct espionage. The combination of Daxin and Stupig underscores the need for continuous vigilance and robust endpoint security monitoring, particularly for systems with legacy components or outdated software.

Synthesized by Vypr AI