Daxin is an advanced kernel-mode rootkit deployed by China-linked threat actors in highly targeted espionage campaigns. First documented by Symantec in early 2022, this sophisticated malware operates at the Windows kernel level and includes a custom TCP/IP stack designed to hijack legitimate network connections without detection. Unlike commodity malware that spreads widely, Daxin represents nation-state tooling reserved for high-value targets in government, defense, and critical infrastructure sectors. If you suspect Daxin on your system, you're likely dealing with a targeted intrusion requiring immediate professional intervention.
Threat Profile
| Threat Name | Daxin (DELIMEAT) |
|---|---|
| Threat Type | Kernel-mode rootkit / APT backdoor |
| Platform | Windows (WIN) |
| File Type | Windows PE executable (kernel driver) |
| First Documented | 2022 (campaigns dating to 2013) |
| Attribution | China-linked APT groups |
| Primary Targets | Government, defense, telecom, critical infrastructure |
| Distribution Method | Targeted deployment via prior compromise |
| Privilege Required | Administrator / SYSTEM (kernel driver installation) |
| Persistence Mechanism | Windows kernel driver service |
| Detection Aliases | Daxin, DELIMEAT (per threat intel providers) |
| Detection Difficulty | Extremely high (kernel-level stealth, custom network stack) |
How It Spreads
Daxin does not spread through conventional infection vectors like email phishing or malicious websites. It arrives on systems only after threat actors have already gained deep access to a target network through previous intrusions. The malware represents a second-stage or later-stage implant installed manually by sophisticated operators who have already compromised administrative credentials and bypassed initial security defenses.
Security researchers believe Daxin deployment follows multi-month reconnaissance campaigns where attackers map network topology, steal credentials, and identify the most strategic systems for long-term monitoring. The malware's complexity and operational security measures indicate it's reserved for targets where maintaining persistent, undetected access justifies significant development resources.
Typical deployment scenarios include:
- Supply chain compromise — installed via trojanized software updates or vendor access to managed services
- Credential theft follow-on — deployed after attackers harvest domain administrator passwords through tools like Mimikatz
- Remote code execution exploits — leveraging unpatched vulnerabilities in internet-facing servers, then moving laterally
- Physical access operations — installed by insiders or during interdiction of hardware in transit
- Living-off-the-land techniques — using legitimate Windows management tools (PsExec, WMI, PowerShell remoting) to deploy the driver across networks
What It Does On Your Machine
Once installed, Daxin operates as a legitimate-looking Windows kernel driver, loading at system boot with full access to hardware, memory, and all running processes. The malware's most distinctive capability is its custom TCP/IP network stack, which allows it to monitor and hijack existing network connections without creating new ones that would appear in standard network monitoring tools. When an operator needs to communicate with a Daxin-infected machine, they can "knock" on the connection by sending specially crafted packets to existing legitimate connections—the malware intercepts these packets, extracts commands, and responds through the same hijacked connection.
This connection hijacking makes network-based detection extraordinarily difficult. Security teams monitoring for suspicious outbound connections won't see Daxin traffic because it rides piggyback on normal business communications. The malware can commandeer connections to legitimate services like Windows updates, antivirus signature downloads, or routine cloud synchronization, blending its command-and-control traffic with expected network behavior.
Beyond stealth communications, Daxin provides attackers with a full-featured backdoor into compromised systems. Operators can execute arbitrary commands, exfiltrate files, deploy additional malware, and use the infected machine as a relay point to reach other systems on air-gapped or highly segmented networks. The malware includes sophisticated encrypted tunneling capabilities that allow attackers to "hop" through multiple infected machines, accessing systems that have no direct internet connection.
The malware's kernel-level operation grants it extraordinary stealth capabilities. It can hide files, registry keys, network connections, and even its own driver from security software and administrative tools. Most standard antivirus products scan userland applications but have limited visibility into kernel space where Daxin operates. Even kernel-aware security tools face challenges because Daxin can intercept and manipulate the system calls these tools use to gather information.
Manual Removal — Step by Step
Isolate the system immediately
Disconnect all network cables and disable Wi-Fi. If you're on a domain-joined corporate machine, physically isolate it before the malware can alert operators or spread laterally. Do not shut down—kernel drivers can execute cleanup routines on shutdown that delete forensic evidence. Keep the machine powered but isolated.
Boot to Windows Recovery Environment or external media
You cannot remove kernel-mode malware while Windows is running normally because the malware has full control over the operating system. Reboot to a Windows Recovery Environment USB drive or a Linux live CD (Ubuntu, Kali, or forensic distributions). This allows you to access the file system while the malware driver isn't loaded and protecting itself.
Mount the Windows system drive
From your recovery environment, mount the Windows installation drive (typically C:\). You'll need to navigate to the \Windows\System32\drivers\ directory where kernel drivers reside. Enable viewing of hidden and system files. Daxin typically uses innocuous names that mimic legitimate Windows components, making visual identification difficult without IOC intelligence.
Identify suspicious kernel drivers
Look for .sys files in the drivers folder with recent modification dates that don't correlate with Windows updates or legitimate software installations. Check digital signatures—legitimate Microsoft drivers are always signed. Compare file sizes and hashes against known-good system files using Microsoft's File Checksum Integrity Verifier or online repositories. Daxin samples typically range from 30-150KB and lack valid signatures or use stolen/forged certificates.
Export and delete registry service entries
From your recovery environment, load the SYSTEM registry hive (located at \Windows\System32\config\SYSTEM) using a registry editor. Navigate to ControlSet001\Services and look for entries matching suspicious drivers you identified. Export these keys for documentation, then delete them. Repeat for ControlSet002 and CurrentControlSet. Without these service entries, the driver won't load even if file remnants remain.
Remove the driver files
Delete all identified malicious .sys files from the \Windows\System32\drivers\ directory and any backup locations (\Windows\System32\driverstore\FileRepository\). Take ownership of files if deletion is blocked by permissions. Consider securely wiping these files rather than simple deletion if forensics isn't required, as kernel malware sometimes attempts recovery from unallocated space.
Scan with offline antivirus tools
Before rebooting to Windows, run comprehensive scans using bootable antivirus tools (Kaspersky Rescue Disk, Bitdefender Rescue CD, or Microsoft Defender Offline). These tools can detect rootkit signatures and behavioral patterns while the malware isn't actively defending itself. Update definitions before scanning if possible, though recognize that Daxin's targeted nature means many AV products lack specific signatures.
Check for additional persistence mechanisms
Examine scheduled tasks (\Windows\System32\Tasks\), WMI event subscriptions, and alternate data streams that might reinstall the driver. Search for executables or scripts with creation dates matching the driver installation. Daxin operators often deploy multiple persistence methods to survive individual component removal.
Verify clean boot and monitor
Reboot to Safe Mode with Networking first. Check that the malicious service doesn't appear in msconfig, services.msc, or autoruns. Monitor network connections using Wireshark or TCPView for unusual traffic patterns. If the system appears clean, boot normally but maintain isolation from production networks during a 48-hour observation period.
Consider full OS reinstallation (strongly recommended)
Given Daxin's sophistication and kernel-level access, manual cleanup cannot guarantee complete removal. The malware may have installed firmware-level persistence, modified system binaries, or deployed additional undetected implants. For high-security environments or systems handling sensitive data, the only certain remediation is formatting the drive, updating firmware, and clean-installing Windows from verified media.
Prevention
- Implement application whitelisting — Use Windows AppLocker or third-party solutions to allow only authorized drivers to load. Kernel drivers require code-signing enforcement; configure systems to reject unsigned or untrusted certificates.
- Enable Driver Signature Enforcement — Modern Windows versions include driver signature verification; ensure it's enabled in BIOS/UEFI settings and through Group Policy. Consider using Device Guard and Credential Guard on Windows 10/11 Enterprise to provide hypervisor-protected code integrity.
- Segment network access rigorously — Daxin's connection hijacking capabilities make flat networks extremely vulnerable. Implement zero-trust architecture with micro-segmentation, requiring authentication for all lateral movement. Air-gap truly critical systems from internet-connected networks.
- Monitor for privilege escalation attempts — Installing kernel drivers requires administrator rights. Deploy endpoint detection and response (EDR) tools that alert on privilege escalation attempts, unauthorized driver installations, and suspicious use of administrative tools like PsExec or WMI.
- Maintain comprehensive network visibility — While Daxin hijacks connections, anomalies in connection duration, packet sizes, or timing patterns may reveal its presence. Employ network behavior analytics that baseline normal traffic and flag statistical deviations even in legitimate connections.
- Patch aggressively and verify supply chains — Since Daxin arrives after initial compromise, preventing the first foothold is critical. Patch all internet-facing systems within 24-48 hours of vulnerability disclosure. Verify software integrity through hash checking and trusted distribution channels.
- Restrict administrative access severely — Limit which accounts have local administrator rights. Require multi-factor authentication for all administrative access. Use privileged access workstations (PAWs) for administrative tasks, never mixing admin credentials with day-to-day user activities.
- Deploy kernel-aware security tools — Standard antivirus won't catch kernel-mode rootkits. Invest in solutions with kernel-level visibility like GMER, TDSS Killer, or enterprise EDR platforms with memory analysis capabilities. Conduct regular memory forensics checks on critical systems to detect kernel-level anomalies.
Bring It In
Daxin isn't malware you stumbled into by accident. If you've discovered it on your system, you're dealing with a sophisticated intrusion that requires professional incident response—not just malware removal. Our team has experience with advanced persistent threats, rootkit forensics, and post-compromise system hardening. We'll conduct a thorough analysis to determine how the malware arrived, what data may have been accessed, and what other systems might be compromised. We'll also work with you to implement security controls that prevent reinfection and provide documentation you may need for legal, regulatory, or insurance purposes.
Located right here in Roswell at 1000 Alpharetta Street, Computer Repair Roswell specializes in complex malware incidents that go beyond standard virus removal. Whether you're a small business that's just discovered unauthorized access or a home user dealing with persistent system issues that might indicate advanced threats, we're here to help. Call us at (770) 637-1435 to schedule a consultation. For suspected Daxin infections, we recommend bringing the system in immediately rather than attempting remote diagnostics—physical isolation and forensic procedures require hands-on access to ensure nothing is missed.