← All drivers
malicious
Driver

ndislan.sys

Daxin rootkit -- MS LAN Driver variant

From Unknown state-sponsored threat actor
Part of the Daxin family
Status
On a known malicious list
Known variants
1 distinct hashes
Field notes

ndislan.sys is a variant of Daxin, the sophisticated state-sponsored rootkit backdoor disclosed by Symantec (Broadcom) in February 2022. Its internal description is "MS LAN Driver," chosen to masquerade as a legitimate Windows networking component. Like the wantd.sysDriverwantd.sysDaxin rootkit -- WAN Transport Driver variantOpen plate → variants, it provides kernel-level backdoor access with TCP connection hijacking and mesh relay networking for air-gapped environments.

See the daxin_blank.sysDriverdaxin_blank.sysDaxin rootkit backdoorOpen plate → entry for the full story. Not a legitimate vendor driver. Presence indicates a targeted intrusion.

What the record shows

ndislan.sys is listed as malicious on the public LOLDrivers project. One distinct binary hash matching this filename is on record.

What this means, plainly
Presence is not proof of misuse. This filename matches a public malicious list. Vera notes it as evidence on a record; the meaning still belongs to the people with the context.
Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “ndislan.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/ndislan-sys