wantd.sys
Daxin rootkit -- WAN Transport Driver variant
wantd.sys is a variant of Daxin, the sophisticated state-sponsored rootkit backdoor disclosed by Symantec (Broadcom) in February 2022. Its internal description is "WAN Transport Driver," chosen to blend in among legitimate Windows networking components. It was signed with a certificate from Anhua Xinda (Beijing) Technology Co., Ltd., the same certificate previously used by the XPath rootkit targeting Central Asian entities around 2017.
Daxin hijacks legitimate TCP connections for command-and-control communication, builds mesh relay networks across compromised systems (including air-gapped networks), and provides rootkit-level persistence. It was designed for long-duration espionage against hardened government and critical infrastructure networks. The earliest known sample dates to 2013; deployments continued through at least November 2021.
See the daxin_blank.sysDriverdaxin_blank.sysDaxin rootkit backdoorOpen plate → entry for more context. Not a legitimate vendor driver. Presence indicates a targeted intrusion.
wantd.sys is listed as malicious on the public LOLDrivers project. One distinct binary hash matching this filename is on record.
Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.
Vera Project. “wantd.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/wantd-sys
