← All drivers
malicious
Driver

wantd.sys

Daxin rootkit -- WAN Transport Driver variant

From Unknown state-sponsored threat actor (signed by Anhua Xinda)
Part of the Daxin family
Status
On a known malicious list
Known variants
1 distinct hashes
Field notes

wantd.sys is a variant of Daxin, the sophisticated state-sponsored rootkit backdoor disclosed by Symantec (Broadcom) in February 2022. Its internal description is "WAN Transport Driver," chosen to blend in among legitimate Windows networking components. It was signed with a certificate from Anhua Xinda (Beijing) Technology Co., Ltd., the same certificate previously used by the XPath rootkit targeting Central Asian entities around 2017.

Daxin hijacks legitimate TCP connections for command-and-control communication, builds mesh relay networks across compromised systems (including air-gapped networks), and provides rootkit-level persistence. It was designed for long-duration espionage against hardened government and critical infrastructure networks. The earliest known sample dates to 2013; deployments continued through at least November 2021.

See the daxin_blank.sysDriverdaxin_blank.sysDaxin rootkit backdoorOpen plate → entry for more context. Not a legitimate vendor driver. Presence indicates a targeted intrusion.

What the record shows

wantd.sys is listed as malicious on the public LOLDrivers project. One distinct binary hash matching this filename is on record.

What this means, plainly
Presence is not proof of misuse. This filename matches a public malicious list. Vera notes it as evidence on a record; the meaning still belongs to the people with the context.
Source

Status data comes from the public LOLDrivers project, a community-curated registry of drivers known to be vulnerable or malicious. The snapshot Vera uses was refreshed July 10, 2026. CVE links go to the NIST National Vulnerability Database.

Cite this entry

Vera Project. “wantd.sys.” Vera Field Guide (Driver). The Vera Project. https://www.veraproject.xyz/field-guide/drivers/wantd-sys