DAEMON Tools Supply Chain Attack Exposes Thousands to Malware via Compromised Installers


Kaspersky has disclosed a supply chain attack on DAEMON Tools in which installers distributed through the vendor's own website were trojanized to deliver malicious payloads. The implications go beyond the immediate clean-up: a validly signed installer from an official download page is exactly the artifact most organizations are trained to trust.

Overview of the Attack

Kaspersky's investigation indicates that the compromised installers have been available since April 8, 2026. Affected versions range from 12.5.0.2421 to 12.5.0.2434; all were distributed from the official DAEMON Tools website and signed with the developer's digital certificates. DAEMON Tools is also offered for Mac, but Kaspersky confirmed that only the Windows version was compromised. Because the attack was still ongoing at the time of analysis, Kaspersky notified the software's developer, AVB Disc Soft.

Three specific components of DAEMON Tools have been identified as tampered with:

  • DTHelper.exe
  • DiscSoftBusServiceLite.exe
  • DTShellHlp.exe

Each time one of these binaries is executed, typically at system startup, the implant embedded in it runs. It sends an HTTP GET request to an external server, env-check.daemontools[.]cc (a domain registered on March 27, 2026), and executes whatever shell command the server returns through the cmd.exe process.
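As an added example (not Kaspersky's or AVB Disc Soft's code), the following Python gathers the indicators given above into a small host-triage routine: it checks whether an installed DAEMON Tools build falls in the affected range, scans proxy log lines for requests to the C2 host, and flags process-creation events in which cmd.exe is spawned by one of the three tampered binaries. The proxy log format, the process-event fields, the install path and all sample lines are constructed for the example, and the version-number scheme is assumed to be the four-part dotted form the article uses.

```python
"""Triage helpers built from the indicators in the article above.

Added example: not Kaspersky's or AVB Disc Soft's code. The indicator values
come from the article; the log/event formats, paths and sample data below are
constructed for illustration.
"""
import re

# --- Indicators stated in the article ---------------------------------------
AFFECTED_MIN = (12, 5, 0, 2421)           # first compromised build
AFFECTED_MAX = (12, 5, 0, 2434)           # last compromised build
TAMPERED_BINARIES = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
C2_HOST = "env-check.daemontools.cc"      # written defanged in the article


def parse_version(text):
    """Parse a four-part dotted version such as '12.5.0.2421' into a tuple."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("unexpected version string: %r" % text)
    return tuple(int(p) for p in parts)


def is_affected_version(text):
    """True when the build lies inside the compromised range (inclusive)."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def refang(host):
    """Normalise a possibly defanged hostname ('a[.]b') for comparison."""
    return host.replace("[.]", ".").strip(".").lower()


# Constructed proxy log format: "<timestamp> <client-ip> <method> <host> <path> <status>"
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def find_c2_beacons(lines):
    """Return (timestamp, client) for every request to the implant's C2 host."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line)
        if m and refang(m["host"]) == C2_HOST:
            hits.append((m["ts"], m["client"]))
    return hits


def _basename(path):
    """Last path component, lower-cased, for either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()


def find_cmd_from_tampered(events):
    """Flag process-creation events where a tampered binary spawns cmd.exe."""
    return [
        ev for ev in events
        if _basename(ev["parent_image"]) in TAMPERED_BINARIES
        and _basename(ev["image"]) == "cmd.exe"
    ]


def triage(installed_version, proxy_lines, process_events):
    """Combine the three checks into one report for a host."""
    report = {
        "affected_version": is_affected_version(installed_version),
        "c2_beacons": find_c2_beacons(proxy_lines),
        "cmd_from_tampered_binary": find_cmd_from_tampered(process_events),
    }
    # The article's guidance is to isolate; any single indicator is enough.
    report["isolate"] = bool(
        report["affected_version"] or report["c2_beacons"] or report["cmd_from_tampered_binary"]
    )
    return report


# --- Constructed sample input (not real telemetry) --------------------------
SAMPLE_PROXY_LOG = [
    "2026-04-09T07:12:03Z 10.0.1.15 GET env-check.daemontools.cc / 200",
    "2026-04-09T07:12:05Z 10.0.1.15 GET updates.example.net /check 200",
    "2026-04-10T08:01:44Z 10.0.1.22 GET ENV-CHECK.daemontools.cc / 200",
    "this line is not in the expected format",
]

SAMPLE_EVENTS = [
    {   # implant behaviour described in the article (install path assumed)
        "image": r"C:\Windows\System32\cmd.exe",
        "parent_image": r"C:\Program Files\DAEMON Tools\DTHelper.exe",
        "command_line": "cmd.exe /c <command returned by C2>",
    },
    {   # ordinary user-launched shell, should not be flagged
        "image": r"C:\Windows\System32\cmd.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": "cmd.exe",
    },
]

if __name__ == "__main__":
    for key, value in triage("12.5.0.2430", SAMPLE_PROXY_LOG, SAMPLE_EVENTS).items():
        print(key, "=>", value)
```

The host comparison is case-insensitive and accepts the defanged spelling, so indicators pasted straight from an advisory match live logs. Note that a build inside the affected range is treated as sufficient on its own: the article states that every copy of those versions served from the official site carried the implant, so absence of beacons only means the host has not yet called home, not that it is clean.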

Technical Details of the Malicious Payload

The shell command facilitates the download and execution of several malicious payloads, including:

  • envchk.exe: A .NET executable that gathers extensive system information.
  • cdg.exe and cdg.tmp: cdg.exe is a shellcode loader that decrypts the contents of cdg.tmp and runs the result, a minimalist backdoor. That backdoor contacts a remote server to download files, execute shell commands, and run shellcode payloads in memory.

Kaspersky’s telemetry data has recorded thousands of infection attempts involving DAEMON Tools, affecting individuals and organizations across more than 100 countries, including Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. However, the next-stage backdoor has only been delivered to a select few hosts, indicating a targeted approach.

Targeted Impact and Broader Implications

The systems that received the follow-on malware are linked to various sectors, including retail, scientific research, government, and manufacturing, particularly in Russia, Belarus, and Thailand. One of the payloads delivered via the backdoor is a remote access trojan known as QUIC RAT, which has been documented in use against a single victim: an educational institution in Russia.

Kaspersky noted that the method of deploying the backdoor to a limited number of infected machines suggests a deliberate and targeted infection strategy. The intent behind this operation—whether for cyberespionage or high-stakes data theft—remains ambiguous.

The malware supports multiple command-and-control (C2) protocols, including HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3. It also possesses capabilities to inject payloads into legitimate processes like “notepad.exe” and “conhost.exe.”

Attribution and Context

While the activity has not been definitively linked to any known threat actor or group, preliminary analysis suggests involvement from a Chinese-speaking adversary based on the artifacts observed. This incident is part of a troubling trend in software supply chain attacks, which have escalated in frequency and sophistication in 2026. Notable breaches earlier this year include incidents involving eScan, Notepad++, and CPUID.

Kucherin, a senior security researcher at Kaspersky GReAT, emphasized that compromises of this kind bypass traditional perimeter defenses because users trust digitally signed software obtained from a vendor's official site; a valid signature on a trojanized installer gives no warning. The DAEMON Tools attack went undetected for nearly a month, which Kaspersky reads as a sign of a capable and sophisticated threat actor.

Given the complexity of the breach, Kaspersky recommends that organizations isolate machines running DAEMON Tools and conduct thorough security sweeps. A first check is to compare the installed Windows build against the affected range (12.5.0.2421 to 12.5.0.2434) and to look for outbound requests to env-check.daemontools[.]cc and for cmd.exe processes spawned by DTHelper.exe, DiscSoftBusServiceLite.exe or DTShellHlp.exe.

Developer Response

In response to the breach, a representative from AVB Disc Soft acknowledged awareness of the situation and stated that they are actively investigating the matter. The spokesperson highlighted that the team is prioritizing the issue and is working to assess and address potential risks. They committed to providing updates as more verified information becomes available.

For further insights into the implications of this attack and other cybersecurity developments, refer to the original reporting source: thehackernews.com.
