DAEMON Tools Software Supply Chain Attack Delivers Malware
Key Takeaways A supply chain attack compromised official DAEMON Tools installers, distributing malware to users globally. The attack, active since April 8, 2026, delivered initial...
Key Takeaways
- A supply chain attack compromised official DAEMON Tools installers, distributing malware to users globally.
- The attack, active since April 8, 2026, delivered initial information-gathering payloads to thousands of systems across over 100 countries.
- Highly targeted secondary payloads, including a sophisticated QUIC RAT, were deployed to high-value government, scientific, manufacturing, and retail entities in Russia, Belarus, and Thailand.
- The compromised installers, versions 12.5.0.2421 to 12.5.0.2434, were signed with legitimate digital certificates, making detection challenging.
- Users are urged to scrutinize endpoints for indicators of compromise and implement robust monitoring.
A sophisticated supply chain attack, first identified in early May 2026, has successfully compromised DAEMON Tools, a widely utilized disk image mounting software. This breach enabled threat actors to distribute malicious payloads to users across the globe through official channels.
Table Of Content
Security researchers at Kaspersky determined that official installers, downloaded directly from the legitimate DAEMON Tools website, were trojanized beginning April 8, 2026.
These compromised installers, encompassing versions 12.5.0.2421 through 12.5.0.2434, bore valid digital certificates belonging to the software’s developer, AVB Disc Soft. While thousands of attempted infections were recorded in over 100 countries, the threat actors exhibited a highly selective approach to post-compromise activity, targeting specific high-value entities.
Analysis of artifacts within the malicious implants suggests the involvement of a Chinese-speaking threat actor, though definitive attribution remains pending. Following the discovery, AVB Disc Soft was promptly notified to facilitate immediate remediation efforts.
DAEMON Tools Software Compromised
The attack chain initiates when specific compromised binaries within the software installation directory—namely DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe—are executed.

Upon system startup, if these files are launched, a backdoor embedded within the C Runtime initialization code activates. This backdoor operates in a dedicated thread, initiating HTTP GET requests to a malicious command-and-control (C2) server designed to typosquat the legitimate DAEMON Tools domain.
This C2 server, registered just over a week before the campaign’s inception, responds with shell commands. These commands leverage PowerShell to download and execute a first-stage payload.
The initial payload functions as an advanced information collector, meticulously gathering extensive system profiling data. This includes MAC addresses, hostnames, lists of running processes, installed software, and system locales.
Notably, strings written in Chinese were discovered embedded within this .NET executable, offering early indications regarding the potential origin of the attackers.
Telemetry data reveals that the threat actors meticulously filtered the vast volume of collected profiling data to identify and select high-value targets for subsequent exploitation.
Out of thousands of initial infections, only approximately a dozen machines, primarily belonging to government, scientific, manufacturing, and retail sectors in Russia, Belarus, and Thailand, received a secondary payload.
This second-stage payload is a minimalistic backdoor, delivered via a shellcode loader that employs RC4 encryption to execute the malicious code directly in memory, minimizing its footprint on disk.
Minimalistic Backdoor and QUIC RAT Deployment
Intriguingly, Kaspersky researchers observed misspellings such as “chiper” and “rypto.dll” in the deployment commands for the secondary payload. This detail suggests that this phase of the attack involved hands-on, manual execution by the threat actors.
For the most critical targets, this minimalistic backdoor served as a stepping stone for an even more sophisticated implant, dubbed QUIC RAT.
QUIC RAT was identified exclusively on the network of a Russian educational institution. It is a highly obfuscated C++ backdoor, statically linked with the WolfSSL library, demonstrating advanced capabilities.
This advanced malware supports a broad spectrum of communication protocols, including HTTP/3 and QUIC. It actively injects its payloads into core system processes like notepad.exe and conhost.exe to evade detection by security solutions.
The DAEMON Tools compromise underscores a significant escalation in software supply chain attacks observed throughout the first half of 2026. Following similar high-profile breaches involving eScan in January, Notepad++ in February, and CPU-Z in April, advanced threat actors are increasingly weaponizing trusted applications to bypass traditional perimeter defenses.
The DAEMON Tools incident required approximately one month to uncover, a detection timeline that mirrors the complexity of the 2023 3CX supply chain attack.
What You Should Do
- Inspect Endpoints: Rigorously scrutinize any endpoints running DAEMON Tools for anomalous network connections or suspicious process executions originating on or after April 8, 2026.
- Block Indicators of Compromise: Actively monitor for and block the information collector payload utilizing the SHA1 hash 2d4eb55b01f59c62c6de9aacba9b47267d398fe4. Furthermore, block all outbound communications to the typosquatted domain env-check.daemontools[.]cc and the hardcoded IP address 38.180.107[.]76.
- Implement Zero Trust: Enforce Zero Trust architectures to minimize implicit trust and verify every access attempt, regardless of origin.
- Enhance Endpoint Monitoring: Deploy and maintain comprehensive endpoint detection and response (EDR) solutions to detect and respond to sophisticated threats exploiting trusted software ecosystems.
- Review and Update Software: Ensure all software, especially widely used utilities like DAEMON Tools, is obtained from verified sources and kept up-to-date with the latest security patches.
Indicators of Compromise
| Type | Indicator | Notes |
|---|---|---|
| SHA1 — Infected Installer | 9ccd769624de98eeeb12714ff1707ec4f5bf196d | DAEMON Tools Lite v12.5.0.2421 |
| SHA1 — Infected Installer | 50d47adb6dd45215c7cb4c68bae28b129ca09645 | DAEMON Tools Lite v12.5.0.2422 |
| SHA1 — Infected Installer | 0c1d3da9c7a651ba40b40e12d48ebd32b3f31820 | DAEMON Tools Lite v12.5.0.2423 |
| SHA1 — Infected Installer | 28b72576d67ae21d9587d782942628ea46dcc870 | DAEMON Tools Lite v12.5.0.2424 |
| SHA1 — Infected Installer | 46b90bf370e60d61075d3472828fdc0b85ab0492 | DAEMON Tools Lite v12.5.0.2430 |
| SHA1 — Infected Installer | 6325179f442e5b1a716580cd70dea644ac9ecd18 | DAEMON Tools Lite v12.5.0.2431 |
| SHA1 — Infected Installer | bd8fbb5e6842df8683163adbd6a36136164eac58 | DAEMON Tools Lite v12.5.0.2433 |
| SHA1 — Infected Installer | 15ed5c3384e12fe4314ad6edbd1dcccf5ac1ee29 | DAEMON Tools Lite v12.5.0.2434 |
| SHA1 — Modified Binary | 524d2d92909eef80c406e87a0fc37d7bb4dadc14 | Trojanized DiscSoftBusServiceLite.exe |
| SHA1 — Modified Binary | 427f1728682ebc7ffe3300fef67d0e3cb6b62948 | Trojanized DiscSoftBusServiceLite.exe |
| SHA1 — Modified Binary | 8e7eb0f5ac60dd3b4a9474d2544348c3bda48045 | Trojanized DiscSoftBusServiceLite.exe |
| SHA1 — Modified Binary | 00e2df8f42d14072e4385e500d4669ec783aa517 | Trojanized DiscSoftBusServiceLite.exe |
| SHA1 — Modified Binary | aea55e42c4436236278e5692d3dcbcbe5fe6ce0b | Trojanized DiscSoftBusServiceLite.exe |
| SHA1 — Modified Binary | 0456e2f5f56ec8ed16078941248e7cbba9f1c8eb | Trojanized DiscSoftBusServiceLite.exe |
| SHA1 — Modified Binary | 9a09ad7b7e9ff7a465aa1150541e231189911afb | Trojanized DiscSoftBusServiceLite.exe |
| SHA1 — Modified Binary | 8d435918d304fc38d54b104a13f2e33e8e598c82 | Trojanized DiscSoftBusServiceLite.exe |
| SHA1 — Modified Binary | 64462f751788f529c1eb09023b26a47792ecdc54 | Trojanized DiscSoftBusServiceLite.exe |
| SHA1 — Payload | 2d4eb55b01f59c62c6de9aacba9b47267d398fe4 | Information collector (envchk.exe) |
| SHA1 — Payload | 9dbfc23ebf36b3c0b56d2f93116abb32656c42e4 | Minimalistic backdoor shellcode |
| SHA1 — Payload | 295ce86226b933e7262c2ce4b36bdd6c389aaaef | Minimalistic backdoor shellcode |
| File Path | C:WindowsTempenvchk.exe | Information collector drop path |
| File Path | C:WindowsTempcdg.exe | Shellcode loader drop path |
| File Path | C:WindowsTempimp.tmp | Shellcode payload drop path |
| File Path | C:WindowsTemppiyu.exe | Additional payload drop path |
| C2 Domain | env-check.daemontools[.]cc | Malicious C2, typosquats daemon-tools[.]cc |
| C2 IP Address | 38.180.107[.]76 | Hardcoded payload delivery server |
[.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.