Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
AI-powered Forg365 Phishing Platform Targets Microsoft 365 Accounts
July 11, 2026
Dell BIOS Critical Flaw Exposes Admin Passwords From SPI Flash
July 11, 2026
CISA Report Details Lessons Learned From AWS GovCloud Credential Leak
July 11, 2026
Home/CyberSecurity News/DAEMON Tools Software Supply Chain Attack Delivers Malware
CyberSecurity News

DAEMON Tools Software Supply Chain Attack Delivers Malware

Key Takeaways A supply chain attack compromised official DAEMON Tools installers, distributing malware to users globally. The attack, active since April 8, 2026, delivered initial...

Jennifer sherman
Jennifer sherman
May 5, 2026 4 Min Read
65 0

Key Takeaways

  • A supply chain attack compromised official DAEMON Tools installers, distributing malware to users globally.
  • The attack, active since April 8, 2026, delivered initial information-gathering payloads to thousands of systems across over 100 countries.
  • Highly targeted secondary payloads, including a sophisticated QUIC RAT, were deployed to high-value government, scientific, manufacturing, and retail entities in Russia, Belarus, and Thailand.
  • The compromised installers, versions 12.5.0.2421 to 12.5.0.2434, were signed with legitimate digital certificates, making detection challenging.
  • Users are urged to scrutinize endpoints for indicators of compromise and implement robust monitoring.

A sophisticated supply chain attack, first identified in early May 2026, has successfully compromised DAEMON Tools, a widely utilized disk image mounting software. This breach enabled threat actors to distribute malicious payloads to users across the globe through official channels.

Table Of Content

  • Key Takeaways
  • DAEMON Tools Software Compromised
  • Minimalistic Backdoor and QUIC RAT Deployment
  • What You Should Do
  • Indicators of Compromise

Security researchers at Kaspersky determined that official installers, downloaded directly from the legitimate DAEMON Tools website, were trojanized beginning April 8, 2026.

These compromised installers, encompassing versions 12.5.0.2421 through 12.5.0.2434, bore valid digital certificates belonging to the software’s developer, AVB Disc Soft. While thousands of attempted infections were recorded in over 100 countries, the threat actors exhibited a highly selective approach to post-compromise activity, targeting specific high-value entities.

Analysis of artifacts within the malicious implants suggests the involvement of a Chinese-speaking threat actor, though definitive attribution remains pending. Following the discovery, AVB Disc Soft was promptly notified to facilitate immediate remediation efforts.

DAEMON Tools Software Compromised

The attack chain initiates when specific compromised binaries within the software installation directory—namely DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe—are executed.

Daemon Tools Lite Download page
Daemon Tools Lite Download page

Upon system startup, if these files are launched, a backdoor embedded within the C Runtime initialization code activates. This backdoor operates in a dedicated thread, initiating HTTP GET requests to a malicious command-and-control (C2) server designed to typosquat the legitimate DAEMON Tools domain.

This C2 server, registered just over a week before the campaign’s inception, responds with shell commands. These commands leverage PowerShell to download and execute a first-stage payload.

The initial payload functions as an advanced information collector, meticulously gathering extensive system profiling data. This includes MAC addresses, hostnames, lists of running processes, installed software, and system locales.

Notably, strings written in Chinese were discovered embedded within this .NET executable, offering early indications regarding the potential origin of the attackers.

Telemetry data reveals that the threat actors meticulously filtered the vast volume of collected profiling data to identify and select high-value targets for subsequent exploitation.

Out of thousands of initial infections, only approximately a dozen machines, primarily belonging to government, scientific, manufacturing, and retail sectors in Russia, Belarus, and Thailand, received a secondary payload.

This second-stage payload is a minimalistic backdoor, delivered via a shellcode loader that employs RC4 encryption to execute the malicious code directly in memory, minimizing its footprint on disk.

Minimalistic Backdoor and QUIC RAT Deployment

Intriguingly, Kaspersky researchers observed misspellings such as “chiper” and “rypto.dll” in the deployment commands for the secondary payload. This detail suggests that this phase of the attack involved hands-on, manual execution by the threat actors.

For the most critical targets, this minimalistic backdoor served as a stepping stone for an even more sophisticated implant, dubbed QUIC RAT.

QUIC RAT was identified exclusively on the network of a Russian educational institution. It is a highly obfuscated C++ backdoor, statically linked with the WolfSSL library, demonstrating advanced capabilities.

This advanced malware supports a broad spectrum of communication protocols, including HTTP/3 and QUIC. It actively injects its payloads into core system processes like notepad.exe and conhost.exe to evade detection by security solutions.

The DAEMON Tools compromise underscores a significant escalation in software supply chain attacks observed throughout the first half of 2026. Following similar high-profile breaches involving eScan in January, Notepad++ in February, and CPU-Z in April, advanced threat actors are increasingly weaponizing trusted applications to bypass traditional perimeter defenses.

The DAEMON Tools incident required approximately one month to uncover, a detection timeline that mirrors the complexity of the 2023 3CX supply chain attack.

What You Should Do

  • Inspect Endpoints: Rigorously scrutinize any endpoints running DAEMON Tools for anomalous network connections or suspicious process executions originating on or after April 8, 2026.
  • Block Indicators of Compromise: Actively monitor for and block the information collector payload utilizing the SHA1 hash 2d4eb55b01f59c62c6de9aacba9b47267d398fe4. Furthermore, block all outbound communications to the typosquatted domain env-check.daemontools[.]cc and the hardcoded IP address 38.180.107[.]76.
  • Implement Zero Trust: Enforce Zero Trust architectures to minimize implicit trust and verify every access attempt, regardless of origin.
  • Enhance Endpoint Monitoring: Deploy and maintain comprehensive endpoint detection and response (EDR) solutions to detect and respond to sophisticated threats exploiting trusted software ecosystems.
  • Review and Update Software: Ensure all software, especially widely used utilities like DAEMON Tools, is obtained from verified sources and kept up-to-date with the latest security patches.

Indicators of Compromise

Type Indicator Notes
SHA1 — Infected Installer 9ccd769624de98eeeb12714ff1707ec4f5bf196d DAEMON Tools Lite v12.5.0.2421
SHA1 — Infected Installer 50d47adb6dd45215c7cb4c68bae28b129ca09645 DAEMON Tools Lite v12.5.0.2422
SHA1 — Infected Installer 0c1d3da9c7a651ba40b40e12d48ebd32b3f31820 DAEMON Tools Lite v12.5.0.2423
SHA1 — Infected Installer 28b72576d67ae21d9587d782942628ea46dcc870 DAEMON Tools Lite v12.5.0.2424
SHA1 — Infected Installer 46b90bf370e60d61075d3472828fdc0b85ab0492 DAEMON Tools Lite v12.5.0.2430
SHA1 — Infected Installer 6325179f442e5b1a716580cd70dea644ac9ecd18 DAEMON Tools Lite v12.5.0.2431
SHA1 — Infected Installer bd8fbb5e6842df8683163adbd6a36136164eac58 DAEMON Tools Lite v12.5.0.2433
SHA1 — Infected Installer 15ed5c3384e12fe4314ad6edbd1dcccf5ac1ee29 DAEMON Tools Lite v12.5.0.2434
SHA1 — Modified Binary 524d2d92909eef80c406e87a0fc37d7bb4dadc14 Trojanized DiscSoftBusServiceLite.exe
SHA1 — Modified Binary 427f1728682ebc7ffe3300fef67d0e3cb6b62948 Trojanized DiscSoftBusServiceLite.exe
SHA1 — Modified Binary 8e7eb0f5ac60dd3b4a9474d2544348c3bda48045 Trojanized DiscSoftBusServiceLite.exe
SHA1 — Modified Binary 00e2df8f42d14072e4385e500d4669ec783aa517 Trojanized DiscSoftBusServiceLite.exe
SHA1 — Modified Binary aea55e42c4436236278e5692d3dcbcbe5fe6ce0b Trojanized DiscSoftBusServiceLite.exe
SHA1 — Modified Binary 0456e2f5f56ec8ed16078941248e7cbba9f1c8eb Trojanized DiscSoftBusServiceLite.exe
SHA1 — Modified Binary 9a09ad7b7e9ff7a465aa1150541e231189911afb Trojanized DiscSoftBusServiceLite.exe
SHA1 — Modified Binary 8d435918d304fc38d54b104a13f2e33e8e598c82 Trojanized DiscSoftBusServiceLite.exe
SHA1 — Modified Binary 64462f751788f529c1eb09023b26a47792ecdc54 Trojanized DiscSoftBusServiceLite.exe
SHA1 — Payload 2d4eb55b01f59c62c6de9aacba9b47267d398fe4 Information collector (envchk.exe)
SHA1 — Payload 9dbfc23ebf36b3c0b56d2f93116abb32656c42e4 Minimalistic backdoor shellcode
SHA1 — Payload 295ce86226b933e7262c2ce4b36bdd6c389aaaef Minimalistic backdoor shellcode
File Path C:WindowsTempenvchk.exe Information collector drop path
File Path C:WindowsTempcdg.exe Shellcode loader drop path
File Path C:WindowsTempimp.tmp Shellcode payload drop path
File Path C:WindowsTemppiyu.exe Additional payload drop path
C2 Domain env-check.daemontools[.]cc Malicious C2, typosquats daemon-tools[.]cc
C2 IP Address 38.180.107[.]76 Hardcoded payload delivery server
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackBreachExploitSecurityThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Code of Conduct Phishing Targets 35,000 Users in AiTM Attack

Next Post

Education Sector Targeted by State-Sponsored Cyberattacks

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical OpenClaw Vulnerability Lets Attackers Hijack WhatsApp Via One Message
July 11, 2026
Progress Urges ShareFile Server Shutdown Over Critical Vulnerability
July 11, 2026
Critical Citrix Bleed Vulnerability Exploited for Ransomware Attacks
July 11, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us