DAEMON Tools Supply Chain Attack
Cybersecurity researchers have uncovered a sophisticated supply chain attack involving DAEMON Tools installers. Threat actors successfully compromised official Windows installers distributed through the legitimate DAEMON Tools website, embedding malicious code into digitally signed software packages. Because the installers carried authentic developer certificates, the malware appeared trustworthy and easily bypassed conventional security defenses.
The compromised installer versions ranged from 12.5.0.2421 to 12.5.0.2434, with malicious activity traced back to April 8, 2026. Only the Windows edition of the software was affected, while the Mac version remained untouched. Following disclosure of the incident, developer AVB Disc Soft released version 12.6.0.2445, which removes the malicious functionality and addresses the breach.
Malicious Components Hidden Inside Legitimate Processes
Investigators discovered that attackers modified three critical DAEMON Tools components:
- DTHelper.exe
- DiscSoftBusServiceLite.exe
- DTShellHlp.exe
Whenever any of these binaries launched, typically during system startup, they activated a hidden implant on the infected machine. The implant communicated with an external domain, env-check.daemontools.cc, registered on March 27, 2026, to retrieve shell commands executed through the Windows cmd.exe process.
The downloaded commands triggered additional malware deployment, enabling attackers to expand control over compromised systems while remaining concealed within trusted software behavior.
Multi-Stage Malware Deployment Raises Alarm
The attack chain involved several secondary payloads designed for reconnaissance, persistence, and remote control. Among the deployed files were:
- envchk.exe — a .NET-based reconnaissance tool capable of collecting detailed system information.
- cdg.exe and cdg.tmp — components used to decrypt and launch a lightweight backdoor capable of downloading files, executing shell commands, and running shellcode directly in memory.
Security analysts also identified the delivery of a remote access trojan known as QUIC RAT. The malware supports numerous Command-and-Control (C2) communication methods, including HTTP, TCP, UDP, DNS, WSS, QUIC, and HTTP/3. In addition, it can inject malicious payloads into legitimate Windows processes such as notepad.exe and conhost.exe, making detection significantly more difficult.
Thousands Exposed, But Only Select Victims Targeted
Researchers observed several thousand infection attempts linked to the compromised installers across more than 100 countries, including Russia, Brazil, Turkey, Germany, France, Italy, Spain, and China. Despite the broad infection footprint, only a limited number of systems received the advanced backdoor payload, indicating a highly selective targeting strategy.
The follow-on malware was detected within organizations operating in retail, scientific research, government, manufacturing, and educational sectors across Russia, Belarus, and Thailand. One confirmed QUIC RAT infection specifically targeted an educational institution in Russia.
This selective deployment strongly suggests that the campaign was designed for precision targeting rather than indiscriminate mass infection. However, researchers have not yet determined whether the attackers intended to conduct cyberespionage operations or financially motivated 'big game hunting' attacks.
Evidence Points Toward a Sophisticated Chinese-Speaking Threat Actor
Although no known threat group has officially been linked to the operation, forensic analysis of the malware artifacts suggests involvement from a Chinese-speaking adversary. The complexity of the intrusion, combined with the ability to compromise signed software distributed through an official vendor channel, demonstrates advanced offensive capabilities and long-term operational planning.
The DAEMON Tools compromise joins a growing wave of software supply chain attacks observed throughout the first half of 2026. Similar incidents previously impacted eScan in January, Notepad++ in February, and CPUID in April.
Why Supply Chain Attacks Are So Dangerous
Supply chain compromises remain especially dangerous because they exploit the inherent trust users place in legitimate software vendors. Applications downloaded directly from official websites and signed with valid digital certificates are rarely treated as suspicious by users or security products.
In this case, the malicious activity reportedly remained undetected for nearly a month, highlighting both the sophistication of the attackers and the limitations of traditional perimeter-based security defenses. Security professionals emphasize that organizations using affected DAEMON Tools versions should immediately isolate impacted systems and conduct comprehensive threat-hunting operations to identify possible lateral movement or additional malicious activity within corporate networks.
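As a starting point for the threat hunting recommended above, the following Python script is an added example (not code from the article, the researchers, or AVB Disc Soft). It encodes only what the article states: the trojanized build range 12.5.0.2421 to 12.5.0.2434, the three modified binaries, the C2 domain env-check.daemontools.cc, the cmd.exe execution path, and the second-stage file names. The telemetry format (key=value lines), the field names, the timestamps and the file paths are constructed for the example; real EDR or Sysmon exports use their own field names and would need a different parser.

```python
"""Hunting helpers for the DAEMON Tools compromise (added example, not vendor code).

Indicators below come from the article; the log format and sample lines are
constructed for this example and do not reflect any real telemetry product.
"""
from __future__ import annotations

import re

# Trojanized build range and the clean release, as stated in the article.
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)
FIXED_RELEASE = (12, 6, 0, 2445)

# The three components reported as modified, plus the second-stage file names.
TROJANIZED = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
STAGE2_FILES = {"envchk.exe", "cdg.exe", "cdg.tmp"}
C2_DOMAIN = "env-check.daemontools.cc"


def parse_version(text: str) -> tuple[int, ...]:
    """Parse a four-part DAEMON Tools version string such as '12.5.0.2421'."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part version, got {text!r}")
    return parts


def is_affected_version(text: str) -> bool:
    """True when the installed build falls inside the reported trojanized range."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path (quotes already removed)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> dict[str, str]:
    """Parse one constructed 'key=value' telemetry line; values may be double-quoted."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def classify(event: dict[str, str]) -> str | None:
    """Label an event that matches the reported behaviour, or None if it does not."""
    kind = event.get("event")
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent", ""))
    if kind == "dns":
        query = event.get("query", "").lower()
        if query == C2_DOMAIN or query.endswith("." + C2_DOMAIN):
            return f"c2-dns:{image}->{query}"
    elif kind == "process":
        # The implant ran retrieved commands through cmd.exe; key only on the
        # three trojanized parents so ordinary cmd.exe launches are not flagged.
        if parent in TROJANIZED and image == "cmd.exe":
            return f"implant-shell:{parent}->cmd.exe"
        if image in STAGE2_FILES:
            return f"stage2-payload:{parent}->{image}"
    return None


def hunt(lines) -> list[str]:
    """Return the finding labels for every matching line, in input order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        label = classify(parse_event(line))
        if label:
            findings.append(label)
    return findings


# Constructed sample telemetry; paths and timestamps are placeholders.
SAMPLE_TELEMETRY = r'''
ts=2026-04-09T08:01:02Z event=process parent="C:\Windows\explorer.exe" image="C:\Program Files\DAEMON Tools Lite\DTHelper.exe"
ts=2026-04-09T08:01:05Z event=dns image="C:\Program Files\DAEMON Tools Lite\DTHelper.exe" query=env-check.daemontools.cc
ts=2026-04-09T08:01:06Z event=process parent="C:\Program Files\DAEMON Tools Lite\DTHelper.exe" image="C:\Windows\System32\cmd.exe"
ts=2026-04-09T08:01:09Z event=process parent="C:\Windows\System32\cmd.exe" image="C:\Temp\envchk.exe"
ts=2026-04-09T08:02:00Z event=dns image="C:\Program Files\Mozilla Firefox\firefox.exe" query=www.daemontools.cc
ts=2026-04-09T08:02:30Z event=process parent="C:\Windows\explorer.exe" image="C:\Windows\System32\cmd.exe"
'''

if __name__ == "__main__":
    print("12.5.0.2430 affected:", is_affected_version("12.5.0.2430"))
    for finding in hunt(SAMPLE_TELEMETRY.splitlines()):
        print(finding)
```

On the sample input the script flags the DNS lookup of the C2 domain, the cmd.exe child of DTHelper.exe, and the envchk.exe launch, while leaving the benign DTHelper.exe start, the unrelated daemontools.cc lookup, and an ordinary cmd.exe launch alone. The version check treats 12.6.0.2445 as clean; a build outside the range is not proof of a clean host, since the second-stage files and C2 traffic should be hunted for regardless of the version string an installer reports.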
Vendor Response and Recommended Mitigation Steps
AVB Disc Soft stated that the breach appears limited to the Lite edition of the software and confirmed that an ongoing investigation is underway to determine the full scope and root cause of the incident.
Users who downloaded or installed DAEMON Tools Lite version 12.5.1 during the affected timeframe are strongly advised to remove the software immediately, perform a complete antivirus and endpoint security scan using trusted security tools, and reinstall only the latest clean release obtained directly from the official DAEMON Tools website.