A sophisticated supply chain attack has compromised official DAEMON Tools installers since April 2026, delivering a multi-stage malware campaign that has affected users in over 100 countries. The attack highlights the growing threat of software supply chain compromises and the challenges they pose to traditional security defenses.
A newly identified supply chain attack targeting DAEMON Tools software has compromised its official installers to deliver a sophisticated malware payload, affecting users in over 100 countries. The breach represents a significant threat to organizations and individuals who implicitly trust software downloaded directly from vendor websites.

According to findings from Kaspersky researchers Igor Kuznetsov, Georgy Kucherin, Leonid Bezvershenko, and Anton Kargin, the compromised installers have been distributed from the legitimate DAEMON Tools website and are signed with valid digital certificates belonging to the developers. "These installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to DAEMON Tools developers," the researchers explained.
The trojanized installers have been in circulation since April 8, 2026, with versions ranging from 12.5.0.2421 to 12.5.0.2434 identified as compromised. AVB Disc Soft, the developer of DAEMON Tools, has been notified of the breach, which remains active as of this writing.
Technical Details of the Attack
The attack specifically targets three components of DAEMON Tools:
- DTHelper.exe
- DiscSoftBusServiceLite.exe
- DTShellHlp.exe
When any of these binaries is launched—which typically occurs during system startup—an implant activates on the compromised host. This implant sends an HTTP GET request to an external server ("env-check.daemontools[.]cc"), a domain registered on March 27, 2026, to receive shell commands that are executed via "cmd.exe".
These commands then download and run a series of executable payloads, including:
- envchk.exe: A .NET executable designed to collect extensive system information
- cdg.exe and cdg.tmp: A shellcode loader that decrypts the contents of cdg.tmp and launches a minimalist backdoor capable of contacting remote servers to download files, execute shell commands, and run shellcode payloads in memory

Targeted Nature of the Campaign
While Kaspersky observed several thousand infection attempts involving DAEMON Tools across more than 100 countries—including Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China—the next-stage backdoor has been delivered only to approximately a dozen hosts, indicating a targeted approach.
Systems that received the follow-on malware were identified as belonging to retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand. One of the payloads delivered via the backdoor is a remote access trojan dubbed QUIC RAT, while a C++ implant has been observed targeting a Russian educational institution.
"This manner of deploying the backdoor to a small subset of infected machines clearly indicates that the attacker had intentions to conduct the infection in a targeted manner," Kaspersky stated. "However, their intent – whether it is cyberespionage or 'big game hunting' – is currently unclear."
Advanced Capabilities
The malware demonstrates sophisticated capabilities with support for multiple command-and-control (C2) protocols, including HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3. It can also inject payloads into legitimate "notepad.exe" and "conhost.exe" processes, making detection more challenging.
Although the activity has not been definitively attributed to any known threat actor, evidence points to a Chinese-speaking adversary based on an analysis of the artifacts observed.
Growing Trend of Software Supply Chain Attacks
The DAEMON Tools compromise is part of a worrying trend in software supply chain attacks during the first half of 2026. It follows similar high-profile breaches involving:
- eScan in January
- Notepad++ in February
- CPUID in April
"A compromise of this nature bypasses traditional perimeter defenses because users implicitly trust digitally signed software downloaded directly from an official vendor," said Georgy Kucherin, senior security researcher at Kaspersky GReAT. "Because of that, the DAEMON Tools attack has gone unnoticed for about a month. This period of time, in turn, indicates that the threat actor behind this attack is sophisticated and has advanced offensive capabilities."
Recommended Response Actions
Given the high complexity of the compromise, Kaspersky recommends several immediate actions:
- Isolate machines with DAEMON Tools installed from the network
- Conduct security sweeps to prevent further spreading of malicious activities within corporate networks
- Verify the integrity of all DAEMON Tools installations
- Monitor for suspicious network activity, particularly connections to the identified C2 domain
- Consider implementing application control policies to prevent unauthorized execution of suspicious binaries
Organizations should also review their software supply chain security practices, including:
- Implementing stricter validation of software updates
- Using code signing verification tools
- Considering sandboxing or virtualization for untrusted software
- Regularly auditing software installed on endpoints
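The following Python helpers, added here as an example and not part of Kaspersky's report or the DAEMON Tools product, turn the indicators above (the compromised version range, the three trojanized binaries, the C2 domain) into two checks a defender can run over endpoint telemetry: a version-range test for "verify the integrity of all DAEMON Tools installations", and a log scan for C2 lookups and for the three binaries spawning cmd.exe. The pipe-delimited log layout and the sample lines are constructed for the example.

```python
# Hunting helpers for the DAEMON Tools compromise (added example, not vendor code).
# Indicators come from the report; the log layout and sample lines are constructed.
C2_DOMAIN = "env-check.daemontools.cc"
TROJANIZED_BINARIES = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
COMPROMISED_RANGE = ((12, 5, 0, 2421), (12, 5, 0, 2434))

def parse_version(version):
    """'12.5.0.2430' -> (12, 5, 0, 2430) so builds compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def version_is_compromised(version):
    """True if an installed build falls inside the range Kaspersky identified."""
    low, high = COMPROMISED_RANGE
    return low <= parse_version(version) <= high

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def scan_log(lines):
    """Return (rule, host, line) findings for an assumed pipe-delimited log.
    Record layouts (assumed):
      <ts>|dns|<host>|<queried name>
      <ts>|process|<host>|<parent image path>|<child image path>
    Rule 1 flags lookups of the C2 domain; rule 2 flags any of the three
    trojanized DAEMON Tools binaries spawning cmd.exe (the implant's shell).
    """
    findings = []
    for line in lines:
        fields = line.strip().split("|")
        if len(fields) < 4:
            continue  # malformed record, skip it
        kind, host = fields[1], fields[2]
        if kind == "dns":
            # normalise case, a defanged "[.]" and a trailing dot before comparing
            name = fields[3].lower().replace("[.]", ".").rstrip(".")
            if name == C2_DOMAIN:
                findings.append(("c2_dns_lookup", host, line))
        elif kind == "process" and len(fields) >= 5:
            parent, child = _basename(fields[3]), _basename(fields[4])
            if parent in TROJANIZED_BINARIES and child == "cmd.exe":
                findings.append(("dt_binary_spawned_cmd", host, line))
    return findings

SAMPLE_LOG = [  # constructed sample telemetry: ws-17 shows both indicators, ws-22 is benign
    "2026-05-02T08:14:03Z|dns|ws-17|ENV-CHECK.daemontools.cc.",
    "2026-05-02T08:14:05Z|process|ws-17|C:\\Program Files\\DAEMON Tools Lite\\DTHelper.exe|C:\\Windows\\System32\\cmd.exe",
    "2026-05-02T08:20:11Z|dns|ws-22|update.example.com",
    "2026-05-02T08:21:40Z|process|ws-22|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\cmd.exe",
]
```

A hit on rule 2 alone is a hunting lead rather than proof of compromise, since it is based only on the report's description of the implant's behaviour; pair it with the version check and the DNS rule before isolating a host.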

The DAEMON Tools attack serves as a stark reminder that even trusted software vendors can be compromised, and that traditional security defenses may be insufficient against sophisticated supply chain attacks. As software supply chain attacks continue to increase in frequency and sophistication, organizations must adapt their security postures to address this evolving threat landscape.