
Kaspersky Lab findings reveal a new supply chain attack targeting the DAEMON Tools software, whose installer was compromised and delivered a malicious payload.
“These installers are distributed from the official DAEMON Tools website and are signed with digital certificates owned by the DAEMON Tools developers,” said Kaspersky researchers Igor Kuznetsov, Georgy Kucherin, Leonid Bezvershenko, and Anton Kargin.
The installer has been trojanized since April 8, 2026, with versions 12.5.0.2421 through 12.5.0.2434 confirmed to have been compromised as part of the incident. Supply chain attacks have become increasingly active at the time of writing. The software developer, AVB Disc Soft, has been notified of the breach.
Specifically, three different DAEMON Tools components have been compromised: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe.
Whenever one of these binaries is launched, which typically happens at system startup, the implant is activated on the compromised host. It sends HTTP GET requests to an external server at env-check.daemontools[.]cc, a domain registered on March 27, 2026, to receive shell commands, which are then executed via the “cmd.exe” process.
These shell commands are used to download and execute a set of executable payloads, including the following. envchk.exe is a .NET executable that collects extensive system information. cdg.exe and cdg.tmp form a pair: the former is a shellcode loader that decrypts the contents of the latter, connects to a remote server, downloads a file, executes shell commands, and launches a minimal backdoor that runs the shellcode payload in memory.
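The indicators reported above (the compromised version range, the three trojanized components, the C2 domain and the second-stage payload names) turned into a small triage script, as an added example that is not part of the article or the Kaspersky report. The proxy-log layout, the hostnames and the sample lines are constructed assumptions; the indicator values themselves are the ones stated on the page.

```python
import re
from typing import Iterable

# Indicators as reported in the article (nothing else is assumed).
COMPROMISED_MIN = (12, 5, 0, 2421)
COMPROMISED_MAX = (12, 5, 0, 2434)
TROJANIZED_BINARIES = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
C2_DOMAIN = "env-check.daemontools.cc"  # reported defanged as env-check.daemontools[.]cc
PAYLOAD_NAMES = {"envchk.exe", "cdg.exe", "cdg.tmp"}

def parse_version(text: str) -> tuple:
    """'12.5.0.2430' -> (12, 5, 0, 2430); raises ValueError on anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version string: {text!r}")
    return tuple(int(p) for p in parts)

def is_compromised_version(text: str) -> bool:
    """True if the installed version lies within the reported trojanized range."""
    return COMPROMISED_MIN <= parse_version(text) <= COMPROMISED_MAX

# Assumed (constructed) proxy-log layout: <ts> <host> "<process path>" <method> <url>
LOG_RE = re.compile(r'^(\S+) (\S+) "([^"]+)" (GET|POST) (\S+)$')

def scan_proxy_log(lines: Iterable[str]) -> list:
    """Return (host, reason) pairs for lines matching the reported behaviour."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line; a production tool would count these
        _ts, host, proc, _method, url = m.groups()
        proc_l = proc.rsplit("\\", 1)[-1].lower()  # basename of the Windows path
        url_l = url.lower()
        if C2_DOMAIN in url_l:
            tag = "trojanized component" if proc_l in TROJANIZED_BINARIES else "process"
            hits.append((host, f"{tag} {proc_l} contacted C2 {C2_DOMAIN}"))
        elif any(url_l.endswith("/" + p) for p in PAYLOAD_NAMES):
            hits.append((host, f"download of second-stage payload {url_l.rsplit('/', 1)[-1]}"))
    return hits

# Constructed sample lines, not real telemetry (203.0.113.10 is a documentation address).
SAMPLE_LOG = [
    '2026-05-02T08:01:10Z ws-17 "C:\\Program Files\\DAEMON Tools Lite\\DTHelper.exe" GET http://env-check.daemontools.cc/',
    '2026-05-02T08:01:14Z ws-17 "C:\\Windows\\System32\\cmd.exe" GET http://203.0.113.10/envchk.exe',
    '2026-05-02T08:03:00Z ws-22 "C:\\Program Files\\Mozilla Firefox\\firefox.exe" GET https://example.com/',
]

if __name__ == "__main__":
    print(scan_proxy_log(SAMPLE_LOG))
```

A hit on the C2 domain from any process is worth triage, since the shell commands run under cmd.exe rather than the trojanized component itself.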
The Russian cybersecurity company said it observed thousands of infection attempts involving DAEMON Tools in its telemetry, affecting individuals and organizations in more than 100 countries, including Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. However, the next-stage backdoor was delivered to only a dozen hosts, indicating a targeted approach.
The systems that received the subsequent malware are said to belong to retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand. One of the payloads delivered via the backdoor is a remote access trojan called QUIC RAT. A C++ implant was additionally documented on only one victim, an educational institution in Russia.
“Deploying a backdoor to some of the infected machines in this way clearly indicates that the attackers intended to carry out the infection in a targeted manner,” Kaspersky said. “However, their intentions are unclear at this point, whether it’s cyber espionage or ‘big game hunting’.”
The malware supports multiple command-and-control (C2) protocols, including HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3, and can inject payloads into legitimate ‘notepad.exe’ and ‘conhost.exe’ processes.
This activity has not been attributed to any known threat actor or group. However, analysis of the observed artifacts indicates that it was the work of a Chinese-speaking adversary.
The DAEMON Tools breach is the latest in a growing list of software supply chain incidents in the first half of 2026, and follows similar high-profile breaches involving eScan in January, Notepad++ in February, and CPUID in April.
“Breaches of this nature bypass traditional perimeter defenses because users implicitly trust digitally signed software downloaded directly from official vendors,” Kucherin, a senior security researcher at Kaspersky GReAT, said in a statement shared with The Hacker News.
“As such, the DAEMON Tools attack went unnoticed for approximately one month. This period indicates that the attackers behind this attack are sophisticated and have advanced attack capabilities. Therefore, given the complexity of the breach, it is of utmost importance for organizations to isolate machines with Daemon Tools software installed and conduct security sweeps to prevent further spread of malicious activity within corporate networks.”
