Executive Summary
A critical supply chain attack has compromised official DAEMON Tools Windows installers, resulting in the distribution of malware directly from the vendor’s legitimate website. The attack, first detected on April 8, 2026, involved trojanized installers signed with a valid digital certificate belonging to AVB Disc Soft, the developer of DAEMON Tools. The malicious versions, specifically 12.5.0.2421 through 12.5.0.2434, were available for download for nearly a month before discovery. The attack remains ongoing as of May 5, 2026. The malware establishes persistence on infected systems, collects extensive system information, and, in targeted cases, deploys advanced backdoors and remote access trojans (RATs) capable of further compromise. While most victims are home users, approximately 10% of infections occurred within organizations, with a small subset of high-value targets in government, scientific, manufacturing, and retail sectors receiving advanced payloads. The attack demonstrates a sophisticated threat actor leveraging trusted software supply chains to bypass traditional security controls. All technical details and claims are corroborated by Kaspersky, The Hacker News, and Techzine.
Technical Information
The DAEMON Tools supply chain attack represents a sophisticated compromise of the software’s official Windows distribution channel. Attackers gained access to the build or distribution infrastructure of AVB Disc Soft, enabling them to inject malicious code into the official installers. These trojanized installers were then signed with the legitimate digital certificate of AVB Disc Soft, allowing them to bypass both user and system trust controls.
Upon installation, three core binaries - DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe - were tampered with. These binaries are configured to execute at system startup, ensuring the malware’s persistence. Each time one of these binaries is launched, the malware initiates an HTTP GET request to a command-and-control (C2) server at env-check.daemontools[.]cc, a domain registered on March 27, 2026. The C2 server may respond with shell commands, which are executed via the Windows cmd.exe process.
The initial payload, envchk.exe, is a .NET-based information gatherer. It collects the MAC address, hostname, DNS domain, running processes, installed software, and language settings from the infected system. This data is exfiltrated to the C2 server. Based on the collected information, the attackers may selectively deploy additional payloads.
In targeted cases, the C2 server delivers cdg.exe, a shellcode loader, and cdg.tmp, which contains encrypted shellcode. The loader decrypts and executes the shellcode, establishing a minimalist backdoor. This backdoor is capable of downloading further payloads, executing arbitrary shell commands, and running shellcode modules in memory.
The most advanced implant observed is QUIC RAT, a remote access trojan supporting multiple C2 protocols, including HTTP, UDP, TCP, WebSocket Secure (WSS), QUIC, DNS, and HTTP/3. QUIC RAT can inject malicious payloads into legitimate processes such as notepad.exe and conhost.exe, facilitating stealthy operation and defense evasion.
The attack leverages several MITRE ATT&CK techniques, including T1195.002 (Supply Chain Compromise), T1547.001 (Boot or Logon Autostart Execution), T1553.002 (Subvert Trust Controls: Code Signing), T1071 (Application Layer Protocol), and T1082/T1518 (System and Software Discovery). The use of a valid digital signature and distribution via the official website allowed the attack to evade traditional perimeter defenses and endpoint security solutions for nearly a month.
No destructive payloads have been observed; the focus appears to be on espionage, data collection, and establishing persistent access to high-value targets. The attack is ongoing, and the full scope of compromise is still being assessed by the vendor and security researchers.
Affected Versions & Timeline
The attack affects DAEMON Tools Windows versions 12.5.0.2421 through 12.5.0.2434. The malicious installers were distributed from the official vendor website beginning April 8, 2026. The C2 domain used in the attack, env-check.daemontools[.]cc, was registered on March 27, 2026, indicating premeditated infrastructure setup. The compromise was publicly disclosed on May 5, 2026, by Kaspersky, with confirmation from The Hacker News and Techzine. As of the latest reports, the attack remains active, and the vendor is investigating the breach.
The Mac version of DAEMON Tools is not affected, according to Kaspersky. The attack window spans from April 8, 2026, to at least May 5, 2026, with the possibility of ongoing risk until remediation is confirmed by the vendor.
Threat Activity
Telemetry from Kaspersky and corroborating sources indicates several thousand infection attempts across more than 100 countries. The majority of victims are home users, with the highest concentrations in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. Approximately 10% of infections occurred within organizational environments.
The attackers employed a two-stage approach. Most infected systems received only the initial information-gathering payload. However, a small subset—just over a dozen machines—received advanced backdoors and RATs. These high-value targets were identified as belonging to government, scientific, manufacturing, and retail organizations in Russia, Belarus, and Thailand. The selective deployment of advanced payloads suggests a targeted campaign, likely for cyberespionage or high-value data theft.
The malware’s C2 infrastructure is robust, supporting multiple communication protocols to ensure resilience and flexibility. The use of process injection into legitimate Windows processes further complicates detection and remediation efforts.
No public attribution has been made to a specific threat actor. However, technical analysis revealed Chinese-language artifacts within the malware, suggesting a Chinese-speaking adversary. There is no direct code or infrastructure overlap with known advanced persistent threat (APT) groups, and attribution confidence remains low to medium.
The DAEMON Tools incident is part of a broader surge in software supply chain attacks observed in 2026, following similar compromises involving eScan, Notepad++, and CPUID earlier in the year. The attack underscores the increasing prevalence and sophistication of supply chain threats, which now represent the most common cyber risk to organizations globally.
Mitigation & Workarounds
Immediate action is required to contain and remediate this supply chain compromise. The following recommendations are prioritized by severity:
Critical: Isolate all systems with DAEMON Tools Windows versions 12.5.0.2421 through 12.5.0.2434 installed since April 8, 2026. Disconnect affected machines from the network to prevent further C2 communication and lateral movement.
Critical: Uninstall all affected versions of DAEMON Tools from endpoints. Perform comprehensive system scans using updated security solutions to detect and remove any residual malware or backdoors.
High: Monitor network traffic for connections to env-check.daemontools[.]cc and related suspicious domains. Block these domains at the network perimeter and review firewall and proxy logs for historical connections.
High: Audit endpoint logs for execution of the tampered binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe) and for abnormal process injection activity, particularly into notepad.exe and conhost.exe.
High: Conduct forensic analysis of systems that received the advanced backdoor or RAT payloads, especially within government, scientific, manufacturing, and retail environments.
Medium: Review and update supply chain risk management policies. Ensure that all software, even from trusted vendors, is subject to integrity verification and behavioral monitoring.
Medium: Educate users and administrators about the risks of supply chain attacks and the importance of verifying software authenticity, even when obtained from official sources.
Low: Monitor for updates and advisories from AVB Disc Soft regarding remediation steps and future software releases. Apply patches or updated installers as soon as they become available.
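The following hunting script is an added example (not code from Rescana, Kaspersky, or AVB Disc Soft) that turns the behaviours described in the Technical Information section and the High-priority items above into checks: installed versions inside the trojanized range, a tampered binary spawning cmd.exe, DNS lookups of the C2 domain, and remote-thread injection into notepad.exe or conhost.exe. The Sysmon-style event records and their field names (type, host, parent, image, query, source, target) are constructed for illustration and are not a specific vendor schema.

```python
# Added example: hunt for the DAEMON Tools indicators described in the advisory.
# Event records below are constructed, Sysmon-like dicts; field names are assumed.
AFFECTED_MIN = (12, 5, 0, 2421)          # first trojanized build (from advisory)
AFFECTED_MAX = (12, 5, 0, 2434)          # last trojanized build (from advisory)
TAMPERED = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
C2_DOMAIN = "env-check.daemontools.cc"   # written defanged as [.] in the advisory
INJECT_TARGETS = {"notepad.exe", "conhost.exe"}


def is_affected_version(version: str) -> bool:
    """True when a DAEMON Tools build string falls in the trojanized range."""
    try:
        parts = tuple(int(p) for p in version.split("."))
    except ValueError:
        return False
    # Tuple comparison gives correct numeric ordering (2434 > 2421, not lexical)
    return len(parts) == 4 and AFFECTED_MIN <= parts <= AFFECTED_MAX


def _basename(path: str) -> str:
    """Case-insensitive file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events: list) -> list:
    """Return one finding string per event matching the advisory's behaviours."""
    findings = []
    for e in events:
        kind = e.get("type")
        if kind == "process_create":
            parent, child = _basename(e["parent"]), _basename(e["image"])
            # Tampered binary launching cmd.exe: C2-delivered shell command
            if parent in TAMPERED and child == "cmd.exe":
                findings.append(f"{e['host']}: {parent} spawned cmd.exe")
        elif kind == "dns_query" and e["query"].lower() == C2_DOMAIN:
            findings.append(f"{e['host']}: DNS lookup of C2 {C2_DOMAIN}")
        elif kind == "create_remote_thread":
            src, tgt = _basename(e["source"]), _basename(e["target"])
            # Injection into notepad.exe / conhost.exe as described for QUIC RAT
            if tgt in INJECT_TARGETS:
                findings.append(f"{e['host']}: {src} injected into {tgt}")
    return findings


SAMPLE_EVENTS = [  # constructed sample telemetry, not real captures
    {"type": "process_create", "host": "ws01", "parent": r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe", "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "dns_query", "host": "ws01", "query": "env-check.daemontools.cc"},
    {"type": "dns_query", "host": "ws02", "query": "update.example.com"},
    {"type": "create_remote_thread", "host": "ws03", "source": r"C:\Users\Public\loader.exe", "target": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

In a real hunt, feed hunt() with normalized events exported from your EDR or Sysmon pipeline and run is_affected_version() over the DAEMON Tools version reported by software inventory.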
References
All claims, technical details, and the timeline in this report are corroborated by at least three independent, primary sources:
Kaspersky Official Blog (May 5, 2026): https://www.kaspersky.com/blog/daemon-tools-supply-chain-attack/55691/
The Hacker News (May 5, 2026): https://thehackernews.com/2026/05/daemon-tools-supply-chain-attack.html
Techzine (May 5, 2026): https://www.techzine.eu/news/security/141034/popular-daemon-tools-utility-exploited-in-supply-chain-attack/
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor supply chain risks. Our platform enables continuous visibility into vendor security posture, supports automated risk assessments, and facilitates rapid response to emerging threats. For questions regarding this incident or to discuss supply chain risk management strategies, contact us at ops@rescana.com.