DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware
DAEMON Tools Windows installers compromised in a supply chain attack; malware active since April
DAEMON Tools Windows Installers Compromised in Supply Chain Attack; Malware Active Since April
TL;DR Kaspersky researchers identified a supply chain attack compromising DAEMON Tools Windows installers (versions 12.5.0.2421 to 12.5.0.2434) since April 8, 2026. The trojanized installers, signed with legitimate DAEMON Tools certificates and distributed from the official website, deploy an implant that contacts a command-and-control server to receive shell commands. Several thousand infection attempts were observed across more than 100 countries, though the attacker deployed a follow-on backdoor to only a dozen hosts, suggesting a targeted operation.
What happened
Kaspersky security researchers discovered that DAEMON Tools installers available from the legitimate vendor website have been compromised to deliver malware. The affected Windows versions range from 12.5.0.2421 to 12.5.0.2434, with trojanization beginning on April 8, 2026. The installers remain signed with digital certificates belonging to DAEMON Tools developers, making them appear legitimate to endpoint security controls and user verification mechanisms.
Three executable components within DAEMON Tools were modified:
- DTHelper.exe
- DiscSoftBusServiceLite.exe
- DTShellHlp.exe
When any of these binaries execute—typically during system startup—an implant activates on the host. The implant sends an HTTP GET request to an external server at "env-check.daemontools[.]cc" (a domain registered on March 27, 2026) to receive shell commands executed via cmd.exe. These commands download and run executable payloads including:
- envchk.exe: a .NET executable that collects extensive system information
- cdg.exe and cdg.tmp: a shellcode loader that decrypts and launches a minimalist backdoor with capabilities to download files, run shell commands, and execute shellcode in memory
- QUIC RAT: a remote access trojan delivered to at least one victim
The malware supports multiple command-and-control protocols: HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3. It includes process injection capabilities targeting notepad.exe and conhost.exe.
Kaspersky telemetry recorded several thousand infection attempts across more than 100 countries, including Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. However, the next-stage backdoor was delivered to only a dozen hosts, all belonging to organizations in retail, scientific, government, and manufacturing sectors located in Russia, Belarus, and Thailand. QUIC RAT was observed deployed against a single educational institution in Russia.
The macOS version of DAEMON Tools was not affected. AVB Disc Soft, the Latvian developer, has been notified of the breach. The attack remained undetected for approximately one month before discovery.
Evidence suggests the adversary is Chinese-speaking, though the threat actor remains unattributed to any known group. Kaspersky assessed the attacker as sophisticated, given the complexity of the compromise and the extended period of undetected operation.
Why it matters
This attack demonstrates a critical vulnerability in the software distribution chain: digitally signed installers downloaded from official vendor websites bypass traditional perimeter defenses because users and security systems implicitly trust them. The narrow targeting of the follow-on backdoor—delivery to only a dozen hosts out of thousands infected—indicates a reconnaissance phase followed by selective compromise, consistent with cyberespionage or targeted intrusion tactics.
For sysadmins and defenders in the MENA region, the presence of affected organizations across retail, scientific, government, and manufacturing sectors underscores the breadth of potential exposure. The use of multiple C2 protocols and in-memory shellcode execution complicates detection and response.
The incident is part of a pattern: supply chain compromises involving eScan (January 2026), Notepad++ (February 2026), and CPUID (April 2026) indicate sustained pressure on software vendors.
Affected systems and CVEs
- DAEMON Tools (Windows) versions 12.5.0.2421 to 12.5.0.2434
- Affected components: DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe
No CVE assigned at the time of publication.
What to do
- Isolate machines with DAEMON Tools software installed pending verification of their version and infection status
- Conduct network and endpoint security sweeps to identify lateral movement and secondary payload deployment
- Update DAEMON Tools to versions released after 12.5.0.2434 once AVB Disc Soft confirms remediation
- Review proxy, DNS and firewall logs for connections to "env-check.daemontools[.]cc", and look for other unexpected outbound traffic over the protocols the implant supports for C2 (HTTP, UDP, TCP, WSS, QUIC, DNS, HTTP/3)
- Monitor for suspicious process injection into notepad.exe and conhost.exe
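Two of the steps above, checking whether an installed build falls inside the affected version range and sweeping proxy logs for the published C2 domain, are easy to get subtly wrong (string comparison of version numbers, defanged indicators that never match a real host name). The script below is an added example written for this article; it is not code from Kaspersky or from AVB Disc Soft. The version range, the three component names and the C2 domain come from the reporting above; the proxy-log format and the log lines themselves are constructed for illustration and will need adapting to a real log source.

```python
"""Triage helpers for the DAEMON Tools incident: version-range check, component
name check, and a scan of proxy logs for the reported C2 domain.
Added example; the log format below is a constructed, simplified proxy log."""
import re
from urllib.parse import urlparse

# Affected version range and components as reported by Kaspersky.
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)
AFFECTED_COMPONENTS = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
# Indicator as published, in defanged form; refang() restores the dot before matching.
C2_DOMAIN_DEFANGED = "env-check.daemontools[.]cc"


def refang(indicator: str) -> str:
    """Turn defanged notation ("[.]", "hxxp") back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def parse_version(version: str) -> tuple:
    """Parse 'a.b.c.d' into a tuple of ints. Tuples compare numerically, whereas
    plain string comparison would order 12.5.0.999 after 12.5.0.2421."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected_version(version: str) -> bool:
    """True if the build is within the trojanized range 12.5.0.2421 .. 12.5.0.2434 inclusive."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def is_affected_component(path: str) -> bool:
    """True if the file name (case-insensitive, Windows or POSIX separators) is one of the
    three modified binaries; useful when walking an inventory of installed files."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name in AFFECTED_COMPONENTS


# Constructed proxy-log format: "<timestamp> <client_ip> <method> <url> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)

# Constructed sample log: two clients reach the C2 domain, one line is malformed.
SAMPLE_PROXY_LOG = """\
2026-04-09T06:12:01Z 10.0.4.21 GET http://env-check.daemontools.cc/ 200
2026-04-09T06:12:05Z 10.0.4.21 GET https://downloads.vendor.example/setup.exe 200
2026-04-09T07:40:11Z 10.0.7.3 GET http://env-check.daemontools.cc/?id=ab12 200
2026-04-09T07:41:00Z 10.0.9.8 GET https://www.example.com/ 200
this line is not in the expected format
"""


def find_c2_contacts(log_text: str, indicator: str = C2_DOMAIN_DEFANGED) -> list:
    """Return (timestamp, client_ip, url) for every request whose host is the C2 domain
    or a subdomain of it. Malformed lines are skipped rather than aborting the sweep."""
    domain = refang(indicator).lower()
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = (urlparse(m.group("url")).hostname or "").lower()
        if host == domain or host.endswith("." + domain):
            hits.append((m.group("ts"), m.group("client"), m.group("url")))
    return hits


def clients_to_isolate(log_text: str) -> list:
    """Distinct client IPs that contacted the C2 domain, in first-seen order."""
    seen = []
    for _, client, _ in find_c2_contacts(log_text):
        if client not in seen:
            seen.append(client)
    return seen


if __name__ == "__main__":
    for v in ("12.5.0.2420", "12.5.0.2421", "12.5.0.2434", "12.5.0.2435"):
        print(v, "affected" if is_affected_version(v) else "not in affected range")
    for ts, client, url in find_c2_contacts(SAMPLE_PROXY_LOG):
        print(f"{ts} {client} -> {url}")
    print("isolate:", clients_to_isolate(SAMPLE_PROXY_LOG))
```

A hit on the C2 domain identifies a host that ran one of the trojanized binaries and should be isolated under the first step above; absence of a hit only means that particular log source saw nothing, since the implant can also use non-HTTP channels (UDP, DNS, QUIC) that a web proxy will not record.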
Open questions
- The attacker's intent remains unclear: Kaspersky has not determined whether the operation targets cyberespionage or financial objectives ("big game hunting")
- AVB Disc Soft has not released specific details on remediation timelines or whether additional versions may be affected
- The exact number of organizations compromised, versus infected hosts, is not publicly disclosed
- Whether the attack vector involved compromised developer infrastructure or direct access to the build/distribution pipeline is not specified in available reporting
Source
DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware