Active Supply Chain Attack Targets DAEMON Tools Users Worldwide

In early May 2026, Kaspersky researchers uncovered a significant supply chain compromise targeting DAEMON Tools, one of the most widely used disk image mounting utilities on Windows. Malicious payloads were embedded into official installer packages distributed directly from the legitimate DAEMON Tools website — and critically, those installers were signed with valid digital certificates belonging to the software's developer, AVB Disc Soft. This attack has affected individuals and organizations across more than 100 countries, with the majority of victims concentrated in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China.

What Happened: A Trusted Installer Turned Weapon

According to Kaspersky's analysis, the supply chain attack began on April 8, 2026, with affected versions spanning 12.5.0.2421 through 12.5.0.2434. At the time of writing, the attack remains active. Three core binaries inside the DAEMON Tools installation were found to be trojanized:

  • DTHelper.exe
  • DiscSoftBusServiceLite.exe
  • DTShellHlp.exe

These files reside in the default installation directory, typically C:\Program Files\DAEMON Tools Lite. They run at machine startup and carry the vendor's legitimate code-signing certificate, so signature verification and publisher-based allowlisting pass them without complaint. The backdoor is inserted into the startup routine that initializes the CRT (C Runtime), so it executes before the program's own entry point, on every process start, regardless of what the user actually does with the application.

The Backdoor Mechanism: Typosquatting and Shell Command Execution

Once launched, each trojanized binary spawns a dedicated thread that continuously sends HTTP GET requests to a malicious command-and-control (C2) server:

https://env-check.daemontools[.]cc/2032716822411?s=<full computer name>

The C2 domain is a deliberate lookalike of the legitimate daemon-tools[.]cc download domain (the hyphen is dropped), chosen so that it blends in with traffic the vendor's own software is expected to generate and survives a casual review of outbound destinations. WHOIS records show the malicious domain was registered on March 27, 2026, roughly a week before the first trojanized installer appeared. In response to these beaconing GET requests, the server can return arbitrary shell commands, which are executed through cmd.exe. The observed command template downloads a payload executable from a secondary server at 38.180.107[.]76, runs it, then deletes it. This download, execute, delete sequence keeps the payload on disk only briefly, so the durable evidence is process telemetry (cmd.exe spawned by one of the three signed binaries, and the short-lived payload process) rather than the file itself.

Payload Stage 1: Information Collector with Chinese-Language Artifacts

The first-stage payload, deployed across a broad set of infected machines, is an information collector (SHA1: 2d4eb55b01f59c62c6de9aacba9b47267d398fe4): a .NET executable named envchk.exe. Its decompiled code contains Chinese-language strings, which suggests a Chinese-speaking operator, though Kaspersky has not attributed the campaign to any known group at this stage. The collector harvests the following data from each compromised host:

  • MAC address (first non-zero adapter)
  • Hostname
  • DNS domain name
  • List of running processes
  • List of installed software
  • System locale

This data is exfiltrated via HTTP POST to the C2 server, encoded as key-value pairs. The breadth of what is collected, especially the installed-software and running-process lists, is what an operator needs to profile an already-compromised host and decide whether it merits further-stage tooling.
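The beaconing GET described in the previous section and the collector's POST exfiltration leave the same kind of trail in proxy and EDR logs. The following Python is an added example, not Kaspersky's or AVB Disc Soft's code, that runs the article's indicators over a few constructed log lines: it flags the known C2 and payload hosts, catches the hyphen-dropping lookalike domain by edit distance against the legitimate daemon-tools[.]cc, matches the GET /<digits>?s=<computer name> beacon shape, tags POSTs to the C2 as exfiltration, and checks process-creation events for cmd.exe spawned by one of the three signed binaries. The log format, hostnames, timestamps, the payload URL path and the placeholder command line are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators published by Kaspersky and quoted in the article, written undefanged so they
# can be matched against log text. Nothing in this script touches the network.
C2_HOST = "env-check.daemontools.cc"
PAYLOAD_HOST = "38.180.107.76"
LEGIT_DOMAINS = {"daemon-tools.cc"}            # the vendor's real download domain
TROJANIZED = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike registrable domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a hostname. Adequate for .cc; a production rule would use the Public Suffix List."""
    return ".".join(host.lower().rsplit(".", 2)[-2:])


def lookalike(host: str):
    """Return the legitimate domain this host imitates (within two edits), or None."""
    rd = registrable(host)
    for legit in LEGIT_DOMAINS:
        if rd != legit and edit_distance(rd, legit) <= 2:
            return legit
    return None


# Constructed key=value proxy-log format for this example; not any real product's schema.
LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) method=(?P<method>\S+) url=(?P<url>\S+)"
)


def analyse(line: str):
    """Return a finding dict for one log line, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    u = urlsplit(rec["url"])
    dst = u.hostname or ""
    reasons = []
    if dst in (C2_HOST, PAYLOAD_HOST):
        reasons.append("known-ioc")
    legit = lookalike(dst)
    if legit:
        reasons.append(f"lookalike-of:{legit}")
    # Beacon shape from the writeup: GET /<digits>?s=<full computer name>
    if rec["method"] == "GET" and re.fullmatch(r"/\d+", u.path) and parse_qs(u.query).get("s") == [rec["host"]]:
        reasons.append("beacon-shape")
    # The collector exfiltrates with a POST to the same C2 host
    if rec["method"] == "POST" and dst == C2_HOST:
        reasons.append("exfil-post")
    if rec["proc"].lower() in TROJANIZED:
        reasons.append("trojanized-process")
    return {"host": rec["host"], "proc": rec["proc"], "url": rec["url"], "reasons": reasons}


def scan(lines):
    """Findings for every line that triggered at least one reason."""
    return [r for r in map(analyse, lines) if r and r["reasons"]]


def suspicious_child(event: dict) -> bool:
    """Process-creation check: cmd.exe spawned by one of the trojanized binaries, or any
    command line that references the payload server."""
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    child = event["image"].rsplit("\\", 1)[-1].lower()
    return (parent in TROJANIZED and child == "cmd.exe") or PAYLOAD_HOST in event["cmdline"]


# Constructed sample telemetry (hostnames, timestamps and the payload URL path are made up).
SAMPLE_LOG = [
    "2026-04-10T08:01:12Z host=WS-0412 proc=DTHelper.exe method=GET url=https://env-check.daemontools.cc/2032716822411?s=WS-0412",
    "2026-04-10T08:01:13Z host=WS-0412 proc=chrome.exe method=GET url=https://www.daemon-tools.cc/downloads",
    "2026-04-10T08:05:40Z host=WS-0412 proc=envchk.exe method=POST url=https://env-check.daemontools.cc/2032716822411",
    "2026-04-10T08:05:41Z host=WS-0412 proc=cmd.exe method=GET url=http://38.180.107.76/payload",
]
SAMPLE_EVENT = {
    "parent": r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe",
    "image": r"C:\Windows\System32\cmd.exe",
    # Placeholder standing in for the observed download/run/delete template, not the real command.
    "cmdline": "cmd.exe /c <download from 38.180.107.76> & <run> & del <payload>",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["proc"], f["url"], ",".join(f["reasons"]))
    print("suspicious child:", suspicious_child(SAMPLE_EVENT))
```

Run as-is it prints three findings (the beacon from DTHelper.exe, the collector's POST, and cmd.exe fetching from the payload server) and skips the browser's visit to the real vendor site. The beacon-shape rule is the one worth keeping after the IOCs rotate: a numeric path with the machine name in the query string is unusual for legitimate software, and the lookalike check will catch the next hyphen-dropping registration too.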

Payload Stage 2 and Beyond: Minimalistic Backdoor and QUIC RAT

While the information collector was deployed broadly, Kaspersky observed that only a dozen machines received further-stage payloads, including a minimalistic backdoor and a QUIC-based Remote Access Trojan (RAT). The selective deployment is a hallmark of targeted supply chain operations: cast a wide net for reconnaissance, then surgically deploy persistent access tools to pre-screened, high-value targets. The organizations that received these deeper implants spanned retail, scientific, government, and manufacturing sectors — a profile consistent with cyber-espionage rather than financially motivated cybercrime.

The use of QUIC for the RAT's communications is a deliberate choice. QUIC runs over UDP (HTTP/3 uses UDP port 443), its payload is encrypted from the first flight, and it is commonly permitted through enterprise egress rules written with browsers in mind, so TCP-oriented proxies and TLS inspection see nothing useful. Blocking or inspecting QUIC at the egress point is feasible, since browsers fall back to TCP when UDP/443 is unavailable, but many environments have never turned that on, which leaves detection to the unencrypted packet header and to which process on the host is opening the connection.
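Monitoring for QUIC from the wrong process needs only the unencrypted long header, whose layout is stable across QUIC versions. The following Python is an added example, not from the article, Kaspersky or the vendor, that parses that header from raw UDP datagrams, classifies v1 packet types, and reports Initial packets (new QUIC connections) from processes that have no reason to speak HTTP/3. The expected-process set, the flow-record format, process names and destination addresses are assumptions made for the example; the datagrams are constructed.

```python
from dataclasses import dataclass

QUIC_V1 = 0x00000001
LONG_TYPES_V1 = {0: "Initial", 1: "0-RTT", 2: "Handshake", 3: "Retry"}


@dataclass
class QuicLongHeader:
    version: int
    packet_type: str
    dcid: bytes
    scid: bytes


def parse_quic_long_header(d: bytes):
    """Parse the version-independent QUIC long header (RFC 8999) and classify the packet
    type for QUIC v1 (RFC 9000). Returns None when the datagram is not a QUIC long header."""
    if len(d) < 7 or not d[0] & 0x80:          # Header Form bit (0x80) set => long header
        return None
    version = int.from_bytes(d[1:5], "big")
    dcil = d[5]
    if len(d) < 7 + dcil:
        return None
    dcid = d[6:6 + dcil]
    scil = d[6 + dcil]
    if len(d) < 7 + dcil + scil:
        return None
    scid = d[7 + dcil:7 + dcil + scil]
    if version == 0:
        ptype = "VersionNegotiation"
    elif version == QUIC_V1:
        if not d[0] & 0x40:                     # Fixed Bit must be 1 in v1
            return None
        ptype = LONG_TYPES_V1[(d[0] & 0x30) >> 4]
    else:
        ptype = "unknown-version"               # v2 or a greased version; still QUIC-shaped
    return QuicLongHeader(version, ptype, dcid, scid)


# Processes expected to open QUIC connections on this estate; an assumption for the example.
QUIC_EXPECTED = {"chrome.exe", "msedge.exe", "firefox.exe"}


def audit_flows(flows):
    """flows: records of outbound UDP datagrams with the originating process, e.g. an EDR
    network event joined to a packet capture. Reports each new QUIC connection (an Initial
    packet) opened by a process that is not expected to speak QUIC."""
    findings = []
    for f in flows:
        hdr = parse_quic_long_header(f["payload"])
        if hdr is None or hdr.packet_type != "Initial":
            continue
        if f["proc"].lower() not in QUIC_EXPECTED:
            findings.append({"proc": f["proc"], "dst": f"{f['dst']}:{f['dport']}",
                             "dcid": hdr.dcid.hex()})
    return findings


def make_initial(dcid: bytes, scid: bytes = b"") -> bytes:
    """Constructed test input: the start of a QUIC v1 Initial packet (no token, no crypto)."""
    return (bytes([0xC0]) + QUIC_V1.to_bytes(4, "big")
            + bytes([len(dcid)]) + dcid + bytes([len(scid)]) + scid + b"\x00")


# Constructed flow records; process names and destinations are made up.
SAMPLE_FLOWS = [
    {"proc": "chrome.exe", "dst": "203.0.113.10", "dport": 443, "payload": make_initial(b"\x11" * 8)},
    {"proc": "svc_update.exe", "dst": "198.51.100.7", "dport": 443, "payload": make_initial(b"\x22" * 8, b"\x33" * 4)},
    {"proc": "svchost.exe", "dst": "192.0.2.53", "dport": 53, "payload": b"\x12\x34\x01\x00\x00\x01\x00\x00"},
    # Short-header packet on the same connection as above: not a new connection, so not reported.
    {"proc": "svc_update.exe", "dst": "198.51.100.7", "dport": 443, "payload": b"\x40" + b"\x22" * 8 + b"\x00"},
]

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f)
```

Reporting only Initial packets keeps the alert volume to one per connection rather than one per datagram; the Destination Connection ID from that first packet is the handle for correlating the rest of the flow in a capture. Note that a QUIC server can also listen on a port other than 443, so the process-based rule matters more than the port.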

Why This Attack Is Particularly Dangerous

Several attributes make this campaign especially difficult to defend against using conventional controls:

  • Legitimate code signatures: The trojanized binaries carry valid certificates from AVB Disc Soft, undermining allowlist and signature-based defenses.
  • Official distribution channel: Users downloading from the real DAEMON Tools website receive infected installers — no phishing or third-party site required.
  • Persistence via startup binaries: The backdoor activates on every boot through trusted system executables.
  • Typosquatted C2 infrastructure: The C2 domain closely mirrors legitimate DAEMON Tools infrastructure, complicating network-level detection.
  • Selective targeting: The two-stage approach limits noisy further-stage activity to targets the attacker has already vetted, reducing the overall detection surface.

Victimology: Broad Reach, Narrow Impact

Kaspersky telemetry recorded several thousand infection attempts from early April 2026 onward, spanning over 100 countries. The geographic spread aligns with DAEMON Tools' global user base; the software is particularly popular in Eastern Europe, Latin America, and parts of Asia. Only about a dozen machines, at a single-digit number of organizations, received the deeper payloads, reinforcing the targeted, espionage-oriented nature of the campaign. That ratio, thousands beaconing and twelve selected, points to an operator who prioritizes operational security over scale; Kaspersky has not attributed the activity to a named group.

Recommendations: What to Do Now

If you or your organization uses DAEMON Tools, take the following steps immediately:

  • Check your installed version. If you are running any DAEMON Tools version between 12.5.0.2421 and 12.5.0.2434, treat the host as potentially compromised.
  • Isolate affected systems from the broader network pending investigation.
  • Block the known malicious indicators at your firewall and proxy: the domain env-check.daemontools[.]cc and the IP 38.180.107[.]76.
  • Audit startup processes for unexpected activity from DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe.
  • Hunt for the information collector by searching for envchk.exe in C:\Windows\Temp\ or matching its SHA1 hash. Because the command template deletes the payload after running it, an absent file is not a clean result; check process-creation telemetry and other execution artifacts for envchk.exe as well.
  • Monitor for QUIC traffic to unexpected destinations, particularly from processes that should not be generating network activity.
  • Apply Kaspersky detection rules if using Kaspersky solutions, including updated KEDR Expert rules published May 5, 2026.
  • Await a clean version from AVB Disc Soft before reinstalling. Kaspersky has notified the vendor to initiate remediation.
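The version check and the hunt for envchk.exe are the parts of this list that can be scripted and run across a fleet. The following Python is an added example, not Kaspersky's or AVB Disc Soft's tooling: it compares a version string against the trojanized range, lists which of the three startup binaries are present, hashes any envchk.exe in the temp directory against the published SHA1, and returns a verdict. The directory layout built in demo() is constructed with dummy file contents, so its collector hash will not match the IOC; on a real host you would pass the product's DisplayVersion from its Uninstall registry key, C:\Program Files\DAEMON Tools Lite and C:\Windows\Temp.

```python
import hashlib
import tempfile
from pathlib import Path

# Values quoted in the article. No hashes are published for the trojanized binaries
# themselves, so those are matched by name and version only.
AFFECTED_FIRST, AFFECTED_LAST = "12.5.0.2421", "12.5.0.2434"
TROJANIZED = ("DTHelper.exe", "DiscSoftBusServiceLite.exe", "DTShellHlp.exe")
COLLECTOR_NAME = "envchk.exe"
COLLECTOR_SHA1 = "2d4eb55b01f59c62c6de9aacba9b47267d398fe4"


def version_tuple(v: str):
    """'12.5.0.2430' -> (12, 5, 0, 2430); non-numeric suffixes on a component are ignored."""
    parts = []
    for p in v.strip().split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_affected(v: str) -> bool:
    return version_tuple(AFFECTED_FIRST) <= version_tuple(v) <= version_tuple(AFFECTED_LAST)


def sha1_of(path: Path) -> str:
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(version: str, install_dir, temp_dir):
    """Classify one host from its DAEMON Tools version and the two directories named in the
    article. Returns (verdict, findings); verdict is 'compromised', 'investigate' or 'not-affected'."""
    install_dir, temp_dir = Path(install_dir), Path(temp_dir)
    findings = []
    if version_affected(version):
        findings.append(f"version {version} is inside the trojanized range")
    for name in TROJANIZED:
        if (install_dir / name).is_file():
            findings.append(f"startup binary present, audit its child processes: {name}")
    collector = temp_dir / COLLECTOR_NAME
    collector_hit = False
    if collector.is_file():
        digest = sha1_of(collector)
        collector_hit = digest == COLLECTOR_SHA1
        findings.append(f"{COLLECTOR_NAME} present in temp dir, SHA1 {digest} "
                        f"{'matches' if collector_hit else 'does not match'} the published IOC")
    if collector_hit:
        return "compromised", findings
    # An affected version without the collector on disk is still suspect: the command template
    # deletes the payload after running it, so execution telemetry must be checked as well.
    if version_affected(version) or collector.is_file():
        return "investigate", findings
    return "not-affected", findings


def demo():
    """Build a constructed install/temp layout with dummy file contents and triage it."""
    with tempfile.TemporaryDirectory() as root:
        install = Path(root) / "DAEMON Tools Lite"
        temp = Path(root) / "Temp"
        install.mkdir()
        temp.mkdir()
        for name in TROJANIZED:
            (install / name).write_bytes(b"MZ dummy")
        (temp / COLLECTOR_NAME).write_bytes(b"MZ dummy collector")
        return triage("12.5.0.2430", install, temp)


if __name__ == "__main__":
    verdict, findings = demo()
    print(verdict)
    for f in findings:
        print(" -", f)
```

The verdict deliberately never returns "clean" for an affected version: the page's own description of the command template (download, run, delete) means the file-system check can come back empty on a host that executed the collector, and only EDR or other execution records settle that.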

Conclusion: Software Trust Is No Longer a Given

The DAEMON Tools supply chain attack is a stark reminder that digital signatures and official download channels are not absolute guarantees of safety. When a threat actor achieves code-signing access or insertion into a vendor's build pipeline, the very mechanisms defenders rely upon become vectors for trust exploitation. Organizations should layer their defenses accordingly — combining endpoint detection, network traffic analysis, behavioral monitoring, and proactive threat hunting rather than relying on any single control. As this attack is still active at the time of writing, treat any system running the affected DAEMON Tools versions as a priority investigation until cleared.