{"id":819,"date":"2026-05-05T18:23:08","date_gmt":"2026-05-05T18:23:08","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=819"},"modified":"2026-05-05T18:23:08","modified_gmt":"2026-05-05T18:23:08","slug":"daemon-tools-supply-chain-attack-compromises-official-installers-with-malware","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=819","title":{"rendered":"DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware"},"content":{"rendered":"<div>\n<p><span class=\"p-author\"><i class=\"icon-font icon-user\">\ue804<\/i><span class=\"author\">Ravie Lakshmanan<\/span><i class=\"icon-font icon-calendar\">\ue802<\/i><span class=\"author\">May 05, 2026<\/span><\/span><span class=\"p-tags\">Endpoint Security \/ Software Security<\/span><\/p>\n<\/div>\n<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEghQDcWhFHnIEeEngbqyPFjkweCMgT7FoZRRZV0WYRuHg1cHip2O0lw2ahMc7jhJnzOCqqrLhzpM9w-O3eLpVdiCvI4C3-RD6XwqTkDxWdhzkS-W2BsbLy_SFwnjykdvvhuhjGnwPkFpOSJiapeWULhqx9er8hDH0sCCtoK51OrH4nSYqc_oAZwILcOi1A2\/s1700-e365\/daemon.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><\/a><\/div>\n<p>A newly identified supply chain attack targeting DAEMON Tools software has compromised its installers to serve a malicious payload, according to findings from Kaspersky.<\/p>\n<p>\u00abThese installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to DAEMON Tools developers,\u00bb Kaspersky researchers\u00a0 Igor Kuznetsov, Georgy Kucherin, Leonid Bezvershenko, and Anton Kargin <a href=\"https:\/\/securelist.com\/tr\/daemon-tools-backdoor\/119654\/\">said<\/a>.<\/p>\n<p>The installers have been trojanized since April 8, 2026, with versions ranging from 12.5.0.2421 to 12.5.0.2434 identified as compromised as part of the incident. The supply chain attack is active as of writing. AVB Disc Soft, the developer of the software, has been notified of the breach.<\/p>\n<p>Specifically, three different components of DAEMON Tools have been tampered with &#8211;<\/p>\n<ul>\n<li>DTHelper.exe<\/li>\n<li>DiscSoftBusServiceLite.exe<\/li>\n<li>DTShellHlp.exe<\/li>\n<\/ul>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/threatlabz-vpn-risk-2026-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhnNON5UeWywT7OcPNw7V4L7QNWnCnm7Xl_99Y9ek8dL-gRwx-bWxQM1TKqt8deqqrdpUyKMuuijAWyyPQVB0s0qf8ntQ6ldFAJLru-QUWhddKTopc7SeNbBBnd-TsfFyRPP-AAyDuclLlL6XHK4_LXqDC_7eyaz9pzToYr7U543MhrJ7qcK-89sVWHTQUZ\/s728-e100\/zz-2-d.jpg\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>Any time one of these binaries is launched, which typically happens during system startup, an implant is activated on the compromised host. It&#8217;s designed to send an HTTP GET request to an external server (\u00abenv-check.daemontools[.]cc\u00bb) \u2013 a domain registered on March 27, 2026 \u2013 in order to receive a shell command that&#8217;s run using the \u00abcmd.exe\u00bb process.<\/p>\n<p>The shell command, for its part, is used to download and run a series of executable payloads. These include &#8211;<\/p>\n<ul>\n<li>envchk.exe, a .NET executable to collect extensive system information.<\/li>\n<li>cdg.exe and cdg.tmp, the former of which is a shellcode loader responsible for decrypting the contents of the second file and launching a minimalist backdoor that contacts a remote server to download files, run shell commands, and execute shellcode payloads in memory.<\/li>\n<\/ul>\n<p>The Russian cybersecurity company said it observed several thousand infection attempts involving DAEMON Tools in its telemetry, impacting individuals and organizations in more than 100 countries, such as Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. However, the next-stage backdoor has been delivered only to a dozen hosts, indicating a targeted approach.<\/p>\n<p>The systems that received the follow-on malware have been flagged as belonging to retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand. What&#8217;s more, one of the payloads delivered via the backdoor is a remote access trojan dubbed QUIC RAT. The use of the C++ implant has been recorded against a lone victim: an educational institution located in Russia.<\/p>\n<p>\u00abThis manner of deploying the backdoor to a small subset of infected machines clearly indicates that the attacker had intentions to conduct the infection in a targeted manner,\u00bb Kaspersky said. \u00abHowever, their intent \u2013 whether it is cyberespionage or \u2018big game hunting\u2019 \u2013 is currently unclear.\u00bb<\/p>\n<p>The malware supports a variety of command-and-control (C2) protocols, including HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP\/3, and comes equipped with capabilities to inject payloads into legitimate \u00abnotepad.exe\u00bb and \u00abconhost.exe\u00bb processes.<\/p>\n<p>The activity has not been attributed to any known threat actor or group. But evidence points to it being the work of a Chinese-speaking adversary based on an analysis of the artifacts observed.<\/p>\n<div class=\"dog_two clear\">\n<div class=\"cf\"><a href=\"https:\/\/thehackernews.uk\/ai-cant-stop-d\" rel=\"nofollow noopener sponsored\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"lazyload\" alt=\"Cybersecurity\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjPEV6-530TOlxG6PjrmdlY623wpBwduZ7t1HV6flcmO5R4q4AmfixDUzW0CrhlvMVNWbhvOIso-UDNTka4W_W9Chrdj_dglwBZwi7DuePM2IMIl-hfUYVIqBXgfpr_2619K8Gptb4LzwJ6gUbi7lWl2M8AFQJsHEaw63Q7tZ6708YGruiHrr0Y2W9YYxLQ\/s728-e100\/ThreatLocker-d.png\" width=\"729\" height=\"91\"\/><\/a><\/div>\n<\/div>\n<p>The DAEMON Tools compromise is the latest in a growing list of software supply chain incidents in the first half of 2026, and follows similar high-profile breaches involving eScan in January, Notepad++ in February, and CPUID in April.<\/p>\n<p>\u00abA compromise of this nature bypasses traditional perimeter defenses because users implicitly trust digitally signed software downloaded directly from an official vendor,\u00bb Kucherin, senior security researcher at Kaspersky GReAT, said in a statement shared with The Hacker News.<\/p>\n<p>\u00abBecause of that, the DAEMON Tools attack has gone unnoticed for about a month. This period of time, in turn, indicates that the threat actor behind this attack is sophisticated and has advanced offensive capabilities. Given the high complexity of the compromise, it is thus of paramount importance for organizations to isolate machines having Daemon Tools software installed, as well as to conduct security sweeps to prevent further spreading of malicious activities inside corporate networks.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>\ue804Ravie Lakshmanan\ue802May 05, 2026Endpoint Security \/ Software Security A newly identified supply chain attack targeting DAEMON Tools software has compromised its installers to serve a malicious payload, according to findings&hellip;<\/p>\n","protected":false},"author":1,"featured_media":820,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[220,219,173,1534,696,42,158,218,261],"class_list":["post-819","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-attack","tag-chain","tag-compromises","tag-daemon","tag-installers","tag-malware","tag-official","tag-supply","tag-tools"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/819","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=819"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/819\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/820"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=819"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=819"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=819"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}