DAEMON Tools supply chain attack delivered malware through signed official installers


DAEMON Tools users are being urged to check their systems after Kaspersky uncovered a supply chain attack that used official Windows installers to deliver malware.

The compromised installers were distributed from the legitimate DAEMON Tools website and were signed with valid certificates belonging to AVB Disc Soft, the software’s developer.

Kaspersky says the malicious versions circulated from April 8, 2026. The affected DAEMON Tools Lite builds ranged from 12.5.0.2421 to 12.5.0.2434.

What happened

The attack targeted DAEMON Tools, a widely used Windows utility for mounting disk image files as virtual drives. Because users downloaded the installer from the official site, the attack looked trustworthy at first glance.

The attackers modified three DAEMON Tools components inside the installation directory. These files were DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe.

When one of those files ran during startup, hidden backdoor code activated and contacted a command-and-control server. The server could then send commands to download and run additional malware.

Attack detail                    What researchers found
Compromised software             DAEMON Tools Lite for Windows
Affected versions                12.5.0.2421 through 12.5.0.2434
First known malicious version    April 8, 2026
Compromised files                DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe
Developer certificate            Valid AVB Disc Soft signatures appeared on trojanized files
Fixed release                    DAEMON Tools 12.6.0.2445

The attack used trusted signatures to avoid suspicion

Digital signatures normally help users and security tools confirm that software came from a trusted developer. In this case, the attackers abused that trust because the modified files still carried valid AVB Disc Soft signatures.

This made the campaign more dangerous than a normal fake-download attack. A user could visit the right website, download a real installer, and still end up with a compromised build.

Kaspersky said the vendor later acknowledged the issue and released DAEMON Tools 12.6.0.2445. That updated version no longer showed the malicious behavior described in the research.

How the infection chain worked

The backdoor was placed in the C Runtime initialization code of the trojanized DAEMON Tools files. That meant the malicious thread could start when the legitimate program component launched.

The infected component sent HTTP requests to a typosquatted domain designed to resemble DAEMON Tools infrastructure. The command server could respond with PowerShell instructions that downloaded the next payload.

The first main payload acted as an information collector. It gathered system details such as the MAC address, hostname, DNS domain name, installed software, running processes, and language settings.

  • The user installed a compromised DAEMON Tools Lite build.
  • One of the trojanized DAEMON Tools components launched at startup.
  • The hidden backdoor contacted the command server.
  • The server sent PowerShell commands to download malware.
  • An information collector profiled the infected machine.
  • Selected systems later received stronger backdoors.

Most victims were profiled, but only some received deeper payloads

Kaspersky observed thousands of attempted payload deployments across more than 100 countries and territories. The largest victim concentrations were in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China.

About 10% of affected systems belonged to businesses and organizations. Most infected machines only received the information collector.

The next-stage backdoor was deployed to around a dozen systems linked to government, scientific, manufacturing, and retail organizations in Russia, Belarus, and Thailand. That selective follow-up suggests the attackers reviewed collected data before choosing high-value targets.

Victimology detail               Reported finding
Overall reach                    More than 100 countries and territories
Business systems                 About 10% of affected systems
Most common first payload        Information collector
Deeper compromise                About a dozen selected machines
High-value sectors               Government, scientific, manufacturing, and retail organizations

QUIC RAT appeared on one high-value network

Some selected targets received a minimal backdoor delivered through a shellcode loader. That backdoor could download files, run shell commands, and execute shellcode directly in memory.

Kaspersky also found an advanced implant called QUIC RAT. It appeared only on the network of a Russian educational institution, which points to a highly selective deployment.

QUIC RAT is a C++ backdoor that supports several communication protocols, including HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3. Researchers also found that it could inject payloads into notepad.exe and conhost.exe.

Signs point to a skilled operator

Kaspersky found artifacts suggesting a Chinese-speaking threat actor, but the company did not attribute the attack to a known group.

The campaign also showed signs of hands-on activity. Some deployment commands contained mistakes such as “chiper” instead of “cipher” and a missing letter in “crypto.dll,” which may indicate manual execution.

The attack remained hidden for roughly a month before public disclosure. Kaspersky compared that detection window with the 3CX supply chain attack from 2023.

What users should do now

Anyone who installed DAEMON Tools Lite builds 12.5.0.2421 through 12.5.0.2434 should treat the system as potentially exposed.

Users should update to DAEMON Tools 12.6.0.2445 or later, run a full security scan, and check for unusual activity since April 8, 2026.

Organizations should go further. They should isolate affected systems where possible, review endpoint telemetry, check network logs, and look for payload downloads from the reported command-and-control infrastructure.

  • Check whether DAEMON Tools Lite 12.5.0.2421 to 12.5.0.2434 was installed.
  • Update to DAEMON Tools 12.6.0.2445 or a newer clean release.
  • Review endpoint activity from April 8, 2026 onward.
  • Look for PowerShell downloads from suspicious servers.
  • Block traffic to the reported typosquatted command domain.
  • Search for the reported payload paths under C:\Windows\Temp.
  • Investigate code injection into notepad.exe and conhost.exe.

Indicators defenders should review

Security teams should use Kaspersky’s full IOC list for detection and response. The most important indicators include the typosquatted command domain, the hardcoded payload server, and the information collector hash.

The command-and-control domain reported by Kaspersky was env-check.daemontools[.]cc. The hardcoded IP address used for payload delivery was 38.180.107[.]76.

Teams should also check for temporary payload paths such as C:\Windows\Temp\envchk.exe, C:\Windows\Temp\cdg.exe, C:\Windows\Temp\imp.tmp, and C:\Windows\Temp\piyu.exe.

Indicator type                   Reported indicator
C2 domain                        env-check.daemontools[.]cc
Payload server                   38.180.107[.]76
Information collector SHA1       2d4eb55b01f59c62c6de9aacba9b47267d398fe4
Minimal backdoor SHA1            9dbfc23ebf36b3c0b56d2f93116abb32656c42e4
Minimal backdoor SHA1            295ce86226b933e7262c2ce4b36bdd6c389aaaef
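The checklist in "What users should do now" and the indicator table above can be worked through on a single Windows host with one script. The following is an added triage example written for this article; it is not a tool from Kaspersky, AVB Disc Soft, or the article's author. It assumes it is run as Administrator in Windows PowerShell 5.1 or later, that DAEMON Tools Lite sits in its default install folder (overridable with -InstallDir), and that Sysmon is installed for the process-creation check. Every indicator it looks for is taken from the article; the defanging brackets are removed so the strings match real telemetry.

```powershell
# Added triage example (not from the article, Kaspersky, or AVB Disc Soft).
# Assumptions: run elevated on the host under review; default install path; Sysmon present for step 6.
param(
    [string]$InstallDir = "$env:ProgramFiles\DAEMON Tools Lite"   # assumed default path
)

# Indicators as reported in the article (defanging removed).
$AffectedMin     = [version]'12.5.0.2421'
$AffectedMax     = [version]'12.5.0.2434'
$FixedVersion    = [version]'12.6.0.2445'
$TrojanizedFiles = 'DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe'
$C2Domain        = 'env-check.daemontools.cc'
$PayloadServer   = '38.180.107.76'
$PayloadPaths    = 'C:\Windows\Temp\envchk.exe', 'C:\Windows\Temp\cdg.exe',
                   'C:\Windows\Temp\imp.tmp',    'C:\Windows\Temp\piyu.exe'
$KnownHashes     = @{
    '2D4EB55B01F59C62C6DE9AACBA9B47267D398FE4' = 'information collector'
    '9DBFC23EBF36B3C0B56D2F93116ABB32656C42E4' = 'minimal backdoor'
    '295CE86226B933E7262C2CE4B36BDD6C389AAAEF' = 'minimal backdoor'
}
$Since = Get-Date '2026-04-08'   # first known malicious build

$findings = New-Object System.Collections.Generic.List[string]

# 1. Installed version, read from the Uninstall registry keys (32- and 64-bit views).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$apps = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'DAEMON Tools*' }
foreach ($app in $apps) {
    $v = $null
    if ([version]::TryParse($app.DisplayVersion, [ref]$v)) {
        if ($v -ge $AffectedMin -and $v -le $AffectedMax) {
            $findings.Add("AFFECTED: $($app.DisplayName) $v is in the trojanized range")
        } elseif ($v -lt $FixedVersion) {
            $findings.Add("REVIEW: $($app.DisplayName) $v is older than the fixed release $FixedVersion")
        }
    }
}

# 2. Hash and signature of the three components the attackers modified.
#    A valid AVB Disc Soft signature does NOT clear a file here: the trojanized builds were validly signed,
#    so the hash is what to compare against the vendor's clean release or a full IOC list.
foreach ($name in $TrojanizedFiles) {
    $path = Join-Path $InstallDir $name
    if (-not (Test-Path $path)) { continue }
    $sha1 = (Get-FileHash -Path $path -Algorithm SHA1).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $findings.Add("INFO: $name sha1=$sha1 signature=$($sig.Status) signer=$($sig.SignerCertificate.Subject)")
}

# 3. Reported payload drop paths, and whether anything found there matches a reported hash.
foreach ($p in $PayloadPaths) {
    if (Test-Path $p) {
        $h = (Get-FileHash -Path $p -Algorithm SHA1).Hash
        $label = if ($KnownHashes.ContainsKey($h)) { $KnownHashes[$h] } else { 'unknown file at reported path' }
        $findings.Add("AFFECTED: $p present (sha1=$h, $label)")
    }
}

# 4. Cached DNS lookups of the C2 domain (only covers recent lookups; an empty cache proves nothing).
$dns = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like "*$C2Domain*" }
if ($dns) { $findings.Add("AFFECTED: DNS cache holds an entry for $C2Domain") }

# 5. Live TCP connections to the hardcoded payload server.
$conn = Get-NetTCPConnection -RemoteAddress $PayloadServer -ErrorAction SilentlyContinue
if ($conn) { $findings.Add("AFFECTED: active TCP connection to $PayloadServer") }

# 6. Process creation telemetry: PowerShell spawned by a trojanized component since the first malicious build.
#    Assumes Sysmon (event ID 1); adapt to Security event 4688 if Sysmon is not deployed.
try {
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    foreach ($e in $events) {
        $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        $parent = Split-Path $d['ParentImage'] -Leaf
        if ($TrojanizedFiles -contains $parent -and $d['Image'] -match 'powershell\.exe$') {
            $findings.Add("AFFECTED: $parent spawned PowerShell at $($e.TimeCreated): $($d['CommandLine'])")
        }
    }
} catch { $findings.Add("INFO: Sysmon query returned nothing ($($_.Exception.Message))") }

if ($findings.Count -eq 0) { 'No indicators from the report were found on this host.' } else { $findings }
```

Run it as `.\Check-DaemonTools.ps1` (or with `-InstallDir` pointing at a non-default folder) and feed any AFFECTED line into the organization's incident process. The script deliberately reports the signer of each component without treating a valid signature as a clean result, because the whole point of this campaign is that the malicious files passed that check; the hash lines are there to be matched against the vendor's clean release and Kaspersky's full IOC list, which covers more than the three hashes quoted in the article.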

Why this supply chain attack matters

This incident shows why trusted software channels remain attractive to advanced attackers. A compromised official installer can bypass user suspicion because the download source looks legitimate.

The attack also shows that digital signatures alone do not guarantee safety when the vendor’s build or distribution process has been compromised.

For businesses, the lesson is clear. Software inventory, endpoint monitoring, network detection, and least-trust deployment policies matter even for tools downloaded from official websites.

FAQ

Was DAEMON Tools hacked?

Kaspersky reported that official DAEMON Tools Windows installers were compromised in a supply chain attack. The affected builds were signed and distributed from the legitimate website.

Which DAEMON Tools versions were affected?

The affected DAEMON Tools Lite versions were 12.5.0.2421 through 12.5.0.2434.

What malware was delivered?

The campaign first delivered an information collector. Selected targets later received a minimal backdoor, and one Russian educational institution received QUIC RAT.

What version fixes the issue?

Kaspersky says DAEMON Tools 12.6.0.2445 no longer shows the malicious behavior described in its research.
