DAEMON Tools Supply Chain Attack Distributes Backdoors via Trojanized Installers
In May 2026, Kaspersky researchers uncovered a sophisticated supply chain attack targeting users of DAEMON Tools, a widely used disk image mounting tool. The compromised installers, versions 12.5.0.2421 through 12.5.0.2434, were served directly from the vendor's official website beginning April 8, 2026, and remained available for nearly a month.
The attackers embedded malicious payloads in three core binaries within the installation directory (DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe). When these binaries ran at system startup, they launched a backdoor that beaconed to a typosquatted command-and-control (C2) domain, env-check.daemontools[.]cc, registered on March 27, 2026, less than two weeks before the trojanized installers went live.
The campaign affected thousands of systems across over 100 countries, with the majority of victims located in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. While roughly 90% of infections were on individual users' machines, a smaller subset of retail, scientific, government, and manufacturing organizations, primarily in Russia, Belarus, and Thailand, received follow-on payloads, suggesting espionage or "big game hunting" as the motive.
The attack employed a three-stage payload chain:
- Information Collector (envchk.exe) – A .NET-based tool that harvested system details (MAC address, hostname, installed software, processes) and exfiltrated data to 38.180.107[.]76. The presence of Chinese-language strings in its code pointed to a likely Chinese-speaking threat actor.
- Minimalistic Backdoor (cdg.exe) – An RC4-encrypted shellcode loader deployed to roughly a dozen high-value machines, enabling file downloads, command execution, and in-memory shellcode deployment.
- QUIC RAT – A sophisticated C++ implant, observed in a single attack against a Russian educational institution, featuring multi-protocol C2 communication (HTTP, UDP, TCP, WSS, QUIC, DNS, HTTP/3) and process injection capabilities.
The trojanized installers were signed with legitimate digital certificates belonging to AVB Disc Soft, the software's developer, so signature and reputation checks treated them as trusted vendor code; a valid Authenticode signature is therefore not evidence of integrity for these builds, and hunting has to rely on version, hash, and behavioural indicators instead. Key indicators of compromise (IOCs) include the malicious C2 domain, the IP address 38.180.107[.]76, and specific file hashes for the infected installers and payloads. Suspicious file paths, such as C:\Windows\Temp\envchk.exe and %AppData%\Microsoft\mcrypto.dat, were also identified.
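The following is an added example, not code from the original report, from Kaspersky, or from DAEMON Tools' developer. It runs an offline hunt for the indicators the write-up names (the C2 domain, the C2 IP, the affected installer version range, and the two dropped-file paths) over a few constructed telemetry lines. The log line formats, host names, process IDs, and the benign entries are all assumptions made for the example; only the indicators themselves come from the page.

```python
"""Offline IOC hunt for the DAEMON Tools trojanized-installer campaign.
Added example; log formats and sample telemetry below are constructed."""
import re
from typing import Dict, Iterable, List, Tuple

# Indicators from the write-up. The domain is refanged ([.] -> .) for matching.
C2_DOMAIN = "env-check.daemontools.cc"
C2_IP = "38.180.107.76"
TAMPERED_VERSIONS = ((12, 5, 0, 2421), (12, 5, 0, 2434))  # inclusive range
# %AppData% expands per user, so the second path is matched on its tail only.
SUSPICIOUS_PATHS = (
    re.compile(r"^c:\\windows\\temp\\envchk\.exe$"),
    re.compile(r"\\appdata\\roaming\\microsoft\\mcrypto\.dat$"),
)


def refang(indicator: str) -> str:
    """Turn the defanged form used in reports back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def norm_path(path: str) -> str:
    """Case-fold and unify separators so C:/Windows/TEMP/envchk.exe still matches."""
    return path.replace("/", "\\").lower()


def is_tampered_version(version: str) -> bool:
    """Numeric, field-by-field comparison against the inclusive range.
    A plain string comparison would sort 12.5.0.999 above 12.5.0.2434."""
    try:
        parts = tuple(int(p) for p in version.strip().split("."))
    except ValueError:
        return False
    return TAMPERED_VERSIONS[0] <= parts <= TAMPERED_VERSIONS[1]


def hunt_dns(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Assumed format: '<ts> <host> <qname>'. Flags the C2 host or a subdomain of it."""
    hits = []
    for line in lines:
        _ts, host, qname = line.split()[:3]
        q = refang(qname).lower().rstrip(".")
        if q == C2_DOMAIN or q.endswith("." + C2_DOMAIN):
            hits.append((host, q))
    return hits


def hunt_netconn(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Assumed format: '<ts> <host> <pid> <image path> <dst_ip>:<dst_port>'.
    The image path may contain spaces, so the destination is split off from the right."""
    hits = []
    for line in lines:
        _ts, host, _pid, rest = line.split(" ", 3)
        image, dst = rest.rsplit(" ", 1)
        if dst.rsplit(":", 1)[0] == C2_IP:
            hits.append((host, norm_path(image), C2_IP))
    return hits


def hunt_files(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Assumed format: '<ts> <host> <path>' (path may contain spaces)."""
    hits = []
    for line in lines:
        _ts, host, path = line.split(" ", 2)
        p = norm_path(path)
        if any(rx.search(p) for rx in SUSPICIOUS_PATHS):
            hits.append((host, p))
    return hits


def hunt_inventory(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Assumed format: '<host> <installed DAEMON Tools version>'."""
    return [(h, v) for h, v in (ln.split() for ln in lines) if is_tampered_version(v)]


# Constructed sample telemetry (hosts, timestamps, PIDs and benign entries are invented).
DNS_LOG = [
    "2026-04-12T08:01:02Z ws-017 env-check.daemontools.cc.",
    "2026-04-12T08:01:05Z ws-017 www.example.com",
]
NETCONN_LOG = [
    r"2026-04-12T08:01:03Z ws-017 4412 C:\Windows\Temp\envchk.exe 38.180.107.76:443",
    r"2026-04-12T08:02:00Z ws-017 1200 C:\Program Files\Browser\browser.exe 203.0.113.5:443",
]
FILE_LOG = [
    r"2026-04-12T08:00:59Z ws-017 C:\Windows\Temp\envchk.exe",
    r"2026-04-12T08:03:10Z ws-017 C:\Users\alice\AppData\Roaming\Microsoft\mcrypto.dat",
    r"2026-04-12T08:03:11Z ws-017 C:\Users\alice\AppData\Roaming\Microsoft\Windows\Themes\x.dat",
]
INVENTORY = ["ws-017 12.5.0.2428", "ws-018 12.5.0.2410", "ws-019 12.5.0.2435", "ws-020 12.5.0.999"]


def run_hunt() -> Dict[str, list]:
    """Run every hunt over the sample telemetry and return the findings by category."""
    return {
        "dns": hunt_dns(DNS_LOG),
        "netconn": hunt_netconn(NETCONN_LOG),
        "files": hunt_files(FILE_LOG),
        "inventory": hunt_inventory(INVENTORY),
    }


if __name__ == "__main__":
    for category, findings in run_hunt().items():
        print(category, findings)
```

Two design points matter for this particular campaign. The version check compares integer fields, because the tampered range sits inside an otherwise normal release line and a lexical comparison would misplace four-digit build numbers; and none of the hunts consult the Authenticode signature, since the page states the malicious builds carried the developer's own valid certificate. The domain hunt deliberately matches only the host named in the report and its subdomains; whether the parent zone deserves the same treatment is a judgement call the page does not settle.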
Source: https://cyberpress.org/daemon-tools-breach-used/
DAEMON Tools TPRM report: https://www.rankiteo.com/company/disc-soft-ltd-
"id": "dis1777998353",
"linkid": "disc-soft-ltd-",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Thousands',
'industry': ['Retail',
'Scientific',
'Government',
'Manufacturing'],
'location': ['Russia',
'Brazil',
'Turkey',
'Spain',
'Germany',
'France',
'Italy',
'China',
'Belarus',
'Thailand'],
'name': 'DAEMON Tools Users',
'type': 'Individuals and Organizations'}],
'attack_vector': 'Trojanized Installers',
'data_breach': {'data_encryption': 'RC4 (for shellcode)',
'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (for targeted organizations)',
'type_of_data_compromised': ['System details',
'Personally Identifiable '
'Information']},
'date_detected': '2026-05',
'description': 'In May 2026, Kaspersky researchers uncovered a sophisticated '
'supply chain attack targeting users of DAEMON Tools, a widely '
'used disk image mounting software. The compromised installers '
'versions 12.5.0.2421 through 12.5.0.2434 were distributed '
'directly from the official website beginning April 8, 2026, '
'and remained available for nearly a month. The attackers '
'embedded malicious payloads in three core binaries within the '
'installation directory (DTHelper.exe, '
'DiscSoftBusServiceLite.exe, and DTShellHlp.exe). The malware '
'triggered a backdoor communicating with a typosquatted '
'command-and-control (C2) domain.',
'impact': {'brand_reputation_impact': 'Likely significant due to distribution '
'from official website',
'data_compromised': 'System details (MAC address, hostname, '
'installed software, processes), potentially '
'sensitive data from high-value targets',
'identity_theft_risk': 'High (personally identifiable information '
'potentially exposed)',
'systems_affected': 'Thousands of systems across over 100 '
'countries'},
'initial_access_broker': {'backdoors_established': True,
'entry_point': 'Trojanized installers from official '
'website',
'high_value_targets': ['Russian educational '
'institution',
'Organizations in Russia, '
'Belarus, Thailand']},
'investigation_status': 'Ongoing',
'motivation': ['Espionage', 'Big Game Hunting'],
'post_incident_analysis': {'root_causes': 'Compromised supply chain, '
'legitimate digital certificates '
'used to sign malicious installers'},
'ransomware': {'data_exfiltration': True},
'references': [{'source': 'Kaspersky Research'}],
'response': {'third_party_assistance': 'Kaspersky researchers'},
'threat_actor': 'Likely Chinese-speaking threat actor',
'title': 'DAEMON Tools Supply Chain Attack Distributes Backdoors via '
'Trojanized Installers',
'type': 'Supply Chain Attack'}