DAEMON Tools installers distributed from the software's official website have been serving malware since April 8, 2026, compromising versions 12.5.0.2421 through 12.5.0.2434. Kaspersky researchers discovered the supply chain attack on May 5, revealing that attackers had trojanized three core components of the Windows version while maintaining valid digital signatures from the legitimate developer.
The compromise affects only DAEMON Tools Lite for Windows. The attack remained active at the time of discovery, with AVB Disc Soft, the Latvian developer, releasing a clean version 12.6.0.2445 within 12 hours of notification. The breach represents the fourth major software supply chain incident in 2026, following eScan in January, Notepad++ in February, and CPUID in April.
Attack Vector and Technical Implementation
Three DAEMON Tools components were modified to execute malicious code: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These binaries activate during system startup, establishing persistence on compromised hosts. The malware initiates contact with a command-and-control server at env-check.daemontools[.]cc, a domain registered on March 27, 2026, twelve days before the attack began.
The initial implant sends HTTP GET requests to receive shell commands executed through cmd.exe. This first-stage payload downloads and runs three additional components. The envchk.exe binary, a .NET executable, performs extensive system reconnaissance. A shellcode loader (cdg.exe) decrypts and launches a backdoor from cdg.tmp, enabling file downloads, shell command execution, and in-memory shellcode payload deployment.
The attack circumvents traditional security controls because all malicious installers carry valid digital signatures from DAEMON Tools developers. Organizations relying on signature verification alone have no technical indicator that downloaded files are compromised.
Selective Targeting Indicates Advanced Threat Actor
While Kaspersky telemetry recorded several thousand infection attempts across more than 100 countries—including Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China—only twelve organizations received second-stage payloads. This narrow deployment demonstrates deliberate victim selection rather than opportunistic mass compromise.
The dozen targeted systems belong to retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand. One victim, an educational institution in Russia, received QUIC RAT, a sophisticated C++ remote access trojan supporting multiple command-and-control protocols: HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3. The malware injects payloads into legitimate notepad.exe and conhost.exe processes to evade detection.
Attribution and Adversary Capabilities
Kaspersky has not attributed the attack to a known threat group, but artifact analysis points to a Chinese-speaking adversary. The 27-day window between initial compromise and discovery indicates advanced operational security and the ability to maintain persistent access to development or distribution infrastructure without detection.
Senior Kaspersky researcher Georgy Kucherin notes that bypassing code signing protections and remaining undetected for nearly a month demonstrates advanced offensive capabilities. The threat actor's ability to selectively deploy payloads points to either cyberespionage or 'big game hunting', though the precise objectives remain unclear.
Immediate Response Actions Required
Organizations must immediately identify all systems with DAEMON Tools Lite versions 12.5.0.2421 through 12.5.0.2434 installed. Kaspersky recommends isolating these machines from corporate networks until security sweeps confirm no malicious activity. Network administrators should search for connections to env-check.daemontools[.]cc and related command-and-control infrastructure.
AVB Disc Soft confirmed that DAEMON Tools Pro and Ultra versions were not affected. The company states that only the free Lite version contained compromised files. All users should immediately update to version 12.6.0.2445 or later, which removes the malicious components.
Detection and Hunting Guidance
Security teams should implement the following detection measures:
- Monitor for outbound connections to env-check.daemontools[.]cc and analyze DNS queries for similar suspicious domains registered near March 27, 2026
- Examine DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe file hashes against known clean versions
- Search for envchk.exe, cdg.exe, and cdg.tmp files in system directories, particularly in temporary folders
- Review startup processes for unexpected cmd.exe child processes spawned by DAEMON Tools components
- Analyze process injection into notepad.exe and conhost.exe, especially from unsigned or DAEMON Tools-signed binaries
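The following script is an added example, not code from Kaspersky, AVB Disc Soft, or the article itself. It turns the five detection measures above, plus the version-range check from the response section, into hunting logic that runs over a batch of telemetry records. The event format is a constructed, simplified stand-in for Sysmon or EDR output; its field names ("type", "host", "query", "image", "parent_image", "sha256", "source_signer") are assumptions, the sample events are constructed, and the clean-hash allowlist holds placeholders that must be replaced with digests taken from a trusted reference such as the 12.6.0.2445 release. The indicator names and the affected version range come from the article.

```python
"""Hunting logic for the DAEMON Tools Lite indicators described in the article.

Added example, not vendor or researcher code. Event records are a constructed,
simplified stand-in for Sysmon/EDR telemetry; field names are assumptions.
"""
from __future__ import annotations

# Indicators from the article (C2 domain is shown defanged there as env-check.daemontools[.]cc).
C2_DOMAIN = "env-check.daemontools.cc"
TROJANIZED_COMPONENTS = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
DROPPED_ARTIFACTS = {"envchk.exe", "cdg.exe", "cdg.tmp"}
INJECTION_TARGETS = {"notepad.exe", "conhost.exe"}
FIRST_BAD_BUILD = (12, 5, 0, 2421)
LAST_BAD_BUILD = (12, 5, 0, 2434)

# Placeholder allowlist: fill with SHA-256 digests of known-clean binaries.
# Until then every observed component hash is flagged as unknown, by design.
KNOWN_CLEAN_SHA256: dict[str, set[str]] = {
    "dthelper.exe": {"<CLEAN_DTHELPER_SHA256_PLACEHOLDER>"},
    "discsoftbusservicelite.exe": {"<CLEAN_BUSSERVICE_SHA256_PLACEHOLDER>"},
    "dtshellhlp.exe": {"<CLEAN_DTSHELLHLP_SHA256_PLACEHOLDER>"},
}


def parse_version(version: str) -> tuple[int, ...]:
    """'12.5.0.2421' -> (12, 5, 0, 2421); tuple comparison orders builds correctly."""
    return tuple(int(part) for part in version.strip().split("."))


def version_is_compromised(version: str) -> bool:
    """True for DAEMON Tools Lite builds inside the affected range, inclusive."""
    return FIRST_BAD_BUILD <= parse_version(version) <= LAST_BAD_BUILD


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt(events: list[dict]) -> list[str]:
    """Apply the article's detection measures; return one 'category:host:detail' per hit."""
    findings: list[str] = []
    for ev in events:
        host = ev.get("host", "?")
        kind = ev.get("type")

        # 1. Resolution of the C2 domain (trailing dot from DNS logs is tolerated).
        if kind == "dns":
            query = ev.get("query", "").lower().rstrip(".")
            if query == C2_DOMAIN:
                findings.append(f"c2_dns:{host}:{query}")

        elif kind == "process":
            image = basename(ev.get("image", ""))
            parent = basename(ev.get("parent_image", ""))
            # 2. A trojanized component whose hash is not on the clean allowlist.
            if image in TROJANIZED_COMPONENTS:
                digest = ev.get("sha256", "").lower()
                if digest not in KNOWN_CLEAN_SHA256.get(image, set()):
                    findings.append(f"unknown_component_hash:{host}:{image}")
            # 3. Second-stage artifacts executing.
            if image in DROPPED_ARTIFACTS:
                findings.append(f"dropped_artifact:{host}:{image}")
            # 4. cmd.exe spawned by a DAEMON Tools component (first-stage shell commands).
            if image == "cmd.exe" and parent in TROJANIZED_COMPONENTS:
                findings.append(f"cmd_child:{host}:{parent}")

        # 3 (file form): cdg.tmp is a payload container, not an executable, so catch it on creation.
        elif kind == "file" and basename(ev.get("path", "")) in DROPPED_ARTIFACTS:
            findings.append(f"dropped_artifact:{host}:{basename(ev['path'])}")

        # 5. Injection into notepad.exe/conhost.exe from an unsigned source or one signed
        #    by the DAEMON Tools publisher (exact certificate subject is an assumption).
        elif kind == "inject":
            target = basename(ev.get("target_image", ""))
            source = basename(ev.get("source_image", ""))
            signer = ev.get("source_signer", "").lower()
            publisher_signed = "daemon tools" in signer or "disc soft" in signer
            if target in INJECTION_TARGETS and (not signer or publisher_signed):
                findings.append(f"injection:{host}:{source}->{target}")
    return findings


# Constructed sample telemetry: ws-17 shows the full chain, ws-02 is benign.
SAMPLE_EVENTS = [
    {"type": "dns", "host": "ws-17", "query": "env-check.daemontools.cc."},
    {"type": "process", "host": "ws-17", "image": r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe",
     "parent_image": r"C:\Windows\explorer.exe", "sha256": "constructed-unknown-digest"},
    {"type": "process", "host": "ws-17", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe"},
    {"type": "file", "host": "ws-17", "path": r"C:\Users\alice\AppData\Local\Temp\cdg.tmp"},
    {"type": "process", "host": "ws-17", "image": r"C:\Users\alice\AppData\Local\Temp\cdg.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"type": "inject", "host": "ws-17", "source_image": r"C:\Users\alice\AppData\Local\Temp\cdg.exe",
     "source_signer": "", "target_image": r"C:\Windows\System32\notepad.exe"},
    {"type": "dns", "host": "ws-02", "query": "update.example.com"},
    {"type": "process", "host": "ws-02", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Each measure is kept as a separate check rather than a single regex so that a hit names the specific behaviour observed; a host that only resolves the C2 domain warrants different triage from one where cdg.exe has already injected into notepad.exe.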
Supply Chain Attack Trend Acceleration
The DAEMON Tools incident marks the fourth significant software supply chain compromise in the first five months of 2026. This acceleration demonstrates that threat actors have refined techniques for infiltrating software development and distribution pipelines. The successful deployment of digitally signed malware indicates attackers gained access to either code signing infrastructure or the build process itself.
Organizations can no longer rely solely on digital signatures as trust anchors. Defense-in-depth strategies must include behavioral analysis, network monitoring for anomalous connections from legitimate software, and rapid response capabilities to isolate potentially compromised systems. The 27-day detection gap in this incident underscores the need for continuous security monitoring beyond traditional endpoint protections.
AVB Disc Soft continues investigating the root cause and full scope of the breach. The company has not disclosed whether attackers accessed source code repositories, build servers, or distribution infrastructure. Until the complete attack vector is understood, organizations should maintain heightened scrutiny of all software updates from potentially affected vendors.