Categories: Cyber Security News

DAEMON Tools Breach Used to Spread Malware in Supply Chain Attack

Trojanized installers of the widely used disk image mounting software have been distributed directly from the official website since April 8, 2026.

Attack Overview

In early May 2026, Kaspersky researchers identified that DAEMON Tools installers versions 12.5.0.2421 through 12.5.0.2434 had been compromised with malicious payloads.

The infected installers are signed with legitimate digital certificates from AVB Disc Soft, the software’s developer, making them appear trustworthy to security tools.

The attack has already triggered thousands of infection attempts across more than 100 countries, though further-stage payloads were deployed to only a dozen targeted machines belonging to retail, scientific, government, and manufacturing organizations.

Attackers compromised three core DAEMON Tools binaries inside the installation directory (C:\Program Files\DAEMON Tools Lite):

  • DTHelper.exe
  • DiscSoftBusServiceLite.exe
  • DTShellHlp.exe

When any of these files launches at system startup, a backdoor embedded in the CRT initialization code activates and sends GET requests to the C2 domain https://env-check.daemontools[.]cc, a typosquatted lookalike of the legitimate daemon-tools[.]cc domain, registered on March 27, 2026, just days before the attack began.

Researchers at SecureList discovered attackers using PowerShell commands to secretly download and execute malicious payloads from remote servers.

The attack deploys a three-stage payload chain:

  • Information Collector (envchk.exe) — A .NET executable (SHA1: 2d4eb55b01f59c62c6de9aacba9b47267d398fe4) deployed to most infected machines. It harvests MAC address, hostname, DNS domain, running processes, installed software, and system locale, then exfiltrates data to http://38.180.107[.]76. Its code contains Chinese-language strings, suggesting a Chinese-speaking threat actor.
  • Minimalistic Backdoor (cdg.exe) — An RC4-encrypted shellcode loader deployed to roughly a dozen profiled machines. It supports file downloads, shell command execution, and in-memory shellcode execution, sending POST heartbeats to http://38.180.107[.]76/79437f5edda13f9c066/version/check.
  • QUIC RAT — A sophisticated C++ implant obfuscated with control flow flattening, observed against a single educational institution in Russia. It supports multiple C2 protocols, including HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3, and can inject payloads into notepad.exe and conhost.exe.

The majority of victims are located in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China.

While 90% of infected systems are individual users, the targeted backdoor deployments focus exclusively on organizations in Russia, Belarus, and Thailand, indicating a deliberate espionage or “big game hunting” intent.

Indicators of Compromise (IOCs)

Malicious C2 Infrastructure:

  • env-check.daemontools[.]cc
  • 38.180.107[.]76

Key File Hashes (SHA1):

File                                  SHA1
DAEMON Tools Installer 12.5.0.2421    9ccd769624de98eeeb12714ff1707ec4f5bf196d
DAEMON Tools Installer 12.5.0.2434    15ed5c3384e12fe4314ad6edbd1dcccf5ac1ee29
envchk.exe (Info Collector)           2d4eb55b01f59c62c6de9aacba9b47267d398fe4
cdg.exe payload                       9dbfc23ebf36b3c0b56d2f93116abb32656c42e4

Suspicious File Paths:

  • C:\Windows\Temp\envchk.exe
  • C:\Windows\Temp\cdg.exe
  • C:\Windows\Temp\imp.tmp
  • %AppData%\Microsoft\mcrypto.dat

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
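As an added example (not from the article, Kaspersky, or the DAEMON Tools project), the following Python script matches endpoint and DNS events against the indicators listed above. The key=value event format and the sample events are constructed assumptions; the indicators are stored exactly as published (defanged) and each observed value is defanged before comparison, so the script follows the note above and never holds a resolvable indicator.

```python
import re

# Indicators exactly as published (kept defanged); observed values are defanged
# before comparison, so the script never holds or resolves a live indicator.
C2_DOMAINS = {"env-check.daemontools[.]cc"}
C2_IPS = {"38.180.107[.]76"}
MALICIOUS_SHA1 = {
    "9ccd769624de98eeeb12714ff1707ec4f5bf196d": "DAEMON Tools Installer 12.5.0.2421",
    "15ed5c3384e12fe4314ad6edbd1dcccf5ac1ee29": "DAEMON Tools Installer 12.5.0.2434",
    "2d4eb55b01f59c62c6de9aacba9b47267d398fe4": "envchk.exe (Info Collector)",
    "9dbfc23ebf36b3c0b56d2f93116abb32656c42e4": "cdg.exe payload",
}
SUSPICIOUS_PATHS = {r"c:\windows\temp\envchk.exe", r"c:\windows\temp\cdg.exe",
                    r"c:\windows\temp\imp.tmp", r"%appdata%\microsoft\mcrypto.dat"}
# Assumed key=value event format (constructed); real EDR/SIEM exports differ.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    return {k: v.strip('"') for k, v in KV.findall(line)}

def defang(value):
    head, sep, tail = value.rpartition(".")  # bracket only the last dot, as in the article
    return f"{head}[.]{tail}" if sep else value

def match_event(event):
    hits, host = [], event.get("host", "?")
    q = event.get("query")
    if q and defang(q.lower().rstrip(".")) in C2_DOMAINS:
        hits.append((host, "dns", q, "typosquatted C2 domain"))
    dst = event.get("dst")
    if dst and defang(dst) in C2_IPS:
        hits.append((host, "net", dst, "payload staging / exfil IP"))
    sha1 = event.get("sha1", "").lower()
    if sha1 in MALICIOUS_SHA1:
        hits.append((host, "hash", sha1, MALICIOUS_SHA1[sha1]))
    path = event.get("path", "").lower()
    if path in SUSPICIOUS_PATHS:
        hits.append((host, "path", event["path"], "known dropper path"))
    return hits

def scan(lines):
    return [h for line in lines for h in match_event(parse(line))]

SAMPLE_LOG = r"""
ts=2026-04-12T08:15:02Z host=WS-042 type=dns query=env-check.daemontools.cc rtype=A
ts=2026-04-12T08:15:03Z host=WS-042 type=net dst=38.180.107.76 dport=80 proto=tcp
ts=2026-04-12T08:15:09Z host=WS-042 type=file path=C:\Windows\Temp\envchk.exe sha1=2D4EB55B01F59C62C6DE9AACBA9B47267D398FE4
ts=2026-04-12T08:16:00Z host=WS-017 type=dns query=daemon-tools.cc rtype=A
""".strip().splitlines()
```

Running scan(SAMPLE_LOG) flags the first three constructed events on WS-042 and leaves the legitimate daemon-tools.cc lookup on WS-017 untouched; the same functions can be pointed at exported DNS client, proxy, or file-inventory records once their fields are mapped to these keys.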

The post DAEMON Tools Breach Used to Spread Malware in Supply Chain Attack appeared first on Cyber Security News.
