Kaspersky has uncovered a supply chain attack that has infiltrated the official installers of DAEMON Tools, turning them into vehicles for delivering malicious code.
“These installers are being distributed through DAEMON Tools’ official website and carry valid digital signatures from the software’s developers,” explained Kaspersky researchers Igor Kuznetsov, Georgy Kucherin, Leonid Bezvershenko, and Anton Kargin.
The tampering began on April 8, 2026, affecting versions 12.5.0.2421 through 12.5.0.2434. Although DAEMON Tools is available for both Windows and Mac, Kaspersky confirmed to The Hacker News that only the Windows variant was targeted. The attack remains ongoing at the time of this report. AVB Disc Soft, the company behind the software, has been alerted to the breach.
Three specific DAEMON Tools components were modified:
- DTHelper.exe
- DiscSoftBusServiceLite.exe
- DTShellHlp.exe
Whenever any of these files is executed — which normally occurs during system boot — an implant is triggered on the affected machine. The implant sends an HTTP GET request to a remote server (“env-check.daemontools[.]cc”), a domain that was registered on March 27, 2026, to fetch a shell command that is then executed via “cmd.exe”.
That shell command, in turn, is used to retrieve and run a chain of malicious executables, including:
- envchk.exe, a .NET-based tool that gathers detailed system information.
- cdg.exe and cdg.tmp, where the first acts as a shellcode loader that decrypts the second file and deploys a lightweight backdoor. This backdoor connects to a remote server to download files, execute shell commands, and run shellcode payloads directly in memory.
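The execution chain described above (a tampered component spawning cmd.exe, a lookup of env-check.daemontools[.]cc, and the envchk.exe / cdg.exe stagers) maps directly onto a few hunt rules. The Python below is an added example written for this article, not code from Kaspersky or AVB Disc Soft; the Sysmon-style field names, host names and install paths in the sample events are assumptions, and the version check uses only the build range the article reports.

```python
import json
from ntpath import basename

# Tampered components and second-stage executables named in the report,
# plus the first-stage domain with the article's defanging brackets removed.
TAMPERED = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
STAGERS = {"envchk.exe", "cdg.exe"}
C2_DOMAIN = "env-check.daemontools.cc"
AFFECTED_MIN, AFFECTED_MAX = (12, 5, 0, 2421), (12, 5, 0, 2434)

def version_affected(version):
    """True when a DAEMON Tools build number lies in the tampered range."""
    parts = tuple(int(p) for p in version.split("."))
    return AFFECTED_MIN <= parts <= AFFECTED_MAX

def classify(event):
    """Label one Sysmon-style event, or return None if nothing matches."""
    kind = event.get("EventType")
    if kind == "ProcessCreate":
        parent = basename(event.get("ParentImage", "")).lower()
        image = basename(event.get("Image", "")).lower()
        if parent in TAMPERED and image == "cmd.exe":
            return "tampered-component-spawned-cmd"
        if image in STAGERS:
            return "known-stager-executed"
    elif kind == "DnsQuery":
        if event.get("QueryName", "").lower().rstrip(".") == C2_DOMAIN:
            return "c2-domain-lookup"
    return None

def hunt(json_lines):
    """Return (label, host) for every event that matches a rule."""
    hits = []
    for line in json_lines:
        event = json.loads(line)
        label = classify(event)
        if label:
            hits.append((label, event.get("Computer", "?")))
    return hits

# Constructed sample telemetry: hypothetical hosts and paths, not real data.
SAMPLE_LOG = [
    r'{"EventType":"ProcessCreate","Computer":"ws01","ParentImage":"C:\\Program Files\\DAEMON Tools Lite\\DTHelper.exe","Image":"C:\\Windows\\System32\\cmd.exe"}',
    r'{"EventType":"DnsQuery","Computer":"ws01","QueryName":"env-check.daemontools.cc"}',
    r'{"EventType":"ProcessCreate","Computer":"ws02","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\notepad.exe"}',
    r'{"EventType":"DnsQuery","Computer":"ws02","QueryName":"example.com"}',
    r'{"EventType":"ProcessCreate","Computer":"ws01","ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Users\\Public\\envchk.exe"}',
]

print(hunt(SAMPLE_LOG))
```

Run against real Sysmon or EDR exports, the process rule is the most durable of the three, since the domain and stager names can change while the signed component launching a shell cannot be explained by normal DAEMON Tools behaviour.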
Kaspersky’s telemetry data revealed thousands of infection attempts tied to DAEMON Tools across more than 100 countries, including Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. However, the secondary backdoor was deployed to only about a dozen machines, suggesting a highly selective targeting strategy.
The machines that received the follow-up malware were linked to retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand. Additionally, one of the payloads delivered through the backdoor was identified as QUIC RAT, a remote access trojan. This C++-based implant was used against a single target: an educational institution in Russia.
“Delivering the backdoor to only a small fraction of infected systems strongly suggests the attacker was pursuing a focused, targeted operation,” Kaspersky noted. “At this point, their ultimate goal — whether cyberespionage or ‘big game hunting’ — remains unknown.”
The malware supports multiple command-and-control (C2) communication protocols, including HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3. It also has the ability to inject malicious payloads into trusted system processes such as “notepad.exe” and “conhost.exe”.
The campaign has not yet been linked to any known threat actor or group. However, analysis of the recovered artifacts suggests the involvement of a Chinese-speaking adversary.
The DAEMON Tools breach adds to a rising wave of software supply chain attacks in the first half of 2026, following similar high-profile incidents involving eScan in January, Notepad++ in February, and CPUID in April.
“An attack of this kind sidesteps conventional perimeter security measures because users inherently trust software that is digitally signed and downloaded directly from an official source,” said Kucherin, senior security researcher at Kaspersky GReAT, in a statement provided to The Hacker News.
“As a result, the DAEMON Tools attack went undetected for roughly a month. This window of exposure underscores the sophistication and advanced offensive capabilities of the threat actor behind it. Given the complexity of this compromise, it is critical for organizations to isolate any machines running DAEMON Tools and perform thorough security scans to prevent the malware from spreading further within corporate networks.”
When reached for comment, a spokesperson for the Latvian-based developer stated they are “aware of the report and are actively investigating the matter.”
“Our team is handling this with the utmost urgency and is working diligently to evaluate and resolve the issue,” the spokesperson continued. “We are not yet in a position to verify the specific details mentioned in the report. Nevertheless, we are taking every necessary measure to address any potential risks and safeguard our users. We will share an update as soon as we have confirmed information to provide.”
(This article was updated after initial publication to incorporate responses from both Kaspersky and AVB Disc Soft.)