Kaspersky Uncovers DAEMON Tools Supply Chain Attack via Compromised Signed Installers

Kaspersky researchers have identified a sophisticated supply chain attack targeting DAEMON Tools, a popular disk image emulation software, through the distribution of compromised installers signed with legitimate developer certificates. This incident, active since at least April 8, 2026, has seen trojanized versions of DAEMON Tools Lite delivered from the official vendor website, allowing threat actors to establish persistent access and deploy further malicious payloads. The compromise effectively bypassed traditional perimeter defenses, as users implicitly trusted software obtained directly from an official, digitally signed source.

Attack Vector and Initial Compromise

The attack vector involved the insertion of malicious code into legitimate DAEMON Tools Lite installers. These compromised installers, ranging from versions 12.5.0.2421 to 12.5.0.2434, were distributed via the official DAEMON Tools website. Crucially, the malicious components within these installers were signed with valid digital certificates belonging to AVB Disc Soft, the developer of DAEMON Tools. This valid signing allowed the malware to appear trustworthy, enabling it to evade detection by standard security mechanisms that rely on certificate validation.

Upon installation of the trojanized software, several core binaries within the DAEMON Tools installation directory were found to be tampered with. These include DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. The malware establishes persistence by configuring these modified binaries to launch automatically during system startup. When one of these binaries executes, an embedded implant is activated, initiating communication with an external command-and-control (C2) server.

The initial C2 communication involves an HTTP GET request to `env-check.daemontools[.]cc`. This domain is a typosquat of the legitimate DAEMON Tools domain, `daemon-tools[.]cc`, and was registered on March 27, 2026, approximately one week prior to the commencement of the supply chain attack. The C2 server responds with shell commands, typically executed via `cmd.exe` or PowerShell, to download and run subsequent payloads.

A primary first-stage payload observed is `envchk.exe`, a .NET executable designed for extensive system information gathering. This information includes:
  • MAC address
  • Hostname
  • DNS domain name
  • Lists of running processes
  • Installed software
  • System language settings
This collected telemetry is then exfiltrated to the C2 server, enabling the threat actors to profile infected machines.

Second-Stage Payloads and Targeted Operations

Following initial reconnaissance, the threat actors engaged in a highly targeted approach for deploying additional, more sophisticated payloads. While thousands of infection attempts were detected across more than 100 countries, the advanced backdoors were delivered to only a limited subset of machines.

One such second-stage payload is a minimalistic backdoor. This implant is capable of downloading additional malicious payloads, executing arbitrary shell commands, and running shellcode modules directly in memory. Kaspersky observed this backdoor deployed to approximately a dozen hosts, predominantly belonging to retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand.

In at least one instance, against an educational institution in Russia, a more advanced implant dubbed QUIC RAT was deployed. This remote access trojan (RAT) exhibits advanced capabilities, including support for a wide array of command-and-control communication protocols such as HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3. QUIC RAT is also capable of injecting payloads into legitimate system processes like `notepad.exe` and `conhost.exe` to further evade detection and maintain persistence.

Affected Versions and Remediation

The supply chain compromise specifically affected Windows versions of DAEMON Tools Lite. DAEMON Tools Pro and DAEMON Tools Ultra were not impacted.
| Product                    | Affected Versions          | Remediation Status                                    |
|----------------------------|----------------------------|-------------------------------------------------------|
| DAEMON Tools Lite (Windows)| 12.5.0.2421 to 12.5.0.2434 | Compromised. Users should update to 12.6.0.2445 or later. |
| DAEMON Tools Pro           | Not affected               | Safe                                                  |
| DAEMON Tools Ultra         | Not affected               | Safe                                                  |
| DAEMON Tools Lite (macOS)  | Not affected               | Safe                                                  |
AVB Disc Soft, the developer, was notified of the breach and released a clean version, DAEMON Tools Lite 12.6.0.2445, on May 5/6, 2026.

Indicators of Compromise (IOCs) and Detection

Analysis of the malicious implants revealed artifacts, including strings in Chinese, suggesting the involvement of a Chinese-speaking threat actor. However, a definitive attribution to a known threat actor group has not been made. Organizations and individuals who installed DAEMON Tools Lite versions between April 8, 2026, and May 5, 2026, should consider their systems potentially compromised. No specific CVE number has been assigned to this supply chain compromise directly, as the attack leveraged the integrity of the distribution channel rather than a specific software vulnerability. Key Indicators of Compromise include:
  • Malicious Domain: `env-check.daemontools[.]cc`
  • IP Address: `38.180.107[.]76`
  • Compromised Binaries:
    • `DTHelper.exe`
    • `DiscSoftBusServiceLite.exe`
    • `DTShellHlp.exe`
  • Malware Payloads: `envchk.exe`, `cdg.exe`, `cdg.tmp`, QUIC RAT components.
  • Suspicious Process Activity: Unusual outbound HTTP connections, unexpected PowerShell execution, anomalous activity originating from `notepad.exe` or `conhost.exe` processes.
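The following script is an added example, not code from Kaspersky or from AVB Disc Soft, that turns the affected-version table and the indicator list above into two triage checks: classifying an inventoried DAEMON Tools Lite build as inside or outside the compromised range 12.5.0.2421 to 12.5.0.2434 (Windows only, per the table), and scanning proxy or DNS log lines for the published domain, IP address and payload file names. The log lines embedded in the script are constructed sample data; the `unknown` status for builds older than 12.5.0.2421 is an assumption, since the write-up only names the range above and the fixed release.

```python
"""Triage helpers for the DAEMON Tools Lite supply chain compromise.

Added example (not the vendor's or Kaspersky's code). Two checks:
  1. lite_status(): is an installed DAEMON Tools Lite build in the
     compromised range 12.5.0.2421 - 12.5.0.2434 (Windows only)?
  2. scan_logs(): which log lines mention the published network IoCs
     or first-stage payload names?
All log data below is constructed, not real telemetry.
"""
import re
from dataclasses import dataclass

# Indicators from the write-up, with the defanging brackets removed for matching.
IOC_DOMAINS = {"env-check.daemontools.cc"}
IOC_IPS = {"38.180.107.76"}
PAYLOAD_NAMES = {"envchk.exe", "cdg.exe", "cdg.tmp"}

AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)
FIXED_VERSION = (12, 6, 0, 2445)


def parse_version(text: str) -> tuple:
    """Turn '12.5.0.2430' into a tuple of ints so ranges compare correctly."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)


def lite_status(product: str, platform: str, version: str) -> str:
    """Classify one software-inventory entry against the affected-version table."""
    if product != "DAEMON Tools Lite" or platform.lower() != "windows":
        return "not-affected"          # Pro, Ultra and the macOS Lite build are out of scope
    v = parse_version(version)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "compromised"
    if v >= FIXED_VERSION:
        return "patched"
    return "unknown"                   # assumption: builds older than the range are not classified


@dataclass
class Hit:
    line_no: int
    indicator: str
    line: str


_DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.IGNORECASE)
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def scan_logs(lines) -> list:
    """Return a Hit for every (line, indicator) pair found in the given log lines.

    Domains are matched as whole host names so the legitimate daemon-tools.cc
    does not trigger on the typosquatted env-check.daemontools.cc indicator.
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        found = set()
        for m in _DOMAIN_RE.finditer(line):
            if m.group(1).lower() in IOC_DOMAINS:
                found.add(m.group(1).lower())
        for m in _IP_RE.finditer(line):
            if m.group(1) in IOC_IPS:
                found.add(m.group(1))
        lowered = line.lower()
        for name in PAYLOAD_NAMES:
            if name in lowered:
                found.add(name)
        for indicator in sorted(found):
            hits.append(Hit(n, indicator, line))
    return hits


# Constructed sample proxy log lines ("timestamp client verb url status"); not real data.
SAMPLE_LOGS = [
    "2026-04-09T08:12:03Z 10.0.5.21 GET http://env-check.daemontools.cc/ 200",
    "2026-04-09T08:12:04Z 10.0.5.21 GET http://daemon-tools.cc/updates 200",
    "2026-04-09T08:12:09Z 10.0.5.21 CONNECT 38.180.107.76:443 200",
    "2026-04-09T08:13:40Z 10.0.5.21 GET http://38.180.107.76/envchk.exe 200",
    "2026-04-09T09:00:00Z 10.0.7.3 GET http://example.com/index.html 200",
]

if __name__ == "__main__":
    print(lite_status("DAEMON Tools Lite", "Windows", "12.5.0.2430"))
    for h in scan_logs(SAMPLE_LOGS):
        print(f"line {h.line_no}: {h.indicator}  <-  {h.line}")
```

The second sample line deliberately contains the legitimate `daemon-tools.cc` host and produces no hit, which is the point of matching whole host names rather than substrings; a substring match on `daemontools` would also miss nothing here but would drown real hits in noise on a busy proxy log.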
Security teams should leverage tools such as Zondex for internet-wide search and reconnaissance to identify related infrastructure or exposed services that might be part of the attacker's network. Furthermore, comprehensive vulnerability scanning and web security testing with platforms like Secably can help identify potential weaknesses in build and distribution pipelines that could lead to such supply chain compromises. Kaspersky has implemented detection capabilities for the malicious campaign through its Anti Targeted Attack (KATA) with the Network Detection and Response (NDR) module.