DAEMON Tools Installers Compromised in Sophisticated Supply Chain Attack
In a recent and alarming development, the widely-used disk imaging software, DAEMON Tools, has been the target of a sophisticated supply chain attack. Cybersecurity experts at Kaspersky have uncovered that official installers of DAEMON Tools have been compromised to distribute malicious payloads, posing significant risks to users worldwide.
The Nature of the Compromise
The compromised installers, available directly from DAEMON Tools’ legitimate website, are digitally signed with certificates belonging to the software’s developers. This breach has been active since April 8, 2026, affecting versions 12.5.0.2421 through 12.5.0.2434. Notably, while DAEMON Tools offers versions for both Windows and Mac, only the Windows installers have been affected. The attack remains active, and AVB Disc Soft, the developer behind DAEMON Tools, has been notified of the breach.
Technical Details of the Attack
Three specific components within the DAEMON Tools software have been tampered with:
– DTHelper.exe
– DiscSoftBusServiceLite.exe
– DTShellHlp.exe
When any of these binaries are executed, typically during system startup, a malicious implant is activated. This implant sends an HTTP GET request to an external server (env-check.daemontools[.]cc), a domain registered on March 27, 2026. The server responds with a shell command executed via the cmd.exe process, initiating a sequence of malicious activities.
The attack chain involves downloading and executing several payloads:
– envchk.exe: A .NET executable that gathers extensive system information.
– cdg.exe and cdg.tmp: The former acts as a shellcode loader, decrypting the latter to launch a minimalist backdoor. This backdoor connects to a remote server to download files, execute shell commands, and run shellcode payloads in memory.
Global Impact and Targeted Approach
Kaspersky’s telemetry has detected several thousand infection attempts involving DAEMON Tools, affecting users in over 100 countries, including Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. However, the deployment of the next-stage backdoor has been limited to a select group of hosts, indicating a targeted strategy.
The systems that received the advanced malware are associated with retail, scientific, governmental, and manufacturing sectors in Russia, Belarus, and Thailand. One notable payload delivered through the backdoor is a remote access trojan named QUIC RAT, a C++ implant observed in an attack on an educational institution in Russia.
Kaspersky researchers noted, “This manner of deploying the backdoor to a small subset of infected machines clearly indicates that the attacker had intentions to conduct the infection in a targeted manner. However, their intent—whether it is cyberespionage or ‘big game hunting’—is currently unclear.”
Advanced Malware Capabilities
The malware exhibits a range of command-and-control (C2) protocols, including HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3. It also possesses the capability to inject payloads into legitimate processes like notepad.exe and conhost.exe, enhancing its stealth and persistence.
Attribution and Broader Context
While no known threat actor has been definitively linked to this attack, evidence suggests the involvement of a Chinese-speaking adversary, based on artifact analysis.
This incident adds to a series of software supply chain attacks in the first half of 2026, following breaches involving eScan in January, Notepad++ in February, and CPUID in April.
Kaspersky’s senior security researcher, Georgy Kucherin, emphasized the severity of such compromises: “A compromise of this nature bypasses traditional perimeter defenses because users implicitly trust digitally signed software downloaded directly from an official vendor. Because of that, the DAEMON Tools attack has gone unnoticed for about a month. This period of time, in turn, indicates that the threat actor behind this attack is sophisticated and has advanced offensive capabilities.”
Recommendations for Users and Organizations
Given the complexity and stealth of this attack, it is crucial for organizations and individual users to take immediate action:
– Isolate Affected Systems: Machines with DAEMON Tools installed should be isolated to prevent further spread of malicious activities within corporate networks.
– Conduct Security Audits: Perform thorough security sweeps to detect and remove any malicious implants or backdoors.
– Update Software: Ensure that all software, especially DAEMON Tools, is updated to the latest versions once patches are available.
– Monitor Network Traffic: Keep an eye on unusual network activities, particularly communications with unknown external servers.
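To make the “Technical Details” and the “Monitor Network Traffic” and “Conduct Security Audits” recommendations concrete, here is a small triage script. It is an added example for this write-up, not code from Kaspersky or from AVB Disc Soft. The only indicators it uses are the ones the article names (the affected version range, the env-check.daemontools[.]cc check-in domain, the three tampered binaries and the dropped payload names); the log line format and every sample line are constructed, and the non-C2 destinations in the sample are placeholders.

```python
"""Triage helpers for the DAEMON Tools compromise described in the article.

Added example for this write-up; not code from Kaspersky or AVB Disc Soft.
Indicators (version range, check-in domain, tampered binaries, dropped
payloads) come from the article. The log format and all sample lines are
constructed for the example.
"""
import re
from urllib.parse import urlsplit

# Indicators named in the article.
AFFECTED_FIRST = (12, 5, 0, 2421)
AFFECTED_LAST = (12, 5, 0, 2434)
C2_DOMAIN = "env-check.daemontools.cc"  # written env-check.daemontools[.]cc in the article
TAMPERED_BINARIES = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
DROPPED_PAYLOADS = {"envchk.exe", "cdg.exe", "cdg.tmp"}


def parse_version(text):
    """Turn '12.5.0.2421' into (12, 5, 0, 2421); return None for anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_affected_version(text):
    """True when an installed DAEMON Tools version falls inside the affected range."""
    version = parse_version(text)
    return version is not None and AFFECTED_FIRST <= version <= AFFECTED_LAST


# Constructed proxy-log format: "<timestamp> <machine> <process> <method> <url>".
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)$")


def classify_line(line):
    """Return (machine, reasons) for one log line; reasons is empty when nothing matched."""
    match = LOG_RE.match(line.strip())
    if not match:
        return None, []
    _ts, machine, process, method, url = match.groups()
    process = process.lower()
    dest = (urlsplit(url).hostname or "").lower()
    reasons = []
    if dest == C2_DOMAIN:
        reasons.append(f"{method} to the implant check-in domain {C2_DOMAIN}")
        if process in TAMPERED_BINARIES:
            reasons.append(f"tampered binary {process} is the process beaconing out")
    if process in DROPPED_PAYLOADS:
        reasons.append(f"network activity from dropped payload {process}")
    return machine, reasons


def triage(lines):
    """Group findings by machine so responders know which hosts to isolate first."""
    findings = {}
    for line in lines:
        machine, reasons = classify_line(line)
        if reasons:
            findings.setdefault(machine, []).extend(reasons)
    return findings


# Constructed sample: ws-17 and ws-19 show the beacon, ws-18 is clean.
# Destinations other than the check-in domain are placeholders, not indicators.
SAMPLE_LOG = [
    "2026-04-20T08:01:12Z ws-17 DTHelper.exe GET http://env-check.daemontools.cc/",
    "2026-04-20T08:01:13Z ws-17 envchk.exe POST https://placeholder.example/report",
    "2026-04-20T08:02:00Z ws-18 chrome.exe GET https://vendor-site.example/download",
    "2026-04-20T08:03:45Z ws-19 DiscSoftBusServiceLite.exe GET https://env-check.daemontools.cc/",
    "2026-04-20T08:04:01Z ws-18 DTShellHlp.exe GET https://update.example/manifest",
]

if __name__ == "__main__":
    for machine, reasons in triage(SAMPLE_LOG).items():
        print(machine)
        for reason in reasons:
            print("  -", reason)
```

Note that a DAEMON Tools binary name on its own is not treated as a finding (ws-18 above is left alone); the script only flags a machine when the process reaches the check-in domain or when one of the dropped payload names generates network traffic, which keeps the output focused on the behaviour the article actually describes.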
Developer’s Response
AVB Disc Soft, the Latvian developer of DAEMON Tools, has acknowledged the report and is actively investigating the situation. A company representative stated, “Our team is treating this matter with the highest priority and is actively working to assess and address the issue. At this stage, we are not in a position to confirm specific details referenced in the report. However, we are taking all necessary steps to remediate any potential risks and to ensure the security of our users. We will provide an update as soon as we have more verified information to share.”
Conclusion
The DAEMON Tools supply chain attack underscores the growing sophistication of cyber threats targeting trusted software vendors. Users and organizations must remain vigilant, ensuring that even trusted sources are regularly verified for integrity. Implementing robust security measures and staying informed about emerging threats are essential steps in safeguarding
Category: Security News