DAEMON Tools Supply Chain Attack: Official Installers Trojanized Since April
Signed installers for DAEMON Tools Lite were caught distributing multi-stage malware for nearly a month. While thousands were infected globally, attackers util…

Official Windows installers for DAEMON Tools Lite were trojanized starting April 8, 2026, to distribute multi-stage malware. The compromised files—including DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe—carried valid digital certificates from AVB Disc Soft and were hosted directly on the vendor's legitimate website. For nearly a month, until the release of version 12.6.0.2445 on May 5, 2026, users unknowingly installed software that exploited their implicit trust in the publisher to bypass traditional perimeter defenses.
- DAEMON Tools Lite for Windows (versions 12.5.0.2421–2434), distributed via the official site and carrying valid signatures, contained three compromised binaries active since April 8, 2026.
- The infection chain consists of a .NET info-collector, an RC4 backdoor, and a QUIC RAT implant capable of injecting code into legitimate Windows processes such as notepad.exe and conhost.exe.
- Despite thousands of infections detected across more than 100 countries, only a dozen systems—belonging to government, scientific, and industrial entities in Russia, Belarus, and Thailand—received the second-stage backdoor.
- AVB Disc Soft released version 12.6.0.2445 on May 5, 2026, to address the issue, but the specific mechanism used to compromise the build or distribution pipeline remains undisclosed.
Anatomy of the Compromise: Three Hijacked Binaries
Kaspersky researchers discovered that the DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe binaries in the official installers contained malicious code embedded directly into the CRT initialization routine. Upon system reboot, the payload contacted the domain env-check.daemontools[.]cc, which was registered on March 27, 2026, according to WHOIS data. Kaspersky confirmed that "These installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to DAEMON Tools developers." It is not yet clear exactly how attackers gained access to the vendor's distribution infrastructure.
The Infection Chain: From Profiling to the QUIC RAT
The malware follows a sophisticated multi-stage architecture. The initial component, envchk.exe, is a .NET-based information collector that harvests MAC addresses, hostnames, DNS domain names, active processes, installed software, and system language settings. This data allows attackers to profile victims before deciding whether to proceed. In only about a dozen cases was the second stage, cdg.exe—an RC4 backdoor providing persistent remote access—actually deployed.
The most advanced tool in the arsenal, a QUIC RAT implant, was observed in a single instance targeting a Russian educational institution. This implant supports communication over HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3, and is capable of injecting payloads into notepad.exe and conhost.exe. The use of modern protocols like QUIC significantly complicates detection by traditional firewalls and intrusion prevention systems.
IoCs published by Kaspersky confirm the entire chain activates without requiring user interaction beyond the initial installation of the software. Once the trojanized installer runs, the malicious code integrates into the system boot flow and establishes persistence through legitimate DAEMON Tools services, making its presence virtually indistinguishable from normal application behavior.
Surgical Precision: Targeted Payloads Amidst Mass Infection
Kaspersky’s telemetry identified thousands of installation attempts in over 100 countries and territories. Approximately 90% of those affected were private users, with the remaining 10% on corporate systems. Despite this broad reach, the advanced backdoor was delivered only to a dozen organizations across the government, research, manufacturing, and retail sectors in Russia, Belarus, and Thailand. Kaspersky noted: "This manner of deploying the backdoor to a small subset of infected machines clearly indicates that the attacker had intentions to conduct the infection in a targeted manner."
The geographic distribution of the second-stage victims and the targeted industries suggest a high-value intelligence-gathering operation, though the ultimate objective has not been definitively established. For the vast majority of victims, the infection remained at the initial profiling stage, essentially serving as noise to mask traffic toward the primary targets.
The Failure of Implicit Trust: Beyond Digital Certificates
Georgy Kucherin, a researcher with Kaspersky’s Global Research and Analysis Team, highlighted the paradox at the heart of the attack. According to Kucherin, "A compromise of this nature bypasses traditional perimeter defenses because users implicitly trust digitally signed software downloaded directly from an official vendor." This incident proves that a valid certificate no longer guarantees code integrity if the distribution pipeline itself is breached. Traditional defenses relying on signatures as a primary trust indicator must be augmented with behavioral monitoring and network analysis to detect post-installation anomalies.
Recommended Response and Mitigation
- Immediately isolate any systems where DAEMON Tools Lite versions 12.5.0.2421 through 12.5.0.2434 were installed between April 8 and May 5, 2026. Check network logs for suspicious outbound traffic to env-check.daemontools[.]cc.
- Update the software to version 12.6.0.2445, released on May 5, 2026. It is recommended to perform a clean uninstallation of previous versions followed by a comprehensive system scan.
- Conduct forensic analysis on notepad.exe and conhost.exe processes on potentially exposed systems, as the QUIC RAT implant is known to inject payloads into these legitimate Windows executables.
- Exercise caution regarding the vendor's statement that only the free Lite version was affected. Kaspersky has not independently verified the immunity of the Pro or Ultra editions, and the underlying compromise mechanism remains unknown.
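The isolation and log-review steps above can be scripted. The block below is an added triage example, not tooling from Kaspersky or AVB Disc Soft: it takes a constructed software-inventory export and a few constructed resolver log lines, flags hosts running a DAEMON Tools Lite build in the 12.5.0.2421 to 12.5.0.2434 range, and flags any host whose DNS queries name env-check.daemontools[.]cc. The inventory format, the IP-to-host map and the query-log format are assumptions; on a Windows estate the inventory would come from the Uninstall registry keys or an endpoint management tool, and the log lines from the resolver or proxy actually in use.

```python
"""Triage helper for the trojanized DAEMON Tools Lite builds.

Added example; the domain, version range and fixed version come from the
write-up, everything else (inventory, log format, IP-to-host map) is
constructed for illustration.
"""
from __future__ import annotations
import re

IOC_DOMAIN = "env-check.daemontools.cc"   # de-fanged in the write-up as env-check.daemontools[.]cc
AFFECTED_MIN = (12, 5, 0, 2421)           # first trojanized build
AFFECTED_MAX = (12, 5, 0, 2434)           # last trojanized build
FIXED = (12, 6, 0, 2445)                  # clean release of May 5, 2026

# Constructed inventory export: host,product,version (assumed format)
INVENTORY = """\
ws-101,DAEMON Tools Lite,12.5.0.2430
ws-102,DAEMON Tools Lite,12.4.0.2401
ws-103,DAEMON Tools Lite,12.6.0.2445
ws-104,DAEMON Tools Lite,12.5.0.2434
srv-07,DAEMON Tools Pro,12.5.0.2421
"""

# Constructed resolver log lines (simplified BIND-style query log, assumed format)
DNS_LOG = """\
2026-04-12T03:14:07Z client 10.0.5.101 query: env-check.daemontools.cc IN A
2026-04-12T03:14:08Z client 10.0.5.101 query: www.daemon-tools.cc IN A
2026-04-13T09:02:41Z client 10.0.5.102 query: env-check.daemontools.cc. IN A
2026-04-14T11:55:00Z client 10.0.5.103 query: update.example.net IN A
2026-04-15T22:01:13Z client 10.0.5.200 query: ENV-CHECK.daemontools.cc IN A
"""

# Constructed DHCP/asset mapping of client IP to hostname
IP_TO_HOST = {"10.0.5.101": "ws-101", "10.0.5.102": "ws-102", "10.0.5.103": "ws-103"}

DNS_QUERY = re.compile(r"client (?P<ip>\d+\.\d+\.\d+\.\d+) query: (?P<qname>\S+) IN")


def parse_version(s: str) -> tuple[int, ...]:
    """'12.5.0.2430' -> (12, 5, 0, 2430). Compare numerically: as strings,
    '12.5.0.2434' sorts before '12.5.0.25', which would misclassify builds."""
    return tuple(int(p) for p in s.strip().split("."))


def version_status(product: str, version: str) -> str:
    """'affected' for Lite in the trojanized range; 'unverified' for other
    editions in that range (vendor says unaffected, not independently
    confirmed); 'fixed' at or above 12.6.0.2445; otherwise 'not_in_range'."""
    t = parse_version(version)
    if t >= FIXED:
        return "fixed"
    if AFFECTED_MIN <= t <= AFFECTED_MAX:
        return "affected" if "lite" in product.lower() else "unverified"
    return "not_in_range"


def parse_inventory(text: str) -> dict[str, tuple[str, str]]:
    """host -> (product, version) from the CSV-style export."""
    rows: dict[str, tuple[str, str]] = {}
    for line in text.splitlines():
        if line.strip():
            host, product, version = (p.strip() for p in line.split(","))
            rows[host] = (product, version)
    return rows


def hosts_querying_ioc(dns_log: str, ip_to_host: dict[str, str]) -> set[str]:
    """Hosts (or bare IPs when unmapped) that resolved the C2 domain.
    Exact match after normalising case and the trailing dot, so the
    vendor's own look-alike domains are not flagged."""
    hits: set[str] = set()
    for line in dns_log.splitlines():
        m = DNS_QUERY.search(line)
        if m and m.group("qname").rstrip(".").lower() == IOC_DOMAIN:
            hits.add(ip_to_host.get(m.group("ip"), m.group("ip")))
    return hits


def triage(inventory: str, dns_log: str, ip_to_host: dict[str, str]) -> dict[str, str]:
    """host -> recommended action, combining install state and beaconing."""
    inv = parse_inventory(inventory)
    beacons = hosts_querying_ioc(dns_log, ip_to_host)
    actions: dict[str, str] = {}
    for host, (product, version) in inv.items():
        status = version_status(product, version)
        if host in beacons:
            actions[host] = "isolate: IoC DNS query observed"
        elif status == "affected":
            actions[host] = "isolate: trojanized build installed"
        elif status == "unverified":
            actions[host] = "review: non-Lite edition in affected version range"
        else:
            actions[host] = "no action from this check"
    for host in beacons - set(inv):
        actions[host] = "investigate: IoC DNS query from host not in inventory"
    return actions


if __name__ == "__main__":
    for host, action in sorted(triage(INVENTORY, DNS_LOG, IP_TO_HOST).items()):
        print(f"{host:12} {action}")
```

Two design points: a beacon to the C2 domain outranks the inventory (ws-102 is outside the affected range on paper but still gets isolated, since inventories lag reality), and non-Lite editions in the affected range are queued for review rather than cleared, because the vendor's claim that only the free version was affected has not been independently verified.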
Attribution and Threat Landscape
Linguistic artifacts found within the malware code are consistent with Chinese-speaking actors, though researchers have not yet made a definitive attribution to a specific APT group. The ultimate motive—whether cyber espionage, "big game hunting," or another objective—remains unconfirmed. Additionally, it is unclear if the command-and-control server remains active or under attacker control. Since there are no retroactive patches for the compromised versions, manual remediation is the only viable path for those who ran the trojanized installers.
This case represents a troubling evolution in the APT landscape: the ability to leverage institutional trust in software vendors to host dormant payloads at a global scale. The surgical selection of second-stage victims from millions of potential targets demonstrates that the greatest danger lies not in the volume of distribution, but in the ability to remain invisible within everyday software. Organizations must move away from the assumption that digital signatures and official sources are sufficient security guarantees, adopting a model of continuous verification based on an assumption of compromise.
Frequently Asked Questions
Are the paid versions of DAEMON Tools safe?
AVB Disc Soft stated that "The issue was limited to the free DAEMON Tools Lite version and did not affect any of our other products." However, Kaspersky has not independently verified the status of the Pro or Ultra editions, and the distribution pipeline compromise details have not been made public. Independent verification is advised.
Could the malware still be active on infected systems?
The current status of the env-check.daemontools[.]cc C2 server is unknown. Compromised systems may still harbor persistent artifacts or silent backdoors. A complete system cleanup is necessary; simple uninstallation of the software may not be sufficient to remove the threat.
Why did the attack go undetected for nearly a month?
Because the files were distributed via the official website and signed with valid digital certificates, they bypassed the standard checks that both users and automated perimeter defenses rely upon. This allowed the anomaly to remain technically invisible until Kaspersky's deep-dive analysis uncovered the routine.