Widespread DAEMON Tools Supply Chain Attack Enables Targeted Follow-on

Advisory
May 5, 2026
Kudelski Security Team

Summary

A sophisticated supply chain attack has compromised official DAEMON Tools installers, distributing malware signed with valid digital certificates since April 8, 2026. Discovered by Kaspersky, the incident involves trojanized versions of the software that activate an implant upon execution, enabling targeted malware delivery to a highly selective subset of victims globally. The attack, still active at the time of writing, leverages legitimate software distribution channels to bypass initial security controls and demonstrates a high degree of operational security on the part of the threat actors.

Affected Systems and/or Applications

Versions affected:

  • DAEMON Tools versions 12.5.0.2421 to 12.5.0.2434.

Attack details:

  • Thousands of infection attempts have been observed across more than 100 countries, including Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China.
  • Targeted follow-on payloads have been delivered to a small number of hosts belonging to retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand.
  • A specific remote access trojan (QUIC RAT) was recorded targeting an educational institution in Russia.

Technical Details

  • Compromised Components: Three legitimate DAEMON Tools binaries were tampered with: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These files retain valid digital signatures belonging to the original developers, which helps evade signature-based detection.
  • Execution Flow: The implant activates when any of the compromised binaries launch, which typically occurs during system startup.
  • Command and Control (C2): Upon execution, the implant sends an HTTP GET request to env-check.daemontools[.]cc (registered on March 27, 2026) to receive shell commands that are subsequently executed via cmd.exe.
  • Payload Delivery:
    • envchk.exe: A .NET executable designed for extensive system information collection.
    • cdg.exe and cdg.tmp: cdg.exe acts as a shellcode loader that decrypts and executes cdg.tmp, a minimalist backdoor capable of downloading files, running shell commands, and executing shellcode in memory.
    • QUIC RAT: A C++ implant supporting multiple C2 protocols (HTTP, UDP, TCP, WSS, QUIC, DNS, HTTP/3) with process injection capabilities targeting notepad.exe and conhost.exe. This advanced backdoor indicates a tailored, high-value targeting strategy rather than indiscriminate mass infection.

Indicators of Compromise

Infected DAEMON Tools Lite installers

Modified DiscSoftBusServiceLite.exe

C:\Windows\Temp\envchk.exe

2d4eb55b01f59c62c6de9aacba9b47267d398fe4

C:\Windows\Temp\cdg.exe
C:\Windows\Temp\imp.tmp
C:\Windows\Temp\piyu.exe

9dbfc23ebf36b3c0b56d2f93116abb32656c42e4
295ce86226b933e7262c2ce4b36bdd6c389aaaef

C2

env-check.daemontools[.]cc
38.180.107[.]76

Mitigation

  • Isolate any machines with DAEMON Tools installed and check for evidence of suspicious activity starting April 8, 2026.
  • Block network traffic to the C2 domain env-check.daemontools[.]cc.
  • Monitor for the execution of compromised binaries (DTHelper.exe, DiscSoftBusServiceLite.exe, DTShellHlp.exe) and associated payloads (envchk.exe, cdg.exe, cdg.tmp).
  • Await official guidance or patched releases from AVB Disc Soft before reinstalling the software in enterprise environments.
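As an added example that is not part of this advisory, the following Python triage helper applies the indicators above (affected version range, compromised binaries spawning cmd.exe, payload paths under C:\Windows\Temp, and the C2 domain and IP) to constructed Sysmon-style events; the event dictionary shapes and sample values are assumptions made for the example.

```python
# Added example (not from the advisory): match constructed Sysmon-style events against its IoCs.
COMPROMISED_BINARIES = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
PAYLOAD_PATHS = {r"c:\windows\temp\envchk.exe", r"c:\windows\temp\cdg.exe",
                 r"c:\windows\temp\cdg.tmp", r"c:\windows\temp\imp.tmp",
                 r"c:\windows\temp\piyu.exe"}
C2_INDICATORS = {"env-check.daemontools.cc", "38.180.107.76"}
AFFECTED_MIN, AFFECTED_MAX = (12, 5, 0, 2421), (12, 5, 0, 2434)

def version_affected(version: str) -> bool:
    """True if a DAEMON Tools version string falls inside the trojanized range."""
    try:
        parts = tuple(int(p) for p in version.split("."))
    except ValueError:
        return False
    return len(parts) == 4 and AFFECTED_MIN <= parts <= AFFECTED_MAX

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(events: list) -> list:
    """Return one finding per event that matches the advisory's indicators."""
    findings = []
    for ev in events:
        if ev["type"] == "inventory" and version_affected(ev["version"]):
            findings.append(f"affected DAEMON Tools build installed: {ev['version']}")
        elif ev["type"] == "process":
            image, parent = ev["image"].lower(), ev.get("parent_image", "").lower()
            # Implant behaviour: a compromised signed binary launching cmd.exe
            if basename(image) == "cmd.exe" and basename(parent) in COMPROMISED_BINARIES:
                findings.append(f"cmd.exe spawned by {basename(parent)} (implant shell command)")
            elif image in PAYLOAD_PATHS:
                findings.append(f"known payload executed: {ev['image']}")
        elif ev["type"] == "network":
            dest = ev.get("dest_host", ev.get("dest_ip", "")).lower()
            if dest in C2_INDICATORS:
                findings.append(f"C2 contact from {basename(ev['image'])} to {dest}")
    return findings

# Constructed sample telemetry (not real captures): one event per indicator class.
SAMPLE_EVENTS = [
    {"type": "inventory", "version": "12.5.0.2430"},
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe"},
    {"type": "network", "image": r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe",
     "dest_host": "env-check.daemontools.cc"},
    {"type": "process", "image": r"C:\Windows\Temp\envchk.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]
if __name__ == "__main__":
    print(*triage(SAMPLE_EVENTS), sep="\n")
```

Feed real EDR or Sysmon exports into `triage` by mapping their fields onto the same keys; the parent/child rule is the behavioural signal, the hash and path matches are the weaker, easily changed ones.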

What the Cyber Fusion Center is Doing

The Cyber Fusion Center (CFC) is monitoring the situation and will issue advisory updates as needed. A threat hunting campaign will be conducted to identify activity related to this attack.
