[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fliKrkbEu9NhWX_wH1JCs8cUH7_Lla_sxvBbEVZVUWpM":3},{"article":4,"iocs":45},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":29,"category":30,"article_tags":34},"d251e497-7c40-4f10-908b-f37c0e6944e5","DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware","daemon-tools-supply-chain-attack-compromises-official-installers-with-malware-951945","A newly identified supply chain attack targeting DAEMON Tools software has compromised its installers to serve a malicious payload, according to findings from Kaspersky. \"These installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to DAEMON Tools developers,\" Kaspersky researchers Igor Kuznetsov, Georgy Kucherin, Leonid","A supply chain attack has compromised DAEMON Tools installers (versions 12.5.0.2421 to 12.5.0.2434) distributed from the official website with digitally signed malware since April 8, 2026. The trojanized binaries activate an implant that beacons to a malicious C2 server, downloading payloads including a .NET info stealer and a minimalist backdoor. 
While several thousand infection attempts were detected in more than 100 countries, only about a dozen hosts received the next-stage backdoor and a single educational institution in Russia received the QUIC RAT payload, indicating a targeted operation whose motive, cyberespionage or 'big game hunting', is unclear. The activity is not attributed to a known group, but the observed artifacts point to a Chinese-speaking adversary.","DAEMON Tools official installers compromised with malware via supply chain attack since April 8, 2026.","DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware
Ravie Lakshmanan, May 05, 2026. Endpoint Security \u002F Software Security
A newly identified supply chain attack targeting DAEMON Tools software has compromised its installers to serve a malicious payload, according to findings from Kaspersky. \"These installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to DAEMON Tools developers,\" Kaspersky researchers Igor Kuznetsov, Georgy Kucherin, Leonid Bezvershenko, and Anton Kargin said.
The installers have been trojanized since April 8, 2026, with versions ranging from 12.5.0.2421 to 12.5.0.2434 identified as compromised as part of the incident. The supply chain attack is active as of writing. AVB Disc Soft, the developer of the software, has been notified of the breach.
Specifically, three components of DAEMON Tools have been tampered with: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. Any time one of these binaries is launched, which typically happens during system startup, an implant is activated on the compromised host. It's designed to send an HTTP GET request to an external server (\"env-check.daemontools[.]cc\") – a domain registered on March 27, 2026 – in order to receive a shell command that's run using the \"cmd.exe\" process.
The shell command, for its part, is used to download and run a series of executable payloads. These include envchk.exe, a .NET executable that collects extensive system information, and the pair cdg.exe and cdg.tmp: cdg.exe is a shellcode loader that decrypts the contents of cdg.tmp and launches a minimalist backdoor that contacts a remote server to download files, run shell commands, and execute shellcode payloads in memory.
The Russian cybersecurity company said it observed several thousand infection attempts involving DAEMON Tools in its telemetry, impacting individuals and organizations in more than 100 countries, including Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. However, the next-stage backdoor has been delivered to only a dozen hosts, indicating a targeted approach. The systems that received the follow-on malware have been flagged as belonging to retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand.
What's more, one of the payloads delivered via the backdoor is a remote access trojan dubbed QUIC RAT. The use of the C++ implant has been recorded against a lone victim: an educational institution located in Russia. \"This manner of deploying the backdoor to a small subset of infected machines clearly indicates that the attacker had intentions to conduct the infection in a targeted manner,\" Kaspersky said. \"However, their intent – whether it is cyberespionage or ‘big game hunting’ – is currently unclear.\"
QUIC RAT supports a variety of command-and-control (C2) protocols, including HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP\u002F3, and comes equipped with capabilities to inject payloads into legitimate \"notepad.exe\" and \"conhost.exe\" processes. The activity has not been attributed to any known threat actor or group, but evidence from an analysis of the observed artifacts points to it being the work of a Chinese-speaking adversary.
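The infection chain described above (a trojanized component beacons with an HTTP GET to env-check.daemontools[.]cc, receives a shell command, and that command fetches payloads) gives a SOC two cheap checks for the sweep Kaspersky recommends: is the installed build inside the compromised version range, and has any process on the host contacted the C2 domain or fetched a file carrying one of the reported payload names. The Python below is an added example written for this page, not code from Kaspersky or from the article. The version range, the three component names, the C2 domain and the payload names are taken from the report; the proxy log format, the hostnames, timestamps, the documentation address 198.51.100.23 and the URL paths are constructed for the example.

```python
# Added example, not code from the article or from Kaspersky: triage logic for the
# DAEMON Tools compromise using only indicators stated in the report. The log
# format and all hostnames, timestamps, addresses and paths below are constructed.

COMPROMISED_MIN = (12, 5, 0, 2421)  # inclusive, per Kaspersky
COMPROMISED_MAX = (12, 5, 0, 2434)  # inclusive, per Kaspersky
TAMPERED_BINARIES = {'dthelper.exe', 'discsoftbusservicelite.exe', 'dtshellhlp.exe'}
C2_DOMAIN = 'env-check.daemontools.cc'
PAYLOAD_NAMES = {'envchk.exe', 'cdg.exe', 'cdg.tmp'}


def parse_version(text):
    # '12.5.0.2421' -> (12, 5, 0, 2421). Comparing tuples of ints avoids the
    # string-comparison trap where '12.5.0.243' would sort inside 2421..2434.
    parts = text.strip().split('.')
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError('unexpected version format: ' + text)
    return tuple(int(p) for p in parts)


def is_compromised_version(text):
    return COMPROMISED_MIN <= parse_version(text) <= COMPROMISED_MAX


def url_host_and_file(url):
    # Split 'http://host:port/a/b/file.exe' into ('host', 'file.exe') without a regex.
    rest = url.split('://', 1)[-1]
    host, _, path = rest.partition('/')
    host = host.split(':', 1)[0].lower()
    filename = path.rsplit('/', 1)[-1].split('?', 1)[0].lower()
    return host, filename


def scan_proxy_line(line):
    # Assumed (constructed) proxy format: <utc time> <host> <process> <method> <url> <status>
    # Returns (host, reason) for a hit, or None for a benign line.
    fields = line.split()
    if len(fields) < 5:
        return None
    host, process, url = fields[1], fields[2].lower(), fields[4]
    dest, filename = url_host_and_file(url)
    if dest == C2_DOMAIN:
        if process in TAMPERED_BINARIES:
            return host, 'C2 beacon to ' + C2_DOMAIN + ' from trojanized ' + fields[2]
        return host, 'contact with C2 domain ' + C2_DOMAIN + ' by ' + fields[2]
    if filename in PAYLOAD_NAMES:
        return host, 'download of known payload name ' + filename + ' by ' + fields[2]
    return None


def triage(inventory, proxy_lines):
    # inventory: iterable of (host, installed DAEMON Tools version string).
    # Returns {host: [reasons]} for hosts to isolate and sweep; empty dict if clean.
    findings = {}
    for host, version in inventory:
        try:
            if is_compromised_version(version):
                findings.setdefault(host, []).append(
                    'DAEMON Tools ' + version + ' is in the compromised range')
        except ValueError:
            # An unparseable inventory row must not abort the sweep; record it instead.
            findings.setdefault(host, []).append('unparseable version: ' + version)
    for line in proxy_lines:
        hit = scan_proxy_line(line)
        if hit:
            findings.setdefault(hit[0], []).append(hit[1])
    return findings


SAMPLE_INVENTORY = [  # constructed rows
    ('WS-FIN-07', '12.5.0.2421'),  # first compromised build
    ('WS-ENG-12', '12.5.0.2434'),  # last compromised build
    ('WS-HR-03', '12.5.0.2419'),   # earlier build, outside the stated range
]

SAMPLE_PROXY = [  # constructed lines; 198.51.100.23 is a documentation address
    '2026-04-21T08:03:12Z WS-FIN-07 DTHelper.exe GET http://env-check.daemontools.cc/ 200',
    '2026-04-21T08:03:14Z WS-FIN-07 cmd.exe GET http://198.51.100.23/u/envchk.exe 200',
    '2026-04-21T09:15:00Z WS-HR-03 chrome.exe GET https://example.com/ 200',
    '2026-04-22T07:58:41Z WS-ENG-12 DiscSoftBusServiceLite.exe GET http://env-check.daemontools.cc/ 200',
]

if __name__ == '__main__':
    for host, reasons in sorted(triage(SAMPLE_INVENTORY, SAMPLE_PROXY).items()):
        print(host)
        for reason in reasons:
            print('  - ' + reason)
```

Version fields are compared as integers field by field, never as strings, so a shorter build number such as 243 is not ordered lexically between 2421 and 2434. Treat a hit on the version check alone as grounds to isolate and sweep: the backdoor reached only a dozen hosts, and a proxy log with no beacon does not prove the implant never ran, only that this log source did not see it.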
The DAEMON Tools compromise is the latest in a growing list of software supply chain incidents in the first half of 2026, and follows similar high-profile breaches involving eScan in January, Notepad++ in February, and CPUID in April. \"A compromise of this nature bypasses traditional perimeter defenses because users implicitly trust digitally signed software downloaded directly from an official vendor,\" Kucherin, senior security researcher at Kaspersky GReAT, said in a statement shared with The Hacker News. \"Because of that, the DAEMON Tools attack has gone unnoticed for about a month. This period of time, in turn, indicates that the threat actor behind this attack is sophisticated and has advanced offensive capabilities. Given the high complexity of the compromise, it is thus of paramount importance for organizations to isolate machines having Daemon Tools software installed, as well as to conduct security sweeps to prevent further spreading of malicious activities inside corporate networks.\"
Tags: cybersecurity, data breach, endpoint security, Malware, network security, Remote Access Trojan, software security, supply chain attack, Threat Intelligence","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002Fdaemon-tools-supply-chain-attack.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEghQDcWhFHnIEeEngbqyPFjkweCMgT7FoZRRZV0WYRuHg1cHip2O0lw2ahMc7jhJnzOCqqrLhzpM9w-O3eLpVdiCvI4C3-RD6XwqTkDxWdhzkS-W2BsbLy_SFwnjykdvvhuhjGnwPkFpOSJiapeWULhqx9er8hDH0sCCtoK51OrH4nSYqc_oAZwILcOi1A2\u002Fs1600\u002Fdaemon.jpg","2026-05-05T16:07:00+00:00","2026-05-05T18:00:16.992146+00:00",9,[18,21,24,26],{"name":19,"type":20},"DAEMON Tools","product",{"name":22,"type":23},"AVB Disc Soft","vendor",{"name":25,"type":23},"Kaspersky",{"name":27,"type":28},"Digital Code Signing","technology","26b0b636-0e31-4db1-bffb-61bdf9f20a58",{"id":29,"icon":31,"name":32,"slug":33},null,"Supply Chain","supply-chain",[35,40],{"category":36},{"id":37,"icon":31,"name":38,"slug":39},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":41},{"id":42,"icon":31,"name":43,"slug":44},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[46,50,53,56,59],{"type":47,"value":48,"context":49},"domain","env-check.daemontools.cc","C2 server for initial implant beaconing; registered March 27, 2026",{"type":39,"value":51,"context":52},"QUIC RAT","Remote access trojan delivered to educational institution victim in Russia",{"type":39,"value":54,"context":55},"envchk.exe",".NET executable payload for system information collection",{"type":39,"value":57,"context":58},"cdg.exe","Shellcode loader for decrypting and executing minimalist backdoor",{"type":39,"value":60,"context":61},"cdg.tmp","Encrypted shellcode payload decrypted and executed by cdg.exe"]