DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware
Official DAEMON Tools installers for Windows have been compromised to distribute malware, allowing attackers to maintain a persistent, targeted backdoor on select victim systems.

Official installers for DAEMON Tools have been compromised in a supply chain attack that delivered trojanized builds to users worldwide. Researchers at Kaspersky found that the attackers tampered with legitimate installers while leaving them digitally signed by the software's developer, AVB Disc Soft, so the signature check that users and endpoint tools rely on still passes (The Hacker News). The compromise affects Windows versions 12.5.0.2421 through 12.5.0.2434 and has been active since April 8, 2026.
The attackers modified three DAEMON Tools components: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. When these binaries run, typically at system startup, the embedded implant sends an HTTP GET request to the attacker-controlled domain env-check.daemontools[.]cc and receives shell commands in return. Those commands download and execute second-stage payloads: envchk.exe, a .NET system information collector, and cdg.exe, a shellcode loader that deploys a minimalist backdoor (The Hacker News).
The initial infection has reached thousands of systems in more than 100 countries, but the attackers have been selective in their follow-on activity. Only about a dozen hosts received the full backdoor, which can execute shell commands, download additional files, and inject payloads into legitimate processes such as notepad.exe and conhost.exe. Among the payloads delivered this way is a remote access trojan (RAT) called QUIC RAT, observed on a host at an educational institution in Russia (The Hacker News).
The narrow targeting of the second stage points to a deliberate strategy, though the ultimate objective, espionage or large-scale extortion, remains unclear. The RAT is flexible in its transport, supporting several command-and-control (C2) protocols, including HTTP/3, QUIC, WSS, and DNS, which leaves it alternatives when one channel is blocked. Kaspersky's researchers noted that artifacts from the campaign point to a Chinese-speaking adversary (The Hacker News).
AVB Disc Soft has been notified of the breach. Because the tampered binaries carry a valid vendor signature, code-signing checks alone will not flag them; users and administrators should confirm that their installed version falls outside 12.5.0.2421 through 12.5.0.2434, and look for connections to env-check.daemontools[.]cc and for the envchk.exe and cdg.exe payloads on their systems. This incident follows a series of similar supply chain compromises in early 2026, including attacks on eScan, Notepad++, and CPUID. It underscores the persistent risk of compromised software distribution channels: implicit trust in vendor-signed updates lets attackers maintain access for extended periods without detection (The Hacker News).
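The two preceding paragraphs give a defender enough to triage a fleet: an affected version range, a C2 domain, two second-stage payload names, and the three modified components that fetch shell commands. The script below is an added example written for this page, not code from the article, Kaspersky, or AVB Disc Soft. It checks whether a DAEMON Tools version string falls inside the affected range and runs simple matching over constructed log lines. The key=value log format is an assumption, as are three of the rules: that the implant runs its fetched commands through cmd.exe or powershell.exe, that the whole daemontools.cc zone (not only the env-check host the article names) is suspect, and that a stage-2 payload launching notepad.exe or conhost.exe is worth flagging as a likely injection host.

```python
"""Triage helpers for the DAEMON Tools supply chain compromise.

Added example, not code from the article or from Kaspersky. The log lines in
SAMPLE_LOG are constructed; their 'type=... key=value' format is an assumption.
"""

# Affected version range from the article (inclusive on both ends).
AFFECTED_LOW = (12, 5, 0, 2421)
AFFECTED_HIGH = (12, 5, 0, 2434)

# C2 host from the article (written env-check.daemontools[.]cc there).
C2_DOMAIN = "env-check.daemontools.cc"
# Assumption: treat any host in the same zone as suspect, not only env-check.
C2_PARENT = "daemontools.cc"

# The three components the attackers modified, and the stage-2 payload names.
MODIFIED_COMPONENTS = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
STAGE2_PAYLOADS = {"envchk.exe", "cdg.exe"}
# Assumption: the fetched "shell commands" run through one of these interpreters.
SHELLS = {"cmd.exe", "powershell.exe"}
# Processes the article names as injection targets of the backdoor.
INJECTION_TARGETS = {"notepad.exe", "conhost.exe"}


def parse_version(s):
    """'12.5.0.2421' -> (12, 5, 0, 2421); rejects anything that is not 4 ints."""
    parts = tuple(int(p) for p in s.strip().split("."))
    if len(parts) != 4:
        raise ValueError("expected a four-part version, got %r" % s)
    return parts


def is_affected_version(s):
    """True if the installed DAEMON Tools version is inside the affected range."""
    return AFFECTED_LOW <= parse_version(s) <= AFFECTED_HIGH


def c2_match(hostname):
    """Exact match on the C2 host, or (assumption) any host under daemontools.cc.
    A lookalike such as 'www.daemon-tools.cc' must NOT match."""
    n = hostname.lower().rstrip(".")
    return n == C2_DOMAIN or n == C2_PARENT or n.endswith("." + C2_PARENT)


def parse_line(line):
    """Parse one constructed 'key=value key=value' log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def triage(lines):
    """Return (host, category, reason) findings for every suspicious log line."""
    findings = []
    for raw in lines:
        rec = parse_line(raw)
        host, kind = rec.get("host", "?"), rec.get("type")
        if kind == "dns" and c2_match(rec.get("query", "")):
            findings.append((host, "dns", "lookup of C2 zone " + rec["query"]))
        elif kind == "http" and rec.get("method") == "GET" and c2_match(rec.get("dest", "")):
            findings.append((host, "http", "GET to C2 " + rec["dest"]))
        elif kind == "process":
            image = rec.get("image", "").lower()
            parent = rec.get("parent", "").lower()
            if image in STAGE2_PAYLOADS:
                findings.append((host, "process", "stage-2 payload " + image))
            elif parent in MODIFIED_COMPONENTS and image in SHELLS:
                # Assumption: the implant runs fetched commands via a shell.
                findings.append((host, "process", parent + " spawned " + image))
            elif parent in STAGE2_PAYLOADS and image in INJECTION_TARGETS:
                # Assumption: the backdoor launches its injection host itself.
                findings.append((host, "process", parent + " launched " + image))
    return findings


def summarize(findings):
    """Count findings per host so the dozen fully backdoored machines stand out."""
    counts = {}
    for host, _, _ in findings:
        counts[host] = counts.get(host, 0) + 1
    return counts


# Constructed sample telemetry: WS-17 shows the full chain, WS-22 is benign
# (a legitimate launch of a modified-but-signed component and a lookalike domain).
SAMPLE_LOG = """\
type=dns host=WS-17 query=env-check.daemontools.cc
type=http host=WS-17 method=GET dest=env-check.daemontools.cc
type=process host=WS-17 parent=DTHelper.exe image=cmd.exe
type=process host=WS-17 parent=cmd.exe image=envchk.exe
type=process host=WS-22 parent=explorer.exe image=DTShellHlp.exe
type=process host=WS-22 parent=explorer.exe image=notepad.exe
type=dns host=WS-22 query=www.daemon-tools.cc
""".splitlines()

if __name__ == "__main__":
    for v in ("12.5.0.2420", "12.5.0.2421", "12.5.0.2434", "12.5.0.2435"):
        print(v, "affected" if is_affected_version(v) else "not affected")
    for f in triage(SAMPLE_LOG):
        print(f)
    print(summarize(triage(SAMPLE_LOG)))
```

Note that a process event for DTShellHlp.exe on its own is not a finding: the modified components are validly signed and run on every DAEMON Tools install in the affected range, so the signal is what they do next (a shell child, a C2 lookup, a stage-2 payload), not their mere presence.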