A sophisticated supply chain attack has compromised installers of the popular DAEMON Tools software, giving the attackers a trusted channel for delivering malicious payloads to its users. Security researchers at Kaspersky report that the trojanized installers, served directly from the official DAEMON Tools website and carrying a valid digital signature, have been in circulation since April 8, 2026. The incident is the latest in a run of software supply chain attacks that has made the technique one of the defining security concerns of 2026.
The compromised builds are DAEMON Tools versions 12.5.0.2421 through 12.5.0.2434. According to Kaspersky, three components within the software, DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe, were tampered with. All three are normally launched at system startup, so the implant runs on every boot of an infected host without needing a persistence mechanism of its own.
DAEMON Tools Supply Chain Attack Unveiled
Once running, the implant sends an HTTP GET request to an attacker-controlled server at “env-check.daemontools[.]cc”, a domain registered on March 27, 2026, less than two weeks before the first trojanized build appeared. The response carries shell commands, which the implant executes through “cmd.exe”. Those commands in turn download and launch a series of further malicious executables.
The subsequent payloads include “envchk.exe”, a .NET executable that collects extensive information about the compromised system, and the pair “cdg.exe” and “cdg.tmp”. “cdg.exe” is a shellcode loader: it decrypts the contents of “cdg.tmp” and launches a minimal backdoor, which then connects to a remote server from which it can download files, execute shell commands, and run shellcode payloads directly in memory.
Kaspersky’s telemetry recorded tens of thousands of infection attempts involving DAEMON Tools across more than 100 countries, affecting both individuals and organizations. The follow-on backdoor, however, reached only around a dozen hosts. That gap points to a deliberately targeted operation: the trojanized installer cast a wide net, but the attackers chose which victims received the final-stage backdoor.
Targeted Operations and Advanced Capabilities
The systems that received the follow-on malware were identified as belonging to organizations in the retail, scientific, government, and manufacturing sectors. These targeted entities were located in Russia, Belarus, and Thailand. Notably, one of the payloads delivered via the backdoor was a remote access trojan (RAT) known as QUIC RAT. This C++ implant was deployed against a single victim, an educational institution in Russia.
“This manner of deploying the backdoor to a small subset of infected machines clearly indicates that the attacker had intentions to conduct the infection in a targeted manner,” Kaspersky researchers stated. While the exact motive – whether it be cyberespionage or large-scale financial targeting (“big game hunting”) – remains unclear, the sophistication of the operation is evident.
The malware exhibits advanced capabilities, supporting a wide array of command-and-control (C2) protocols, including HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3. Furthermore, it possesses the ability to inject payloads into legitimate system processes such as “notepad.exe” and “conhost.exe,” making its detection more challenging.
While the attack has not been officially attributed to any known threat actor or group, analysis of the observed artifacts suggests a connection to Chinese-speaking adversaries. The complexity and stealth employed in this DAEMON Tools compromise indicate a highly skilled adversary.
The DAEMON Tools incident follows a series of other significant software supply chain attacks observed in early 2026, including breaches affecting eScan in January, Notepad++ in February, and CPUID in April. These incidents underscore a persistent trend where attackers exploit the inherent trust users place in legitimate software distributions.
“A compromise of this nature bypasses traditional perimeter defenses because users implicitly trust digitally signed software downloaded directly from an official vendor,” stated Georgy Kucherin, senior security researcher at Kaspersky GReAT. The fact that the DAEMON Tools attack went unnoticed for approximately a month further highlights the attacker’s advanced capabilities. Organizations are advised to isolate systems running an affected build (12.5.0.2421 through 12.5.0.2434) and to sweep their networks for the indicators described above: the three tampered components spawning cmd.exe, DNS or HTTP traffic to env-check.daemontools[.]cc, and unexpected network activity from notepad.exe or conhost.exe.
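The following script turns the indicators given in this article (the affected version range, the three tampered components spawning cmd.exe, the staging domain, and the injection targets notepad.exe and conhost.exe) into an offline triage pass over exported endpoint telemetry. It is an added example written for this page, not code from Kaspersky or from the DAEMON Tools project. The event record shape, the hostnames, the install path, the IP addresses and the inventory are all constructed for the example; the version range is treated as inclusive, which the report does not state explicitly; and the notepad.exe/conhost.exe network check is a heuristic, since neither process needs the network in normal use.

```python
"""Offline triage for the DAEMON Tools supply-chain compromise.

Added example for this article, not Kaspersky's or DAEMON Tools' code.
Indicators applied: installed build inside 12.5.0.2421-12.5.0.2434
(assumed inclusive), a tampered component spawning cmd.exe, a lookup of
env-check.daemontools[.]cc, and (heuristic) outbound connections from
notepad.exe / conhost.exe. All sample data below is constructed.
"""
from typing import Iterable

AFFECTED_LOW = (12, 5, 0, 2421)
AFFECTED_HIGH = (12, 5, 0, 2434)      # assumed inclusive
TAMPERED = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
STAGING_DOMAIN = "env-check.daemontools.cc"
INJECTION_TARGETS = {"notepad.exe", "conhost.exe"}


def parse_version(text: str) -> tuple:
    """'12.5.0.2430' -> (12, 5, 0, 2430). Compare as integers: as strings,
    '12.5.0.999' would sort above '12.5.0.2430' and escape the range."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)


def version_affected(text: str) -> bool:
    return AFFECTED_LOW <= parse_version(text) <= AFFECTED_HIGH


def affected_hosts(inventory: dict) -> list:
    """inventory maps hostname -> installed DAEMON Tools version string."""
    return sorted(h for h, v in inventory.items() if version_affected(v))


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events: Iterable[dict]) -> list:
    """Return (indicator, host, detail) tuples for events matching the IOCs."""
    findings = []
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            parent, child = basename(ev["parent_image"]), basename(ev["image"])
            if parent in TAMPERED and child == "cmd.exe":
                findings.append(("tampered_component_spawned_cmd", host,
                                 f"{parent} -> cmd.exe: {ev['command_line']}"))
        elif ev["type"] == "dns":
            if ev["query"].lower().rstrip(".") == STAGING_DOMAIN:
                findings.append(("staging_domain_lookup", host,
                                 f"{basename(ev['image'])} resolved {STAGING_DOMAIN}"))
        elif ev["type"] == "network":
            image = basename(ev["image"])
            if image in INJECTION_TARGETS:   # heuristic: these never need the network
                findings.append(("injection_target_network", host,
                                 f"{image} -> {ev['dest']}"))
    return findings


def isolation_list(inventory: dict, events: Iterable[dict]) -> dict:
    """Tier hosts: 'isolate' when an affected build also shows behaviour,
    'patch' when only the build is affected, 'investigate' when only behaviour."""
    behaviour = {f[1] for f in triage(events)}
    vulnerable = set(affected_hosts(inventory))
    tiers = {}
    for h in vulnerable | behaviour:
        if h in vulnerable and h in behaviour:
            tiers[h] = "isolate"
        elif h in vulnerable:
            tiers[h] = "patch"
        else:
            tiers[h] = "investigate"
    return tiers


# Constructed sample data; install path, hosts and addresses are illustrative.
DT_DIR = r"C:\Program Files\DAEMON Tools Lite"   # assumed install location
SAMPLE_INVENTORY = {"ws-101": "12.5.0.2430", "ws-102": "12.5.0.2420",
                    "ws-103": "12.5.0.2434", "ws-104": "12.5.1.2440"}
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-101", "parent_image": DT_DIR + r"\DTHelper.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c <constructed>"},
    {"type": "process", "host": "ws-102", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe"},
    {"type": "dns", "host": "ws-101", "image": DT_DIR + r"\DTHelper.exe",
     "query": "env-check.daemontools.cc."},
    {"type": "dns", "host": "ws-103", "image": r"C:\Program Files\Firefox\firefox.exe",
     "query": "updates.example.net"},
    {"type": "network", "host": "ws-101", "image": r"C:\Windows\System32\notepad.exe",
     "dest": "203.0.113.7:443"},
    {"type": "network", "host": "ws-104", "image": r"C:\Windows\System32\conhost.exe",
     "dest": "198.51.100.9:443"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
    print(isolation_list(SAMPLE_INVENTORY, SAMPLE_EVENTS))
```

On the sample data, ws-101 is tiered "isolate" (affected build plus all three behavioural indicators), ws-103 "patch" (affected build, no behaviour seen), and ws-104 "investigate" (a conhost.exe connection on a build outside the range, which deserves a look but is not by itself proof of compromise). Feeding real exports means mapping your EDR or Sysmon fields onto the `type`, `host`, `image`, `parent_image`, `command_line`, `query` and `dest` keys; the staging domain is the only network indicator the article gives, so the final-stage backdoor's own C2 must still be hunted from the tiered hosts.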
The ongoing investigation will likely focus on identifying the full scope of the targeted operations and the ultimate objectives of the attackers. Until these details emerge, organizations worldwide will need to remain vigilant and implement robust security measures to mitigate the risks associated with supply chain vulnerabilities. The lack of definitive attribution leaves open questions about the evolving tactics and motivations of advanced persistent threats operating in the global cybersecurity arena.

