Full Report
A newly identified supply chain attack targeting DAEMON Tools software has compromised its installers to serve a malicious payload, according to findings from Kaspersky. "These installers are distributed from the legitimate website of DAEMON Tools and are signed with digital certificates belonging to DAEMON Tools developers," Kaspersky researchers Igor Kuznetsov, Georgy Kucherin, Leonid
Analysis Summary
# Incident Report: DAEMON Tools Supply Chain Attack
## Executive Summary
A sophisticated supply chain attack compromised the official DAEMON Tools distribution infrastructure, resulting in the delivery of trojanized installers (versions 12.5.0.2421 to 12.5.0.2434). The attackers utilized legitimate digital certificates and the official website to distribute a multi-stage backdoor, eventually deploying the "QUIC RAT" to highly targeted victims. The campaign, attributed with some confidence to a Chinese-speaking adversary, impacted thousands of users globally while focusing deep exploitation on a select few government and industrial entities.
## Incident Details
- **Discovery Date:** May 2026
- **Incident Date:** April 8, 2026 – Ongoing (at time of report)
- **Affected Organization:** AVB Disc Soft (DAEMON Tools)
- **Sector:** Software Development / Utilities
- **Geography:** Global (100+ countries); Targeted victims in Russia, Belarus, Thailand.
## Timeline of Events
### Initial Access
- **Date/Time:** March 27, 2026 (Domain Registration); April 8, 2026 (First Malicious Installer)
- **Vector:** Supply Chain Compromise
- **Details:** Threat actors compromised the build or distribution environment of DAEMON Tools. They modified legitimate binaries (`DTHelper.exe`, `DiscSoftBusServiceLite.exe`, `DTShellHlp.exe`) and signed them with the developer’s valid digital certificate.
### Lateral Movement
- **Details:** After initial infection, the "minimalist backdoor" was used to deploy follow-on payloads. Specifically, "QUIC RAT" was observed being deployed to move deeper into targeted environments, such as a Russian educational institution.
### Data Exfiltration/Impact
- **Details:** System reconnaissance via `envchk.exe` collected extensive host information. The ultimate impact remains under investigation but involves potential cyberespionage against retail, scientific, government, and manufacturing sectors.
### Detection & Response
- **How it was discovered:** Kaspersky researchers identified anomalies in DAEMON Tools binaries via telemetry.
- **Response actions taken:** Developer (AVB Disc Soft) was notified; public disclosure by Kaspersky to warn users and organizations.
## Attack Methodology
- **Initial Access:** Compromise of legitimate software update/distribution channel.
- **Persistence:** Trojanized services (`DTHelper.exe`) run automatically at system startup.
- **Privilege Escalation:** Not explicitly detailed, but likely inherited from the installer’s administrative rights.
- **Defense Evasion:** Valid digital signatures; injection of payloads into legitimate processes like `notepad.exe` and `conhost.exe`.
- **Credential Access:** Not specified in initial findings.
- **Discovery:** Use of `envchk.exe` for extensive system information gathering.
- **Lateral Movement:** Deployment of QUIC RAT via a multi-stage downloader.
- **Collection:** System metadata and potentially sensitive files via backdoor commands.
- **Exfiltration:** Use of various C2 protocols (QUIC, HTTP/3, DNS, WSS) to bypass network filters.
- **Impact:** System compromise and potential long-term espionage/data theft.
## Impact Assessment
- **Financial:** Unknown; potential for high costs associated with cleanup and "big game hunting."
- **Data Breach:** System metadata gathered from thousands; deep access to sensitive organizations.
- **Operational:** Software update mechanism compromised, requiring a full rebuild of the distribution pipeline.
- **Reputational:** Significant damage to DAEMON Tools as a "trusted" software provider.
## Indicators of Compromise
- **Network indicators:**
  - `env-check.daemontools[.]cc`
- **File indicators:**
  - `DTHelper.exe` (Trojanized)
  - `envchk.exe` (Reconnaissance tool)
  - `cdg.exe` / `cdg.tmp` (Shellcode loader/Backdoor)
- **Behavioral indicators:**
  - Legitimate DAEMON Tools processes spawning `cmd.exe` to execute external shell commands.
  - Unexpected QUIC or HTTP/3 traffic from utility software.
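The two behavioral indicators above and the affected version range can be turned into a simple hunt over endpoint telemetry. The following is an added example written for this report, not code from Kaspersky or from the DAEMON Tools vendor; it assumes Sysmon-shaped process-creation (EventID 1) and network-connection (EventID 3) records, and approximates QUIC/HTTP/3 as outbound UDP to port 443.

```python
"""Hunt constructed Sysmon-style events for the behaviours listed above."""
import ntpath
from typing import Optional

# Binaries the report names as trojanized (matched case-insensitively by basename).
TROJANIZED_PARENTS = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
SHELLS = {"cmd.exe"}  # the report names cmd.exe; extend as needed
AFFECTED_RANGE = ((12, 5, 0, 2421), (12, 5, 0, 2434))


def is_affected_version(version: str) -> bool:
    """True for DAEMON Tools builds 12.5.0.2421 through 12.5.0.2434 inclusive."""
    parts = tuple(int(p) for p in version.split("."))
    return AFFECTED_RANGE[0] <= parts <= AFFECTED_RANGE[1]


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def classify(event: dict) -> Optional[str]:
    """Return a finding label for one event, or None if it looks benign."""
    if event["EventID"] == 1:
        if _base(event["ParentImage"]) in TROJANIZED_PARENTS and _base(event["Image"]) in SHELLS:
            return "daemon-tools-process-spawned-shell"
    elif event["EventID"] == 3:
        # Assumption: QUIC/HTTP/3 is approximated as UDP to port 443.
        if (_base(event["Image"]) in TROJANIZED_PARENTS
                and event["Protocol"].lower() == "udp"
                and int(event["DestinationPort"]) == 443):
            return "daemon-tools-udp443-possible-quic"
    return None


def hunt(events: list) -> list:
    """Return (event index, label) pairs for every event that matches."""
    return [(i, lbl) for i, e in enumerate(events) if (lbl := classify(e))]


# Constructed sample telemetry; paths and ports are illustrative only.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\DAEMON Tools Lite\DTShellHlp.exe",
     "Protocol": "udp", "DestinationPort": "443"},
    {"EventID": 3, "Image": r"C:\Program Files\DAEMON Tools Lite\DTShellHlp.exe",
     "Protocol": "tcp", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for idx, label in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```

The UDP/443 rule will also fire on legitimate QUIC clients, so scope it to the binaries listed rather than applying it fleet-wide.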
## Response Actions
- **Containment:** Advised isolation of all machines running affected versions of DAEMON Tools.
- **Eradication:** Notification of the vendor to revoke compromised certificates and clean update servers.
- **Recovery:** Users must uninstall compromised versions and perform full system scans.
## Lessons Learned
- **Key takeaways:** Valid digital signatures are no longer a guarantee of safety; supply chains remain the most effective "blind spot" for bypassing perimeter security.
- **What could have been done better:** Improved integrity monitoring on the vendor's build server could have detected the unauthorized modification of binaries before they were signed and distributed.
## Recommendations
- **Vendor:** Implement Multi-Factor Authentication (MFA) and strict access controls for build environments and signing keys.
- **Organizations:** Utilize EDR/XDR to monitor for "Living off the Land" techniques (e.g., installers spawning shells) and implement application whitelisting with strict version controls.
- **General:** Verify the integrity of downloaded software against known-good hashes from independent sources when possible.