DAEMON Tools installers trojanized in supply-chain breach
Official DAEMON Tools installers were trojanized from April 8, 2026; signed packages contacted env-check.daemontools[.]cc to fetch commands that installed backdoors.
Kaspersky researchers found that official DAEMON Tools installers hosted on the vendor’s site were trojanized beginning April 8, 2026. The compromised installer packages were digitally signed with developer certificates and include versions 12.5.0.2421 through 12.5.0.2434.
Three program components were altered: DTHelper.exe, DiscSoftBusServiceLite.exe and DTShellHlp.exe. Each compromised binary launches an implant when it runs, which typically happens at system startup. The implant issues an HTTP GET request to env-check.daemontools[.]cc, a domain Kaspersky records as registered on March 27, 2026, and executes commands through cmd.exe to download and run additional files.
Files retrieved by the implant include envchk.exe, a .NET tool that gathers detailed system information, and two files named cdg.exe and cdg.tmp. Analysis shows cdg.exe acts as a shellcode loader that decrypts cdg.tmp and starts a small backdoor. That backdoor can retrieve files from remote servers, execute shell commands and load shellcode into memory.
Kaspersky observed the attackers delivering a remote access trojan known as QUIC RAT to a subset of victims. A separate C++ implant was recorded at a single educational institution in Russia. The malware family supports multiple command-and-control protocols, including HTTP, UDP, TCP, WSS, QUIC, DNS and HTTP/3, and includes routines to inject payloads into legitimate processes such as notepad.exe and conhost.exe.
Telemetry from Kaspersky showed several thousand installation attempts across more than 100 countries, with activity observed in Russia, Brazil, Turkey, Spain, Germany, France, Italy and China. Despite broad distribution of the tampered installers, the second-stage backdoor was pushed to approximately a dozen hosts. Those systems are linked to organizations in retail, scientific research, government and manufacturing in Russia, Belarus and Thailand.
The activity has not been publicly attributed to any known threat actor. Kaspersky reported artifacts consistent with a Chinese-speaking operator but stated the attackers’ objectives remain unclear. AVB Disc Soft, the developer of DAEMON Tools, has been notified of the breach.
Kaspersky recommended isolating machines with DAEMON Tools installed and conducting security sweeps to prevent lateral spread within corporate networks. The incident adds to several software supply-chain compromises reported in the first half of 2026.
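A defender-side triage script built from the indicators the report names: the trojanized version range, the three altered components spawning cmd.exe, the callback domain, and the second-stage file names. This is an added example, not code from Kaspersky or AVB Disc Soft; the software inventory, proxy-log and process-log formats are constructed for illustration, and the domain is written un-defanged so it matches real log entries.

```python
"""Triage helper for the DAEMON Tools supply-chain compromise.

Added example, not vendor or Kaspersky code. It matches only indicators the
report names: versions 12.5.0.2421-12.5.0.2434, the altered components
spawning cmd.exe, the env-check.daemontools[.]cc callback, and the
second-stage files envchk.exe, cdg.exe and cdg.tmp. Log formats are constructed.
"""
import re

CALLBACK_DOMAIN = "env-check.daemontools.cc"   # defanged as [.] in the report
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)
TROJANIZED_COMPONENTS = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
STAGE2_FILES = {"envchk.exe", "cdg.exe", "cdg.tmp"}


def version_is_affected(version):
    """True if a dotted 4-part version lies inside the trojanized range (inclusive)."""
    try:
        parts = tuple(int(p) for p in version.strip().split("."))
    except ValueError:
        return False
    return len(parts) == 4 and AFFECTED_MIN <= parts <= AFFECTED_MAX


def basename(path):
    """Case-folded file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


# Constructed proxy log: "<iso-ts> <client-host> <method> <http-host> <path> <status>"
PROXY_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\S+) (\d{3})$")


def proxy_hits(lines):
    """Clients that contacted the callback domain, with the request observed."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue
        ts, client, method, host, path, _status = m.groups()
        if host.lower() == CALLBACK_DOMAIN:
            hits.append({"host": client, "ts": ts, "why": f"{method} {host}{path}"})
    return hits


def process_hits(lines):
    """Process-creation events matching the implant chain.
    Constructed tab-separated format: ts, hostname, parent image, child image."""
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4:
            continue
        ts, host, parent, child = fields
        p, c = basename(parent), basename(child)
        if c in STAGE2_FILES:
            hits.append({"host": host, "ts": ts, "why": f"second-stage file executed: {c}"})
        elif p in TROJANIZED_COMPONENTS and c == "cmd.exe":
            hits.append({"host": host, "ts": ts, "why": f"{p} spawned cmd.exe"})
    return hits


def triage(inventory, proxy_log, proc_log):
    """Return {hostname: [reasons]} for hosts to isolate, sorted by name.
    Reasons show whether a host merely carries the tampered build or also
    shows runtime indicators of the second stage."""
    reasons = {}
    for host, ver in inventory.items():
        if version_is_affected(ver):
            reasons.setdefault(host, []).append(f"DAEMON Tools {ver} in trojanized range")
    for hit in proxy_hits(proxy_log) + process_hits(proc_log):
        reasons.setdefault(hit["host"], []).append(f'{hit["ts"]}: {hit["why"]}')
    return dict(sorted(reasons.items()))


# Constructed sample data (hostnames, versions and timestamps are illustrative).
SAMPLE_INVENTORY = {
    "ws-0192": "12.5.0.2427",   # inside the affected range
    "ws-0204": "12.5.0.2434",   # upper bound, still affected
    "ws-0311": "12.5.0.2418",   # older build, outside the reported range
    "srv-lab1": "12.5.0.2421",  # lower bound, affected
}
SAMPLE_PROXY_LOG = [
    "2026-04-10T08:01:05Z ws-0192 GET env-check.daemontools.cc /check 200",
    "2026-04-10T08:01:09Z ws-0311 GET update.example.invalid /feed 304",
    "2026-04-11T14:22:41Z srv-lab1 GET ENV-CHECK.daemontools.cc /check 200",
]
SAMPLE_PROC_LOG = [
    "\t".join(["2026-04-10T08:01:02Z", "ws-0192",
               r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe",
               r"C:\Windows\System32\cmd.exe"]),
    "\t".join(["2026-04-11T14:23:10Z", "srv-lab1",
               r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\cdg.exe"]),
    "\t".join(["2026-04-11T09:00:00Z", "ws-0311",
               r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe"]),
]

if __name__ == "__main__":
    for host, why in triage(SAMPLE_INVENTORY, SAMPLE_PROXY_LOG, SAMPLE_PROC_LOG).items():
        print(host)
        for r in why:
            print("   ", r)
```

The version check flags every host that carries a tampered build, which the report says is the broad population; the proxy and process checks single out the small subset that actually reached the callback domain or executed the second stage, which is where isolation and a forensic sweep matter most.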



