DAEMON Tools Supply Chain Attack Infects Official Installers with Malware

Targeted Supply Chain Attack on DAEMON Tools Software Discovered

A recent investigation by Kaspersky has revealed a sophisticated supply chain attack targeting DAEMON Tools software. The attackers tampered with the software’s installers, which are distributed through the official DAEMON Tools website and are signed with the developers’ valid digital certificates. The compromised installers cover versions 12.5.0.2421 to 12.5.0.2434 and have been in circulation since April 8, 2026. Only the Windows version has been affected, as confirmed by Kaspersky.

The malware embedded within the installers activates when users launch specific DAEMON Tools components, which are typically started at system boot. The malware sends an HTTP GET request to an external server, which prompts the execution of shell commands. The server in question, registered under the domain “env-check.daemontools[.]cc,” was created shortly before the attack began. Thousands of infection attempts have already been recorded across more than 100 countries, including Europe, South America, and Asia.

Kaspersky’s findings indicate that three components of DAEMON Tools were altered: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. Once these binaries run, they download and execute several further executable payloads. These include envchk.exe, which collects comprehensive system data, and cdg.exe, a shellcode loader that decrypts additional files and connects to remote servers to fetch further malicious content.
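The indicators above (the trojanized component names, the follow-on payload names, and the command-and-control domain) are what a defender would first sweep endpoint telemetry for. The following is an added example, not code from Kaspersky, AVB Disc Soft, or the original article: a small triage routine that runs over constructed, pipe-delimited process/network records (a hypothetical format; real EDR or proxy exports will differ) and lists hosts that contacted the reported domain or ran a reported payload. The domain is written defanged on the page and is normalised here for matching.

```python
from dataclasses import dataclass

# Indicators as reported on the page; the domain appears there defanged as
# env-check.daemontools[.]cc and is written in matchable form here.
C2_DOMAIN = "env-check.daemontools.cc"
TROJANIZED_COMPONENTS = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
FOLLOW_ON_PAYLOADS = {"envchk.exe", "cdg.exe"}


@dataclass
class Finding:
    host: str
    severity: str   # "high" (isolate) or "review" (verify installed version)
    reason: str
    record: str


# Constructed sample telemetry in a hypothetical format: host|process|destination|method|path
SAMPLE_LOG = """\
ws-0142|DTHelper.exe|env-check.daemontools.cc|GET|/
ws-0142|DTShellHlp.exe|update.example.net|GET|/check
ws-0177|DiscSoftBusServiceLite.exe|env-check.daemontools.cc.|GET|/
ws-0205|chrome.exe|www.example.org|GET|/index.html
ws-0177|cdg.exe|203.0.113.10|POST|/upload
ws-0300|svchost.exe|ENV-CHECK.DAEMONTOOLS.CC|GET|/
malformed line without delimiters
"""


def parse_record(line: str):
    """Split one telemetry line; return None for lines that do not fit the format."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    host, process, dest, method, path = parts
    # Case-fold and drop a trailing dot so "Env-Check.DaemonTools.CC." still matches.
    return host, process.lower(), dest.lower().rstrip("."), method.upper(), path


def triage(log_text: str) -> list:
    """Return one Finding per record that matches a reported indicator."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        host, process, dest, method, path = rec
        if dest == C2_DOMAIN:
            findings.append(Finding(host, "high",
                                    f"contact with reported C2 domain by {process}", line))
        elif process in FOLLOW_ON_PAYLOADS:
            findings.append(Finding(host, "high",
                                    f"reported follow-on payload {process} made a network request", line))
        elif process in TROJANIZED_COMPONENTS and method == "GET":
            # Clean builds of these components may also make requests, so this
            # only asks for the installed version to be checked, not for isolation.
            findings.append(Finding(host, "review",
                                    f"component {process} named in the report made an outbound GET; verify installed version", line))
    return findings


def hosts_to_isolate(log_text: str) -> list:
    """Hosts with at least one high-severity finding, following the advice to isolate affected machines."""
    return sorted({f.host for f in triage(log_text) if f.severity == "high"})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.host}: {f.reason}")
    print("isolate:", hosts_to_isolate(SAMPLE_LOG))
```

The "review" tier exists because the altered binaries are legitimate DAEMON Tools components: an outbound request from DTHelper.exe alone does not prove compromise, whereas contact with the reported domain or execution of envchk.exe or cdg.exe does warrant isolating the host.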

The targeted nature of this attack is evident: the follow-on malware has been detected on only a limited number of hosts, in sectors including retail, science, and government, across Russia, Belarus, and Thailand. The follow-on tooling includes QUIC RAT, a remote access trojan observed in use against an educational institution in Russia. This selectivity suggests a deliberate strategy by the attackers, most likely motivated by cyberespionage.

This incident reflects a growing trend in software supply chain attacks reported in 2026, aligning with other significant breaches involving eScan, Notepad++, and CPUID earlier in the same year. The covert deployment of such malware—especially when distributed through digitally signed software—exploits the inherent trust users place in official products, making detection challenging.

Kaspersky’s researchers have highlighted how such compromises can bypass traditional security measures. They advise organizations to isolate any machines running the compromised DAEMON Tools software and to conduct thorough security audits to prevent further systemic risks. When contacted for comment, AVB Disc Soft, the software’s developer, acknowledged the report and confirmed they are investigating the issue.

AVB Disc Soft has since released version 12.6.0.2445, which removes the malicious components. The company stated that the breach was confined to the Lite edition of the software and that other products, including DAEMON Tools Pro and Ultra, were not affected. It urged users to uninstall the affected version and run scans with trusted antivirus solutions.
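Deciding which installs to uninstall comes down to comparing the installed edition and version against the range the vendor and Kaspersky reported. This is an added example, not the vendor's tooling: it classifies constructed inventory rows (hypothetical hostnames and versions) against the affected range 12.5.0.2421 to 12.5.0.2434 and the remediated build 12.6.0.2445, treating only the Lite edition as in scope per the vendor statement. It also guards against the common mistake of comparing version strings lexicographically.

```python
# Version numbers and edition scope as reported on the page.
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)
FIXED_VERSION = (12, 6, 0, 2445)
IN_SCOPE_EDITION = "lite"   # vendor states only the Lite edition was affected


def parse_version(text: str) -> tuple:
    """Turn 'a.b.c.d' into a tuple of ints so comparison is numeric, not lexicographic."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify_install(edition: str, version_text: str) -> str:
    """Classify one installed copy relative to the reported range and the fixed build."""
    v = parse_version(version_text)
    if edition.strip().lower() != IN_SCOPE_EDITION:
        return "vendor_reports_unaffected"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "compromised_range"        # uninstall and scan, per vendor advice
    if v >= FIXED_VERSION:
        return "remediated_build"
    return "outside_reported_range_pre_fix"   # not in the reported range, but older than the fix


# Constructed inventory rows (hypothetical): hostname, edition, version string
SAMPLE_INVENTORY = [
    ("ws-0142", "Lite", "12.5.0.2421"),
    ("ws-0177", "Lite", "12.5.0.2434"),
    ("ws-0205", "Lite", "12.6.0.2445"),
    ("ws-0300", "Pro", "12.5.0.2430"),
    ("ws-0311", "Lite", "12.5.0.2410"),
]


def inventory_report(rows) -> dict:
    """Map each hostname to its classification."""
    return {host: classify_install(edition, version) for host, edition, version in rows}


if __name__ == "__main__":
    for host, status in inventory_report(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The numeric tuple comparison matters: as plain strings, "12.5.0.999" sorts after "12.5.0.2434" because "9" is greater than "2", which would wrongly place a lower build above the end of the affected range.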

In summary, this incident underscores the need for proactive security measures within organizations, particularly against supply chain compromises. The attack chain, which spans initial access through a trusted installer, persistence via components launched at startup, and staged follow-on payloads, reflects an advanced level of threat sophistication and merits vigilance from business owners and security professionals alike.
