
DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware

Published:

5 May 2026 at 16:07:00

Alert date:

5 May 2026 at 17:01:38

Source:

thehackernews.com


Supply Chain & Dependencies, Ransomware & Malware

A supply chain attack has compromised DAEMON Tools software installers with malware. The malicious installers are distributed from the legitimate DAEMON Tools website and are signed with valid digital certificates belonging to the DAEMON Tools developers. Kaspersky researchers Igor Kuznetsov, Georgy Kucherin, and Leonid discovered the attack. Because the compromise affects official installers, users who reasonably trust downloads from the legitimate source are directly exposed, which makes this incident particularly dangerous. It is a significant supply chain security incident affecting a popular software utility.

Technical details

The supply chain attack targeted DAEMON Tools: the compromised installers were distributed from the legitimate website and signed with valid certificates. Three components were tampered with: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. Upon execution, the implant sends an HTTP GET request to an external server and receives shell commands in response. The payloads include envchk.exe (a .NET executable that collects system information), cdg.exe (a shellcode loader), and cdg.tmp (an encrypted backdoor). The backdoor supports multiple C2 protocols (HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3) and can inject payloads into the notepad.exe and conhost.exe processes. A QUIC RAT is delivered as an additional payload.

Mitigation steps:

Isolate machines that have DAEMON Tools installed and conduct security sweeps to prevent malicious activity from spreading further inside corporate networks. Organizations should verify software integrity and monitor for signs of compromise on systems running the affected DAEMON Tools versions.

Affected products:

DAEMON Tools versions 12.5.0.2421 to 12.5.0.2434
DTHelper.exe
DiscSoftBusServiceLite.exe
DTShellHlp.exe

Related links:

Related CVEs:

Related threat actors:

IOCs:

env-check.daemontools[.]cc, envchk.exe, cdg.exe, cdg.tmp, QUIC RAT
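The mitigation steps above ask defenders to check whether installed DAEMON Tools builds fall in the affected range and to look for signs of compromise. The following Python script is an added example written for this advisory; it is not code from Perceptive, Kaspersky, or the DAEMON Tools project. It encodes the affected version range and the indicators listed on this page, and runs them over a few constructed proxy and EDR log lines (the hostnames, IP addresses and file paths in the sample lines are invented for illustration). The three tampered component names are deliberately not used as indicators on their own, because they are also the names of the legitimate binaries.

```python
import re
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Affected version range and indicators as listed in the advisory above.
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)
TAMPERED_BINARIES = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
DROPPED_PAYLOADS = {"envchk.exe", "cdg.exe", "cdg.tmp"}
C2_DOMAIN_DEFANGED = "env-check.daemontools[.]cc"


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]') back into a matchable hostname."""
    return ioc.replace("[.]", ".").lower()


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a dotted four-part DAEMON Tools version string into a comparable tuple."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part version, got {version!r}")
    return parts


def is_affected_version(version: str) -> bool:
    """True when the build lies inside the tampered range (inclusive at both ends)."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


@dataclass
class Finding:
    line_no: int
    indicator: str
    kind: str  # "c2_domain" or "payload_name"


def _token_pattern(token: str) -> re.Pattern:
    # Match the indicator only as a whole token, so e.g. "xcdg.exe" or
    # "cdg.exe.bak" are not reported. Backslashes and slashes are not word
    # characters, so Windows paths and URLs still match correctly.
    return re.compile(r"(?<![\w.-])" + re.escape(token) + r"(?![\w.-])")


def scan_log_lines(lines: Sequence[str]) -> List[Finding]:
    """Report every log line that references the C2 domain or a dropped payload name."""
    domain = refang(C2_DOMAIN_DEFANGED)
    domain_re = _token_pattern(domain)
    payload_res = [(name, _token_pattern(name)) for name in sorted(DROPPED_PAYLOADS)]
    findings: List[Finding] = []
    for line_no, line in enumerate(lines, start=1):
        low = line.lower()
        if domain_re.search(low):
            findings.append(Finding(line_no, domain, "c2_domain"))
        for name, pattern in payload_res:
            if pattern.search(low):
                findings.append(Finding(line_no, name, "payload_name"))
    return findings


# Constructed sample log lines (not real telemetry): one proxy hit on the C2
# domain, two EDR events for dropped payloads, and two benign lines.
SAMPLE_LOG = [
    "2026-05-05T16:10:02Z proxy src=10.0.0.15 method=GET url=http://env-check.daemontools.cc/ ua=Mozilla/5.0",
    r"2026-05-05T16:10:05Z edr host=WS-114 event=process_create image=C:\Users\alice\AppData\Local\Temp\cdg.exe parent=DTHelper.exe",
    r"2026-05-05T16:10:06Z edr host=WS-114 event=file_write path=C:\Users\alice\AppData\Local\Temp\cdg.tmp",
    "2026-05-05T16:11:00Z proxy src=10.0.0.22 method=GET url=https://example.com/updates ua=Mozilla/5.0",
    r"2026-05-05T16:11:30Z edr host=WS-114 event=process_create image=C:\Windows\System32\notepad.exe parent=explorer.exe",
]


def triage(installed_version: str, lines: Sequence[str]) -> dict:
    """Combine the version check and the log sweep into one host-level verdict."""
    findings = scan_log_lines(lines)
    return {
        "affected_version": is_affected_version(installed_version),
        "findings": findings,
        "isolate": is_affected_version(installed_version) or bool(findings),
    }


if __name__ == "__main__":
    result = triage("12.5.0.2430", SAMPLE_LOG)
    print(f"affected version: {result['affected_version']}")
    for f in result["findings"]:
        print(f"line {f.line_no}: {f.kind} -> {f.indicator}")
    print(f"isolate host: {result['isolate']}")
```

A hit on the C2 domain is the strongest signal here; the payload file names are generic enough that a match should be treated as a lead for a manual sweep of the affected host rather than as confirmation on its own.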

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
