Ethical Hacking News
A recent supply chain attack compromised the official Windows installers of DAEMON Tools, injecting malware into builds distributed by the vendor. The attack is believed to have been carried out by a Chinese-speaking adversary, although no specific threat actor or group has been identified. The malicious payload includes several components, among them a remote access trojan dubbed QUIC RAT. Organizations that run the affected builds should isolate those hosts and sweep for the indicators described below.
Key points:
- The developer of DAEMON Tools was targeted by a sophisticated supply chain attack.
- A malicious payload was injected into the official installers, compromising them with malware.
- The Windows version was affected; the Mac version was not.
- A Chinese-speaking adversary is believed to be behind the attack.
- The malicious components include DTHelper.exe and DTShellHlp.exe.
- The implant sends HTTP GET requests to an external server to receive shell commands and download further payloads.
- The malware was used in targeted attacks against organizations in Russia, Belarus, and Thailand.
- The operation shows advanced capabilities and deliberate targeting, possibly for cyberespionage or "big game hunting."
DAEMON Tools, the disc image mounting and burning software developed by AVB Disc Soft, has fallen victim to a sophisticated supply chain attack. The malicious payload was injected into the company's official installers, compromising them with malware. This development marks another high-profile breach in the first half of 2026, joining other notable incidents involving eScan, Notepad++, and CPUID.
According to Kaspersky researchers, the trojanized installers first appeared on April 8, 2026. The compromised versions range from 12.5.0.2421 to 12.5.0.2434. Only the Windows version was affected; the Mac version remains unaffected. The attack is believed to have been carried out by a Chinese-speaking adversary, although no specific threat actor or group has been identified.
The malicious payload includes several components, including DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. When any of these binaries are launched, typically during system startup, an implant is activated on the compromised host. The implant sends an HTTP GET request to an external server ("env-check.daemontools[.]cc") to receive a shell command that's run using the "cmd.exe" process.
The shell command then downloads several files, including envchk.exe, cdg.exe, and cdg.tmp. Envchk.exe is a .NET executable that collects extensive system information. The cdg.exe file is a shellcode loader that decrypts the contents of cdg.tmp and launches a minimalist backdoor; that backdoor contacts a remote server to download files, run shell commands, and execute shellcode payloads in memory.
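The kill chain above gives a hunt team three concrete things to check: whether an installed build lies in the trojanized version range, whether one of the launcher binaries has spawned cmd.exe or one of the stage-two files has executed, and whether anything on the host has contacted the stage-one C2 domain. The following is an added example written for this article, not code from Kaspersky or from AVB Disc Soft. It uses only the indicators the article names (the build range, treated here as inclusive, the three launcher binaries, the three dropped files, and env-check.daemontools[.]cc, undefanged for matching); the key=value event format is an assumption standing in for whatever your EDR or Sysmon pipeline emits, and every log line is constructed, not real telemetry. Note the caveat built into the version check: build numbers must be compared as integers, not strings, or a hypothetical build such as 12.5.0.243 would sort inside the range.

```python
"""Hunt helpers for the DAEMON Tools supply-chain compromise described above.

Added example, not code from the article or from Kaspersky. Indicators are the
ones the article names; every log line below is constructed, not real
telemetry, and the key=value event format is an assumption standing in for
EDR/Sysmon output.
"""
from __future__ import annotations

import re

# Trojanized Windows builds reported by Kaspersky (range treated as inclusive).
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)

# Binaries whose launch activates the implant (file names only: a weak
# indicator on its own, since a renamed copy would not match).
IMPLANT_LAUNCHERS = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}

# Payloads fetched and run by the stage-one shell command.
STAGE_TWO_FILES = {"envchk.exe", "cdg.exe", "cdg.tmp"}

# Stage-one C2 host (the article gives it defanged as env-check.daemontools[.]cc).
C2_HOST = "env-check.daemontools.cc"


def parse_version(s: str) -> tuple[int, ...]:
    """'12.5.0.2421' -> (12, 5, 0, 2421); rejects anything non-numeric."""
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {s!r}")
    return tuple(int(p) for p in parts)


def is_affected_version(s: str) -> bool:
    """True if a DAEMON Tools build number lies in the trojanized range.

    Integer-tuple comparison is deliberate: comparing the raw strings would
    place a hypothetical '12.5.0.243' between '12.5.0.2421' and '12.5.0.2434'.
    """
    return AFFECTED_MIN <= parse_version(s) <= AFFECTED_MAX


_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict[str, str]:
    """Parse one key=value event line; quoted values may contain spaces."""
    return {k: (q or b) for k, q, b in _KV.findall(line)}


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting either slash style."""
    return re.split(r"[\\/]", path)[-1].lower()


def flag_event(ev: dict[str, str]) -> list[str]:
    """Reasons an event matches the infection chain the article describes."""
    reasons: list[str] = []
    image = basename(ev.get("image", ""))
    if ev.get("type") == "proc":
        parent = basename(ev.get("parent", ""))
        # Stage one: a launcher binary runs the fetched shell command via cmd.exe.
        if parent in IMPLANT_LAUNCHERS and image == "cmd.exe":
            reasons.append(f"{parent} spawned cmd.exe")
        # Stage two: the shell command executes the downloaded payloads.
        if image in STAGE_TWO_FILES:
            reasons.append(f"stage-two payload {image} executed")
    elif ev.get("type") == "net":
        host = ev.get("host", "").lower().rstrip(".")
        if host == C2_HOST:
            reasons.append(f"{image} contacted C2 {host}")
    return reasons


def hunt(lines: list[str]) -> list[tuple[int, str]]:
    """Run flag_event over raw lines; returns (line number, reason) pairs."""
    hits: list[tuple[int, str]] = []
    for n, line in enumerate(lines, 1):
        for reason in flag_event(parse_event(line)):
            hits.append((n, reason))
    return hits


# Constructed sample telemetry: lines 1-3 are the infection chain, 4-5 benign.
SAMPLE_EVENTS = [
    r'type=proc parent="C:\Program Files\DAEMON Tools Lite\DTHelper.exe" image="C:\Windows\System32\cmd.exe"',
    r'type=net image="C:\Program Files\DAEMON Tools Lite\DTShellHlp.exe" host="env-check.daemontools.cc" method=GET',
    r'type=proc parent="C:\Windows\System32\cmd.exe" image="C:\Users\alice\AppData\Local\Temp\cdg.exe"',
    r'type=proc parent="C:\Windows\explorer.exe" image="C:\Program Files\DAEMON Tools Lite\DTHelper.exe"',
    r'type=net image="C:\Program Files\Mozilla Firefox\firefox.exe" host="example.com" method=GET',
]

if __name__ == "__main__":
    for n, reason in hunt(SAMPLE_EVENTS):
        print(f"line {n}: {reason}")
    print("12.5.0.2421 affected:", is_affected_version("12.5.0.2421"))
```

Line 4 in the sample is the benign case the rules must not fire on: DTHelper.exe starting at logon is exactly what a clean install does, so the process rule keys on the launcher spawning cmd.exe, not on the launcher itself. A real deployment would pair these name-based checks with file hashes or a signer check on the installer once the vendor publishes them.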
Kaspersky recorded the backdoor on machines at several organizations across three countries. In Russia, the compromised systems belong to retail, scientific, government, and manufacturing companies. In Belarus, the affected machines are linked to educational institutions. Thailand accounts for a single victim, an educational institution.
Because the backdoor was delivered to only a small subset of the machines that received the trojanized installer, Kaspersky concludes that the attacker chose targets deliberately, with a specific goal in mind, whether cyberespionage or "big game hunting." The deployment of a remote access trojan dubbed QUIC RAT is another indicator of the adversary's capabilities.
"This manner of deploying the backdoor to a small subset of infected machines clearly indicates that the attacker had intentions to conduct the infection in a targeted manner," said Kaspersky. "However, their intent – whether it is cyberespionage or ‘big game hunting’ – is currently unclear."
The activity has not been attributed to any known threat actor or group. However, evidence suggests that this attack may be linked to a Chinese-speaking adversary based on an analysis of the artifacts observed.
"It's clear that the attackers have advanced offensive capabilities," said senior security researcher at Kaspersky GReAT, Georgy Kucherin. "Because of that, it is thus of paramount importance for organizations to isolate machines having DAEMON Tools software installed, as well as to conduct security sweeps to prevent further spreading of malicious activities inside corporate networks."
The practical takeaway matches Kaspersky's advice: organizations with DAEMON Tools on Windows hosts should check the installed build against the 12.5.0.2421 to 12.5.0.2434 range, isolate affected machines, and sweep endpoints and network logs for the launcher binaries, the envchk.exe, cdg.exe and cdg.tmp payloads, and traffic to env-check.daemontools[.]cc.
A representative from AVB Disc Soft, the developer of DAEMON Tools, stated that they are aware of the report and are currently investigating the situation. The team is "treating this matter with the highest priority" and working to assess and address any potential risks.
Related Information:
https://www.ethicalhackingnews.com/articles/DAEMON-Tools-Supply-Chain-Attack-A-Sophisticated-Malware-Campaign-Targeting-Global-Organizations-ehn.shtml
https://thehackernews.com/2026/05/daemon-tools-supply-chain-attack.html
Published: Wed May 6 03:29:46 2026 by llama3.2 3B Q4_K_M