
Imagine buying a sealed jar of peanut butter from a supermarket you trust completely — only to discover the factory that made it had secretly added something harmful before sealing the jar. You never suspected it because the label looked real and the seal was unbroken.
A supply chain attack works the same way in the software world. Instead of hacking your computer directly, attackers compromise the software you download from a trusted source — like an official website. Because the software looks legitimate, your security tools often don't flag it. In this case, hackers tampered with DAEMON Tools — a popular Windows utility used by millions — and slipped malware inside it. Every user who downloaded the software from the official site unknowingly installed a backdoor on their own machine.
Introduction
On April 8, 2026, thousands of Windows users downloaded what appeared to be a routine update to DAEMON Tools — a widely used virtual disk emulation utility. What they actually installed was a trojanized binary carrying a persistent backdoor capable of harvesting system data, executing remote commands, and in targeted cases, deploying a sophisticated multi-protocol Remote Access Trojan (RAT).
Discovered and disclosed by Kaspersky's Global Research and Analysis Team (GReAT), this supply chain attack affected users across more than 100 countries before detection. The attack evaded scrutiny for nearly a month, in part because the compromised installers were digitally signed using legitimate certificates belonging to AVB Disc Soft, the software's developer. According to Kaspersky telemetry, nearly 19,500 malicious packages were found in open-source projects by end of 2025 — a 37 percent increase year-over-year — and supply chain attacks have now become the most common cyberthreat businesses faced over the past twelve months.
This post breaks down exactly how the DAEMON Tools compromise worked, why it succeeded, who was targeted, and what defenders need to do right now.
How Attackers Compromised the DAEMON Tools Build Pipeline
The most alarming aspect of this attack is not the malware itself — it is where the malware was inserted. Kaspersky's analysis concluded that attackers likely compromised the software's build pipeline, injecting malicious assembly code directly into specific binaries during the compilation process. This technique aligns with MITRE ATT&CK technique T1195.002 (Compromise Software Supply Chain).
The Trojanized Binaries
Affected versions span 12.5.0.2421 through 12.5.0.2434, released after April 8. Three core binaries were tampered with inside the installation directory (e.g., C:\Program Files\DAEMON Tools Lite):
- DTHelper.exe
- DiscSoftBusServiceLite.exe
- DTShellHlp.exe
All three remained digitally signed by AVB Disc Soft, so standard signature verification reports them as clean. The backdoor was implanted in the startup code that initializes the C runtime (CRT), so it runs before the application's own entry point every time one of these binaries starts, including at system boot, before most user-space monitoring tools are fully operational.
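The combination above (a narrow affected version range, and binaries that carry a valid vendor signature yet differ from the real build) lends itself to a two-part triage check. The Python below is an added example, not code from Kaspersky, AVB Disc Soft or the original post. The affected version range and the three binary names are taken from the write-up; the allowlist hashes and the file contents inside demo() are constructed stand-ins, not real DAEMON Tools hashes. The same block illustrates the hash-validation control listed under the hardening measures later in the post.

```python
"""Added example, not code from Kaspersky or AVB Disc Soft: triage an installed
DAEMON Tools binary (1) by version range and (2) by SHA-256 allowlist.

The affected range 12.5.0.2421 to 12.5.0.2434 and the three binary names come
from the write-up. The allowlist and the file contents in demo() are
constructed stand-ins for illustration; they are NOT real DAEMON Tools hashes.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Tuple

AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)
TROJANIZED_BINARIES = ("DTHelper.exe", "DiscSoftBusServiceLite.exe", "DTShellHlp.exe")


def parse_version(text: str) -> Tuple[int, ...]:
    """'12.5.0.2434' -> (12, 5, 0, 2434). Versions must be compared as integer
    tuples: as strings, '12.5.0.243' sorts between '12.5.0.2421' and
    '12.5.0.2434' and would be flagged although 243 < 2421."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected_version(text: str) -> bool:
    """True if the version falls inside the trojanized release range."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def sha256_of(path: Path) -> str:
    """Stream the file so large installers do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_against_allowlist(path: Path, allowlist: Dict[str, str]) -> str:
    """Return 'ok', 'tampered' or 'unknown'.

    A valid Authenticode signature is not evidence here: the trojanized builds
    were signed with the vendor's own certificate, so the only independent
    check is a hash pinned from a build you have other reasons to trust.
    """
    expected = allowlist.get(path.name)
    if expected is None:
        return "unknown"
    return "ok" if sha256_of(path) == expected else "tampered"


def demo() -> Dict[str, str]:
    """Constructed sample: a 'clean' DTHelper.exe, then the same file with a
    few bytes inserted as a stand-in for the injected startup code."""
    clean = b"MZ\x90\x00constructed stand-in for a clean DTHelper.exe"
    tampered = clean[:4] + b"\xe8\x00\x00\x00\x00" + clean[4:]  # injected stub
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "DTHelper.exe"
        target.write_bytes(clean)
        allowlist = {"DTHelper.exe": sha256_of(target)}  # pinned from the trusted copy
        results = {"clean": verify_against_allowlist(target, allowlist)}
        target.write_bytes(tampered)
        results["tampered"] = verify_against_allowlist(target, allowlist)
        other = Path(tmp) / "Unpinned.exe"  # constructed name, not a real binary
        other.write_bytes(clean)
        results["unpinned"] = verify_against_allowlist(other, allowlist)
    return results


if __name__ == "__main__":
    for v in ("12.5.0.2420", "12.5.0.2421", "12.5.0.2434", "12.6.0.2445"):
        print(v, "affected" if is_affected_version(v) else "not affected")
    print(demo())
```

Pin the allowlist from a copy obtained out of band (for example, a build downloaded before April 8 and checked against a second source), never from the binary under test: a hash computed from the suspect file only proves that it matches itself.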
The C2 Typosquatting Domain
Once active, the backdoor establishes persistence and sends HTTP GET requests to a command-and-control server at env-check.daemontools[.]cc — a domain registered on March 27, 2026, deliberately crafted to typosquat the legitimate daemon-tools[.]cc download domain. The C2 server responds with a shell command that is executed via cmd.exe, which then fetches and runs additional payloads.
Important: This typosquatting domain was registered nearly two weeks before the first trojanized installer appeared. The attackers pre-positioned their infrastructure well in advance — a hallmark of deliberate, coordinated threat actor planning, not opportunistic exploitation.
The Three-Stage Attack Chain: From Broad Net to Precision Strike
What makes this campaign analytically interesting is its targeting model: cast a wide net with a cheap first stage, then deliver the heavier implants only to a hand-picked subset of victims.
Stage 1 — Mass Information Collection
The first payload deployed is a lightweight information stealer. It collects:
- Hostname and MAC address
- DNS domain name
- List of running processes and installed software
- System locale and language settings
This data is exfiltrated back to the C2 server, giving the threat actors a detailed victim profile. The technique maps to MITRE ATT&CK T1082 (System Information Discovery) and T1016 (System Network Configuration Discovery). Thousands of systems across more than 100 countries received this first-stage payload — with the heaviest concentration in Brazil, China, France, Germany, Italy, Russia, Spain, and Turkey.
Stage 2 — Selective Backdoor Deployment
Based on profiling results, only a small subset of systems — roughly a dozen — received the second-stage payload: a minimalistic but capable backdoor. This implant can:
- Execute arbitrary shell commands
- Download and run additional files
- Execute shellcode modules entirely in memory (MITRE ATT&CK T1055 — Process Injection)
The organizations targeted at this stage include government agencies, scientific institutions, manufacturing companies, and retail businesses located in Russia, Belarus, and Thailand. Approximately 10 percent of all affected machines belong to businesses and organizations.
Stage 3 — QUIC RAT Deployment
In at least one confirmed case targeting a Russian educational institution, the backdoor was used to deploy a sophisticated implant dubbed QUIC RAT: a C++ malware strain obfuscated with control flow flattening and statically linked against the wolfSSL library.
QUIC RAT supports an unusually broad range of C2 communication protocols:
| Protocol | Purpose |
|---|---|
| HTTP / HTTP/3 | Standard and modern web traffic |
| QUIC | Low-latency encrypted transport |
| DNS | Covert channel via DNS queries |
| TCP / UDP | Raw socket communication |
| WSS (WebSocket Secure) | Encrypted bidirectional comms |
The RAT can inject payloads directly into legitimate system processes — specifically notepad.exe and conhost.exe — making forensic detection substantially harder. Kaspersky has not yet attributed this campaign to a known threat group, though Chinese-language artifacts were identified within the malicious implants.
Pro Tip: When investigating potential supply chain compromises, hunt for processes with unexpected network connections, particularly notepad.exe or conhost.exe initiating outbound traffic. These are virtually never legitimate behaviors and should trigger immediate SOC escalation.
Why This Attack Succeeded: The Trust Problem in Software Distribution
Why did this go undetected for nearly a month? The answer comes down to one word: trust.
Digital Signatures Do Not Guarantee Integrity
Modern enterprise environments rely heavily on code signing as a trust indicator. EDR tools, application allowlisting solutions, and even Windows SmartScreen treat signed binaries as lower-risk. When attackers compromise the build pipeline upstream, they inherit the developer's signing certificate. The resulting binary is indistinguishable from legitimate software at the signature level.
This is precisely what Kaspersky's senior researcher Georgy Kucherin flagged: "A compromise of this nature bypasses traditional perimeter defenses because users implicitly trust digitally signed software downloaded directly from an official vendor."
Disk Emulation Software Runs with Elevated Privileges
DAEMON Tools routinely requires administrative privileges to mount disk images as virtual drives. That makes it an ideal vector: malware embedded in the binary inherits those elevated permissions, so the attacker needs no separate privilege escalation step (none of the bypasses catalogued under MITRE ATT&CK T1548, Abuse Elevation Control Mechanism, for example) to reach the same level of access.
The Attack Sat in Blind Spots Across Multiple Frameworks
| Security Framework | Gap Exposed |
|---|---|
| NIST CSF — Detect | Insufficient integrity monitoring of vendor software updates |
| CIS Control 2 — Software Inventory | Trojanized versions indistinguishable without hash validation |
| ISO 27001 — A.15 Supplier Relationships | Weak third-party software integrity assurance |
| MITRE ATT&CK — T1195.002 | Lack of build pipeline monitoring at vendor level |
The incident also has compliance implications. Organizations subject to SOC 2 Type II requirements around change management, or those under NIS2 Directive in Europe, now face questions about whether their third-party software vetting processes were sufficient.
Detection, Response, and Hardening Recommendations
If your organization uses DAEMON Tools — or any third-party utility with similar install profiles — the following response steps apply immediately.
Immediate Incident Response Actions
- Isolate any system running DAEMON Tools versions 12.5.0.2421 through 12.5.0.2434
- Audit process creation logs from April 8 onward for cmd.exe child processes spawned by DTHelper.exe, DiscSoftBusServiceLite.exe, or DTShellHlp.exe
- Check DNS logs for queries to env-check.daemontools[.]cc or any other subdomain of daemontools[.]cc. Note the missing hyphen: the official domain is daemon-tools[.]cc, and lookups of that domain are expected on any machine running the software
- Run memory forensics on any system flagged for anomalous behavior; QUIC RAT operates in memory and leaves minimal disk artifacts
- Update to DAEMON Tools version 12.6.0.2445, which AVB Disc Soft released following responsible disclosure and which no longer contains the malicious code
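The process-creation, DNS and network checks in the list above (together with the notepad.exe/conhost.exe pro tip from the QUIC RAT section) can be expressed as three hunt rules. The Python below is an added example, not Kaspersky's or AVB Disc Soft's tooling. The telemetry is constructed for illustration: the hostnames, command lines and 203.0.113.0/24 destination addresses are assumptions, the field names follow Sysmon Event IDs 1, 3 and 22 but each record is a plain dict rather than Windows Event Log XML, and the domains appear un-defanged because the code has to match real query names.

```python
"""Added example, not Kaspersky's or AVB Disc Soft's tooling: run the three
hunt rules from the response list above over Sysmon-style telemetry.

The records in SAMPLE_EVENTS are constructed for illustration. Field names
follow Sysmon Event ID 1 (ProcessCreate), 3 (NetworkConnect) and 22 (DNSEvent),
but each event is a plain dict rather than real Windows Event Log XML.
"""
from typing import Any, Dict, List, Tuple

TROJANIZED_PARENTS = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
NO_NETWORK_EXPECTED = {"notepad.exe", "conhost.exe"}  # QUIC RAT injection targets
TYPOSQUAT_DOMAIN = "daemontools.cc"   # attacker C2 domain (no hyphen)
OFFICIAL_DOMAIN = "daemon-tools.cc"   # vendor domain, must never alert

Finding = Tuple[str, str, str]  # (rule, host, evidence)


def image_name(path: str) -> str:
    """Case-insensitive basename of a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_typosquat_domain(qname: str) -> bool:
    """Match daemontools.cc and its subdomains only. A substring test would also
    hit 'notdaemontools.cc' or 'daemontools.cc.example.org'; matching on a label
    boundary keeps those, and the official daemon-tools.cc, out."""
    name = qname.lower().rstrip(".")
    return name == TYPOSQUAT_DOMAIN or name.endswith("." + TYPOSQUAT_DOMAIN)


def hunt(events: List[Dict[str, Any]]) -> List[Finding]:
    """Return one (rule, host, evidence) tuple per matching event."""
    findings: List[Finding] = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            # Rule 1: cmd.exe spawned by one of the three trojanized binaries.
            if image_name(ev["Image"]) == "cmd.exe" and image_name(ev["ParentImage"]) in TROJANIZED_PARENTS:
                findings.append(("cmd.exe child of trojanized binary", ev["Computer"],
                                 f'{ev["ParentImage"]} -> {ev["CommandLine"]}'))
        elif eid == 3:
            # Rule 2: notepad.exe / conhost.exe opening an outbound connection.
            if image_name(ev["Image"]) in NO_NETWORK_EXPECTED and ev.get("Initiated") == "true":
                findings.append(("outbound connection from injection target", ev["Computer"],
                                 f'{image_name(ev["Image"])} -> {ev["DestinationIp"]}:{ev["DestinationPort"]}'))
        elif eid == 22:
            # Rule 3: DNS lookup of the typosquat domain or any of its subdomains.
            if is_typosquat_domain(ev["QueryName"]):
                findings.append(("C2 domain lookup", ev["Computer"],
                                 f'{image_name(ev["Image"])} queried {ev["QueryName"]}'))
    return findings


# Constructed sample telemetry: four events that should alert, four that should not.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"EventID": 22, "Computer": "WS-0412", "UtcTime": "2026-04-10 08:14:01.900",
     "Image": r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe", "QueryName": "env-check.daemontools.cc"},
    {"EventID": 1, "Computer": "WS-0412", "UtcTime": "2026-04-10 08:14:02.117",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe"},
    {"EventID": 1, "Computer": "WS-0412", "UtcTime": "2026-04-10 08:15:40.001",          # benign
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 22, "Computer": "WS-0412", "UtcTime": "2026-04-10 08:13:59.000",         # vendor domain, benign
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "QueryName": "www.daemon-tools.cc"},
    {"EventID": 22, "Computer": "WS-0412", "UtcTime": "2026-04-10 08:16:10.250",         # lookalike, must not match
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "QueryName": "notdaemontools.cc"},
    {"EventID": 3, "Computer": "SRV-EDU-07", "UtcTime": "2026-04-12 21:02:33.410",
     "Image": r"C:\Windows\System32\notepad.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.45", "DestinationPort": "443"},
    {"EventID": 3, "Computer": "SRV-EDU-07", "UtcTime": "2026-04-12 21:02:35.002",
     "Image": r"C:\Windows\System32\conhost.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.45", "DestinationPort": "8443"},
    {"EventID": 3, "Computer": "SRV-EDU-07", "UtcTime": "2026-04-12 21:03:00.000",        # browser, benign
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.45", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for rule, host, evidence in hunt(SAMPLE_EVENTS):
        print(f"{host:<12} {rule:<45} {evidence}")
```

In a real investigation the events come from a SIEM query bounded to April 8 onward and the matching logic stays the same. The domain rule deliberately matches on a label boundary rather than with a substring test; that is the difference between catching env-check.daemontools[.]cc and raising an alert on every routine lookup of the vendor's legitimate daemon-tools[.]cc.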
Longer-Term Hardening Measures
| Control | Implementation | Risk Reduction |
|---|---|---|
| Software Hash Validation | Compare SHA-256 of downloaded binaries against known-good hashes before deployment | High — catches tampered binaries post-signing |
| Network Egress Filtering | Block unknown outbound domains, enforce DNS filtering | High — disrupts C2 beaconing |
| Process Behavior Monitoring | Alert on notepad.exe / conhost.exe making network connections | High — detects in-memory RAT activity |
| Vendor Security Assessment | Require SBOM (Software Bill of Materials) from software vendors | Medium — improves supply chain visibility |
| Privileged Software Isolation | Run disk-mounting utilities in sandboxed environments | Medium — limits blast radius |
Key Takeaways
- Verify before you trust: Digital signatures alone are insufficient. Implement hash-based integrity checks for any third-party software your organization deploys at scale, especially utilities with elevated privileges.
- Audit from April 8 onward: If DAEMON Tools was present on any machine, that date is your forensic starting point. Look for child processes under the three compromised binaries.
- Treat software updates as an attack surface: By Kaspersky's count, malicious packages in open-source projects grew 37 percent in 2025. Every software update, even one from an official vendor, now requires scrutiny equivalent to an unknown executable.
- Monitor for protocol-diverse C2: QUIC RAT supports HTTP, DNS, QUIC, TCP, UDP, and WSS. Perimeter defenses that only block traditional C2 ports will miss it.
- Build supplier security into your risk program: ISO 27001 Annex A.15 and NIST CSF's "Identify" function both call for supplier relationship management — this incident shows that gap has real consequences.
- Update to version 12.6.0.2445 immediately and do not run the compromised versions under any circumstances.
Conclusion
The DAEMON Tools supply chain attack is a textbook demonstration of why perimeter defenses and signature-based trust models are no longer sufficient. Attackers who compromise a build pipeline inherit everything a trusted vendor has built: signed binaries, legitimate download infrastructure, and the implicit confidence of users who have no reason to be suspicious.
The narrow targeting of high-value organizations in Russia, Belarus, and Thailand — amid thousands of broad infections — suggests a patient, methodical threat actor whose ultimate intent, whether cyberespionage or a ransomware prelude, remains unconfirmed. What is confirmed is that this was the fourth supply chain compromise Kaspersky investigated in 2026 alone.
For defenders, the actionable next step is straightforward: run a software inventory audit today, identify every third-party utility running with elevated privileges, and implement hash validation and behavioral monitoring for those tools. Supply chain security is no longer a theoretical risk. It is a present operational reality.
Frequently Asked Questions
Q: Am I affected if I only use DAEMON Tools at home, not in an enterprise environment?
A: Yes. The initial information-stealing payload was deployed broadly to thousands of home and business users across more than 100 countries. While the more sophisticated backdoor and QUIC RAT were reserved for high-value targets, any system running versions 12.5.0.2421 through 12.5.0.2434 should be considered potentially compromised. Uninstall the affected version, run a full antivirus scan, and update to 12.6.0.2445.
Q: How did the attackers get into the DAEMON Tools build pipeline in the first place?
A: Kaspersky has not publicly confirmed the exact initial access vector. However, the injection of malicious assembly code into specific binaries during the build process points to either a compromise of a developer's account or machine, or a direct breach of the build/CI infrastructure. This aligns with supply chain attack patterns seen in previous incidents involving eScan, Notepad++, and CPU-Z in 2026.
Q: Why did antivirus tools not detect this sooner? A: The compromised binaries retained valid digital signatures from AVB Disc Soft. Many endpoint security products treat signed software from known vendors as lower-risk, which allowed the malware to persist for nearly a month undetected. Behavioral detection — rather than signature-based scanning — is what ultimately flagged the anomaly in Kaspersky's telemetry.
Q: What does QUIC RAT's use of multiple protocols mean for defenders?
A: It means no single firewall rule or network block will stop it. QUIC RAT can shift between HTTP, DNS, TCP, UDP, WSS, and QUIC depending on what is available, making it resilient to partial network controls. Defenders need behavior-based detection — specifically watching for unexpected outbound connections from system processes like notepad.exe and conhost.exe — rather than relying solely on blocked ports or domains.
Q: Is there any attribution for who conducted this attack?
A: Kaspersky identified Chinese-language artifacts within the malicious implants but has not attributed the campaign to any known threat actor group. The narrow victim profile targeting government, scientific, manufacturing, and retail organizations in Russia, Belarus, and Thailand, combined with hands-on follow-up actions and typos in executed commands, suggests a human-operated intrusion campaign rather than automated ransomware deployment. The intent, whether cyberespionage or financial crime, remains officially unclear.
