PROBABLYPWNED
Malware | May 8, 2026 | 4 min read

DAEMON Tools Trojanized Since April—Backdoor Hit 100+ Countries

Kaspersky uncovered a supply chain attack on the official DAEMON Tools website. Trojanized installers deployed QUIC RAT backdoors to thousands of systems, with a dozen government and manufacturing targets receiving advanced payloads.

James Rivera

DAEMON Tools, the popular virtual drive emulation software, served backdoored installers from its official website for nearly a month before Kaspersky researchers caught the compromise. The supply chain attack infected systems in over 100 countries, with a smaller subset of government and manufacturing targets receiving a sophisticated second-stage RAT.

Kaspersky's Global Research and Analysis Team disclosed that trojanized installers shipped from April 8 through early May, delivering malware alongside the legitimate application.

Timeline and Scope

  • March 27, 2026 - Attackers registered the C2 domain env-check.daemontools[.]cc
  • April 8, 2026 - Trojanized installers began distribution from the official site
  • May 5, 2026 - Compromise publicly disclosed; patched version 12.6.0.2445 released

Affected versions range from 12.5.0.2421 through 12.5.0.2434. Only DAEMON Tools Lite (the free version) was compromised—Pro and Ultra editions remained clean.

How the Attack Works

The malware embeds itself through three compromised binaries: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. On system startup, these trigger a multi-stage payload chain:

  1. envchk.exe - Collects system fingerprinting data: hostname, MAC address, running processes, installed software, locale
  2. cdg.exe - Decrypts and executes a minimalist shellcode loader
  3. QUIC RAT - Final payload supporting HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3 protocols for C2 communication

The protocol diversity is notable. QUIC traffic blends with legitimate browser connections, DNS tunneling evades network monitoring, and HTTP/3 support suggests the attackers anticipated modern network inspection tools.

Targeted vs. Opportunistic

Kaspersky observed thousands of infection attempts across Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. But only about a dozen systems received the advanced backdoor—specifically retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand.

This two-tier approach suggests the attackers cast a wide net through the supply chain compromise, then selectively deployed sophisticated tooling against high-value targets. The pattern resembles similar APT tradecraft we've covered, where initial access campaigns filter victims before committing advanced capabilities.

Attribution Points to China

Kaspersky assessed the attack was "the work of a Chinese-speaking adversary" based on artifact analysis, though they stopped short of naming a specific group. The targeting of government and scientific entities, combined with the selective deployment of advanced payloads, fits the profile of Chinese state-sponsored operations.

However, researchers noted the intent remains unclear—the campaign could represent cyber espionage or "big game hunting" for future ransomware deployment.

Detection and Remediation

If you downloaded DAEMON Tools Lite between April 8 and May 5:

  1. Uninstall the affected version immediately
  2. Run a full system scan with updated antivirus signatures
  3. Check for persistence mechanisms - Look for unusual scheduled tasks or services
  4. Monitor network traffic for connections to env-check.daemontools[.]cc and related infrastructure
  5. Update to version 12.6 or later from the official site (now clean)

Organizations should check endpoint detection logs for the following indicators:

  • Process creation from DTHelper.exe, DiscSoftBusServiceLite.exe, or DTShellHlp.exe spawning unexpected children
  • Outbound QUIC or DNS traffic to unusual destinations
  • Memory-resident payloads injected into notepad.exe or conhost.exe
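One way to triage exported endpoint telemetry for the three indicator classes listed above, as an added example (not Kaspersky's or the vendor's code). It assumes a Sysmon-like JSON event schema with `type`, `parent_image`, `image`, `query`, `source_image` and `target_image` fields, and the sample events are constructed:

```python
import json

# Indicators from the article; the event field names are an assumed Sysmon-like
# schema, not any real EDR export format.
TROJANIZED_PARENTS = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
STAGER_CHILDREN = {"envchk.exe", "cdg.exe"}          # stages 1 and 2 of the chain
C2_DOMAIN = "env-check.daemontools.cc"               # defanged on the page as [.]cc
INJECTION_TARGETS = {"notepad.exe", "conhost.exe"}   # hosts for the in-memory payload

def basename(path: str) -> str:
    """Normalize a Windows or POSIX image path to its lowercase file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def triage_event(ev: dict) -> list[str]:
    """Return the indicator labels one event matches (empty list if clean)."""
    hits = []
    kind = ev.get("type")
    if kind == "process_create":
        parent, child = basename(ev["parent_image"]), basename(ev["image"])
        if parent in TROJANIZED_PARENTS:
            # Known stager = high confidence; any other child still needs review.
            label = "known-stager" if child in STAGER_CHILDREN else "unexpected-child"
            hits.append(f"{label}:{parent}->{child}")
    elif kind == "dns_query":
        name = ev["query"].lower().rstrip(".")
        if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN):
            hits.append(f"c2-dns:{name}")
    elif kind == "create_remote_thread":
        target = basename(ev["target_image"])
        if target in INJECTION_TARGETS:
            hits.append(f"injection:{basename(ev['source_image'])}->{target}")
    return hits

def hunt(jsonl: str) -> list[str]:
    """Run triage over newline-delimited JSON events and collect every hit."""
    return [h for line in jsonl.splitlines() if line.strip()
            for h in triage_event(json.loads(line))]

# Constructed sample telemetry (not real logs): a clean launch, then the chain.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"type": "process_create", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\DAEMON Tools Lite\\DTHelper.exe"},
    {"type": "process_create", "parent_image": "C:\\Program Files\\DAEMON Tools Lite\\DTHelper.exe",
     "image": "C:\\Users\\Public\\envchk.exe"},
    {"type": "dns_query", "image": "C:\\Users\\Public\\cdg.exe", "query": "env-check.daemontools.cc."},
    {"type": "create_remote_thread", "source_image": "C:\\Users\\Public\\cdg.exe",
     "target_image": "C:\\Windows\\System32\\notepad.exe"},
])
```

The legitimate launch of DTHelper.exe by explorer.exe produces no hit, so the parent-child check fires only on the helper binaries acting as parents, which is the behaviour the article describes.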

The Supply Chain Problem

DAEMON Tools has been around since 2000 and maintains a substantial installed base among users who need virtual drive functionality. The software's legitimate use case made it an attractive supply chain target—users trust the official download page, and security tools typically whitelist the application.

This attack joins a growing list of supply chain compromises targeting popular software. For defenders, the lesson is clear: download verification, software bill of materials tracking, and behavioral monitoring are essential even for trusted applications. The vendor's website is not a security guarantee.

Why This Matters

Supply chain attacks scale. One compromise reaches every user who downloads during the attack window, without requiring phishing, social engineering, or exploit development against individual targets. The attackers in this case traded stealth for reach—thousands of infections for the cost of compromising one build pipeline.

For organizations evaluating software supply chain risk, this incident demonstrates that even niche utilities can become vectors for sophisticated threat actors.
