Security Operations, Supply chain, Malware, Threat Intelligence

DAEMON Tools installers compromised in new supply chain attack


DAEMON Tools installers have been compromised in a new supply chain attack, allowing attackers to distribute malicious payloads through legitimate software downloads. The trojanized installers were distributed from the official DAEMON Tools website and signed with valid digital certificates, making them appear legitimate to users. This sophisticated attack has been active since at least April 8, 2026, according to a recent report by The Hacker News.

The attack involved tampering with three core DAEMON Tools components: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. When launched, these components activate an implant that communicates with a malicious domain, env-check.daemontools[.]cc, to receive and execute shell commands. These commands are used to download and run further payloads, including envchk.exe for system information gathering and cdg.exe, which acts as a shellcode loader for a minimalist backdoor. This backdoor enables remote file downloads, command execution, and shellcode deployment.
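The component names, domain and payload names in the paragraph above can be turned into a small hunt over endpoint telemetry. This is an added example, not code from the report or from this publication; the event schema, host names and file paths are constructed, and treating any child process of the three tampered components as a triage lead is an assumption.

```python
import ntpath

# Indicators as named in the article; the domain stays defanged in source.
C2_DOMAIN = "env-check.daemontools[.]cc".replace("[.]", ".")
TAMPERED = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
PAYLOADS = {"envchk.exe", "cdg.exe"}

def image_name(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path or "").lower()

def domain_matches(query):
    """True for the C2 domain or a subdomain, not for look-alike suffixes."""
    q = (query or "").lower().rstrip(".")
    return q == C2_DOMAIN or q.endswith("." + C2_DOMAIN)

def hunt(events):
    """Return (host, reason) findings for a list of event dicts."""
    findings = []
    for ev in events:
        if ev["type"] == "dns" and domain_matches(ev["query"]):
            findings.append((ev["host"], "dns query to C2 domain"))
        elif ev["type"] == "process":
            child, parent = image_name(ev["image"]), image_name(ev.get("parent"))
            if child in PAYLOADS:
                findings.append((ev["host"], f"payload executed: {child}"))
            elif parent in TAMPERED:
                # Assumption: a child of these components is a lead, not proof.
                findings.append((ev["host"], f"{parent} spawned {child}"))
    return findings

# Constructed sample events (hypothetical schema and paths, not real telemetry).
SAMPLE_EVENTS = [
    {"type": "dns", "host": "ws-01", "query": "ENV-CHECK.daemontools.cc."},
    {"type": "dns", "host": "ws-02", "query": "env-check.daemontools.cc.example.net"},
    {"type": "process", "host": "ws-01", "image": r"C:\Temp\envchk.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "host": "ws-01", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Apps\DT\DTHelper.exe"},
    {"type": "process", "host": "ws-03", "image": r"C:\Apps\DT\DTHelper.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for host, reason in hunt(SAMPLE_EVENTS):
        print(host, reason)
```

Because the trojanized installers were validly signed and the component file names are the legitimate ones, the file names alone do not separate clean from tampered installs; the domain and payload matches carry the weight here.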

While thousands of infection attempts were observed globally, the more advanced backdoor was deployed to only a dozen hosts, indicating a targeted approach. Affected entities include retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand. One payload, QUIC RAT, was specifically deployed against a Russian educational institution. The complexity of the attack, which bypasses traditional defenses by leveraging trusted software, suggests a highly capable adversary, possibly Chinese-speaking, though attribution remains unclear. This incident follows a series of recent supply chain compromises affecting software like eScan, Notepad++, and CPUID.

Source: The Hacker News
