A supply chain attack on DAEMON Tools software has compromised its installers since April 8, 2026 and spread malicious payloads to users in more than 100 countries, according to a technical analysis by Kaspersky.
KEY FACTS
- Affected software: DAEMON Tools installers for versions 12.5.0.2421 through 12.5.0.2434 were tampered with.
- Components altered: Three binaries were modified, including DTHelper.exe and DiscSoftBusServiceLite.exe.
- Observed impact: Several thousand infection attempts were seen, but the follow-on backdoor reached only a dozen hosts.
- Targeted victims: Follow-on malware appeared on systems tied to retail, scientific, government and manufacturing organizations.
The altered installers were distributed from the legitimate DAEMON Tools website and carried digital certificates tied to the software maker. When the affected binaries launched, usually during startup, they contacted an external domain, env-check.daemontools.cc, to fetch a command that was then run through cmd.exe.
That command downloaded additional files, including envchk.exe, which collected system information, and cdg.exe, which acted as a shellcode loader. The loader decrypted a second file and launched a backdoor that could download files, run commands and execute shellcode in memory.
Kaspersky said the compromise has not been linked to any known threat group, although artifacts suggest a Chinese-speaking adversary. The company also noted that the next-stage malware reached only a small number of machines, which points to targeted use rather than broad distribution.
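The following is an added detection example, not code from Kaspersky or the article: it checks whether an installed version falls in the tampered range and scans process-creation and DNS events for the chain described above (affected binary spawning cmd.exe, a lookup of env-check.daemontools.cc, execution of envchk.exe or cdg.exe). The key=value log format, field names and file paths are assumptions; the sample log is constructed.

```python
import re
from typing import Dict, List, Tuple
# Indicators taken from the analysis summarised in the article.
AFFECTED_BINARIES = {"dthelper.exe", "discsoftbusservicelite.exe"}
C2_DOMAIN = "env-check.daemontools.cc"
STAGE2_FILES = {"envchk.exe", "cdg.exe"}
AFFECTED_VERSIONS = ((12, 5, 0, 2421), (12, 5, 0, 2434))  # inclusive range

def version_affected(version: str) -> bool:
    """True if a DAEMON Tools version string falls in the tampered range."""
    parts = tuple(int(p) for p in version.split("."))
    return AFFECTED_VERSIONS[0] <= parts <= AFFECTED_VERSIONS[1]

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_line(line: str) -> Dict[str, str]:
    """Parse the simplified key="value" format assumed here (not a real Sysmon layout)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def classify(event: Dict[str, str]) -> List[str]:
    """Return the detections that a single parsed event triggers."""
    hits = []
    kind = event.get("event")
    if kind == "ProcessCreate":
        parent, image = _basename(event.get("parent", "")), _basename(event.get("image", ""))
        if parent in AFFECTED_BINARIES and image == "cmd.exe":
            hits.append(f"{parent} spawned cmd.exe (fetched command is run this way)")
        if image in STAGE2_FILES:
            hits.append(f"second-stage component executed: {image}")
    elif kind == "DnsQuery" and event.get("query", "").lower() == C2_DOMAIN:
        hits.append(f"{_basename(event.get('image', ''))} resolved {C2_DOMAIN}")
    return hits

def scan(lines) -> List[Tuple[int, str]]:
    """Run classify() over every line; returns (line number, detection) pairs."""
    return [(n, h) for n, line in enumerate(lines, 1) for h in classify(parse_line(line))]

# Constructed sample log; timestamps and paths are invented for illustration.
SAMPLE_LOG = [
    'ts="2026-04-20T08:01:05" event="ProcessCreate" image="C:\\Program Files\\DAEMON Tools\\DTHelper.exe" parent="C:\\Windows\\explorer.exe"',
    'ts="2026-04-20T08:01:09" event="DnsQuery" image="C:\\Program Files\\DAEMON Tools\\DTHelper.exe" query="env-check.daemontools.cc"',
    'ts="2026-04-20T08:01:10" event="ProcessCreate" image="C:\\Windows\\System32\\cmd.exe" parent="C:\\Program Files\\DAEMON Tools\\DTHelper.exe"',
    'ts="2026-04-20T08:01:15" event="ProcessCreate" image="C:\\Users\\Public\\envchk.exe" parent="C:\\Windows\\System32\\cmd.exe"',
    'ts="2026-04-20T08:01:30" event="ProcessCreate" image="C:\\Windows\\System32\\cmd.exe" parent="C:\\Windows\\explorer.exe"',
]
if __name__ == "__main__":
    for n, hit in scan(SAMPLE_LOG):
        print(f"line {n}: {hit}")
```

The last sample line (cmd.exe started by explorer.exe) is ordinary activity and produces no detection; only the parent-child pairing with the affected binary, the C2 lookup and the second-stage file names fire.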
WHY IT MATTERS
The attack shows how signed software from a trusted vendor can bypass normal defenses and stay hidden for weeks. Organizations with DAEMON Tools installed may need to isolate affected systems and run checks for related activity to limit further spread inside their networks.