Kaspersky has uncovered a sophisticated supply chain attack targeting DAEMON Tools, the widely used disk imaging software. Starting on April 8, 2026, installers distributed directly from the official website were trojanized with a malicious payload, and the trojanized files were signed with valid digital certificates belonging to the developers, so signature checks alone do not flag them.
The attack remains active at the time of writing, affecting versions 12.5.0.2421 through 12.5.0.2434.
Attackers infected three core binaries within the software installation: DTHelper.exe, DiscSoft BusServiceLite.exe, and DTShellHlp.exe. Because these binaries run at machine startup, the backdoor is activated as soon as the machine boots, running in a dedicated thread.
The backdoor communicates with a typosquatted domain, env-check.daemontools[.]cc, which was registered just one week before the attack began. As the Kaspersky report notes, “Whenever one of these binaries is launched… a backdoor gets activated. This backdoor is implanted in the startup code responsible for initializing the CRT environment.”
The malicious server can return shell commands to execute PowerShell scripts, which then download and launch additional executable payloads.
While the initial infection has reached thousands of users across more than 100 countries, the attackers are being highly selective about their final targets.
The first stage involves an Information Collector, a .NET executable that profiles the infected machine. It harvests the MAC address, hostname, process list, and a list of installed software. Curiously, the code contains strings in Chinese, suggesting a Chinese-speaking threat actor.
After profiling, the attackers deployed a second, minimalistic backdoor to only about a dozen machines. These high-value targets belong to government, scientific, and manufacturing organizations in Russia, Belarus, and Thailand.
This backdoor eventually serves as a delivery vehicle for the QUIC RAT, a C++ based implant that supports a staggering array of communication protocols, including HTTP/3 and DNS.
Kaspersky telemetry has observed thousands of infection attempts, with 10% of affected systems belonging to businesses and organizations. The primary concentrations of victims are in Russia, Brazil, Turkey, Spain, and Germany.
The targeted nature of the second-stage deployment, which narrowed thousands of victims down to just a dozen specific organizations, indicates a clear intent for either cyberespionage or “big game hunting”.
This incident is the latest in a rapid surge of supply chain attacks in 2026, following compromises of eScan, Notepad++, and CPU-Z. Kaspersky emphasizes that even widely used and trusted applications now represent a primary vector for compromise.
Organizations are urged to scrutinize any installations of DAEMON Tools made on or after April 8, 2026, and to move toward a strict “zero trust” strategy when evaluating third-party software.
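The following PowerShell triage script is an added example written for this article; it is not code from Kaspersky's report or from the DAEMON Tools vendor. It turns the indicators given above (the affected version range, the April 8, 2026 cutoff, the three binaries, and the env-check.daemontools[.]cc domain) into a read-only host check. It assumes default install locations, the standard Uninstall registry keys, and, optionally, Sysmon; the parent/child process pairing it looks for (a DAEMON Tools binary spawning cmd.exe or PowerShell) is inferred from the report's description rather than taken from a published detection rule.

```powershell
# Added hunting script for the DAEMON Tools compromise described above. Not code from
# Kaspersky's report or the DAEMON Tools vendor. Assumes default install locations, the
# standard Uninstall registry keys, and (optionally) Sysmon. Read-only; prints findings.
#Requires -RunAsAdministrator

$AffectedMin = [version]'12.5.0.2421'
$AffectedMax = [version]'12.5.0.2434'
$CutoffDate  = [datetime]'2026-04-08'
$C2Domain    = 'env-check.daemontools.cc'          # defanged in the article as daemontools[.]cc
$Binaries    = 'DTHelper.exe', 'DiscSoft BusServiceLite.exe', 'DTShellHlp.exe'
$Findings    = [System.Collections.Generic.List[string]]::new()

# 1. Installed product: flag the affected version range and any install on/after the cutoff.
$UninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -like 'DAEMON Tools*' } |
  ForEach-Object {
    $ver = $null
    if ([version]::TryParse([string]$_.DisplayVersion, [ref]$ver) -and
        $ver -ge $AffectedMin -and $ver -le $AffectedMax) {
      $Findings.Add("AFFECTED VERSION: $($_.DisplayName) $ver")
    }
    # InstallDate is stored as yyyyMMdd text; compare it as a date, not as a string.
    $inst = $null
    if ([datetime]::TryParseExact([string]$_.InstallDate, 'yyyyMMdd',
          [cultureinfo]::InvariantCulture, [System.Globalization.DateTimeStyles]::None, [ref]$inst) -and
        $inst -ge $CutoffDate) {
      $Findings.Add("INSTALLED ON/AFTER CUTOFF: $($_.DisplayName) on $($inst.ToString('yyyy-MM-dd'))")
    }
  }

# 2. The three binaries on disk. The trojanized files carry the developer's valid signature,
#    so a 'Valid' Authenticode status does NOT clear them: file version and last-write time
#    are the useful fields, and any in-range hit should go to AV/EDR for a hash verdict.
$SearchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) | Where-Object { $_ }
foreach ($root in $SearchRoots) {
  Get-ChildItem -Path $root -Recurse -File -Include $Binaries -ErrorAction SilentlyContinue |
    ForEach-Object {
      $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
      $fver = $null
      [void][version]::TryParse(($_.VersionInfo.FileVersion -replace '[^0-9.].*$', ''), [ref]$fver)
      $inRange = [bool]$fver -and $fver -ge $AffectedMin -and $fver -le $AffectedMax
      $Findings.Add(("BINARY: {0} fileVersion={1} inRange={2} lastWrite={3:yyyy-MM-dd} sig={4} signer={5}" -f
                     $_.FullName, $fver, $inRange, $_.LastWriteTime, $sig.Status, $sig.SignerCertificate.Subject))
    }
}

# 3. Traces of the C2 domain in the local DNS client cache.
Get-DnsClientCache -ErrorAction SilentlyContinue |
  Where-Object { $_.Entry -like "*$C2Domain*" -or $_.Data -like "*$C2Domain*" } |
  ForEach-Object { $Findings.Add("DNS CACHE: $($_.Entry) -> $($_.Data)") }

# 4. Sysmon, if deployed: DNS queries (ID 22) for the domain, and process creation (ID 1)
#    where one of the three binaries spawns a shell or PowerShell. The parent/child pairing
#    is an assumption drawn from the report's description, not a published rule.
$childRx  = '(?m)^\s*Image:\s.*\\(cmd|powershell|pwsh)\.exe'
$parentRx = '(?m)^\s*ParentImage:\s.*\\(' + (($Binaries | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')'
try {
  Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 22 } -ErrorAction Stop |
    ForEach-Object {
      $m = $_.Message
      if ($_.Id -eq 22 -and $m -match [regex]::Escape($C2Domain)) {
        $Findings.Add("SYSMON DNS QUERY: $($_.TimeCreated) $(($m -split "`n" | Select-String 'Image:') -join ' ')")
      } elseif ($_.Id -eq 1 -and $m -match $parentRx -and $m -match $childRx) {
        $Findings.Add("SYSMON SHELL FROM DAEMON TOOLS BINARY: $($_.TimeCreated) " +
                      (($m -split "`n" | Select-String '^(Parent)?Image:|CommandLine:') -join ' '))
      }
    }
} catch {
  $Findings.Add("NOTE: Sysmon log not available or empty ($($_.Exception.Message))")
}

if ($Findings.Count -eq 0) { 'No DAEMON Tools install, listed binaries or C2 traces found on this host.' }
else                       { $Findings }
```

Run it elevated on each endpoint you want to triage (or push it through your endpoint management tool and collect the output). A host that shows an affected version, an install on or after the cutoff, or any DNS or Sysmon hit should be treated as compromised pending an EDR verdict; because the trojanized files are validly signed, the absence of a signature warning tells you nothing.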