DAEMON Tools Windows installers trojanized in month-long supply chain attack
Original source: DAEMON Tools Supply Chain Attack Compromises Official Installers with Malware (The Hacker News)
Kaspersky has flagged a supply chain compromise of DAEMON Tools’ Windows installers: builds signed with the vendor’s legitimate code-signing certificates and served from the official site since April 8, 2026. Versions 12.5.0.2421 through 12.5.0.2434 carry tampered DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe binaries that run at system startup, beacon to env-check.daemontools[.]cc, and pull shell commands that fetch a .NET reconnaissance tool plus a shellcode loader and an in-memory backdoor. The Mac build is unaffected, and developer AVB Disc Soft says it is investigating.
Telemetry shows several thousand infection attempts across more than 100 countries, but the second-stage backdoor reached only about a dozen hosts in retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand. One Russian educational target received QUIC RAT, a C++ implant supporting HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3 channels and capable of injecting into notepad.exe and conhost.exe. Artifacts point to a Chinese-speaking actor, though attribution remains open.
The roughly month-long dwell time before detection underscores how digitally signed binaries from trusted vendors slip past perimeter controls. A valid signature chaining to the vendor’s own certificate only proves that the vendor’s signing key signed the file, not that the build it signed was clean, so both signature verification and download from the official URL passed here; detection has to rest on the affected version range, file hashes from the vendor’s advisory, and behaviour such as startup persistence and beaconing to env-check.daemontools[.]cc. The incident also extends a 2026 pattern of installer-level compromises after eScan, Notepad++, and CPUID, reinforcing that endpoint trust assumptions tied to code signing and official download channels are no longer load-bearing on their own.
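The two indicator sets the summary gives (the affected version range and the beacon host) are enough for a first hunting pass across an estate. The following Python script is an added example, not code from Kaspersky, The Hacker News or AVB Disc Soft; it checks a software-inventory export for DAEMON Tools installs in the 12.5.0.2421 to 12.5.0.2434 range and scans DNS query logs for lookups of env-check.daemontools[.]cc, then joins the two so hosts that both run an affected build and contacted the beacon host come first. The inventory rows, the DNS log lines and their `timestamp client query qname` format are constructed for illustration and are not from the article.

```python
"""Hunt for the DAEMON Tools trojanized-installer indicators described above.

Added example. Indicators taken from the summary: affected versions
12.5.0.2421 through 12.5.0.2434 and the beacon host env-check.daemontools[.]cc.
The inventory rows, DNS log lines and the log line format are constructed.
"""
import re

# Inclusive version range named in the summary.
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)

# Kept defanged exactly as published; refanged only at comparison time.
C2_HOST_DEFANGED = "env-check.daemontools[.]cc"

# Constructed sample export: (host, product name, product version).
SAMPLE_INVENTORY = [
    ("ws-101", "DAEMON Tools Lite", "12.5.0.2421"),   # first affected build
    ("ws-102", "DAEMON Tools Lite", "12.5.0.2420"),   # one below the range
    ("ws-103", "DAEMON Tools Ultra", "12.5.0.2434"),  # last affected build
    ("ws-104", "DAEMON Tools Lite", "12.5.0.2435"),   # one above the range
    ("ws-105", "Notepad++", "8.7.1"),                 # unrelated product
]

# Constructed sample DNS log, one query per line: "<timestamp> <client> query <qname>".
SAMPLE_DNS_LOG = """\
2026-04-12T08:01:22Z ws-101 query env-check.daemontools.cc.
2026-04-12T08:01:25Z ws-103 query www.daemon-tools.cc.
2026-04-12T08:02:10Z ws-107 query ENV-CHECK.daemontools.cc
this line is malformed and must be skipped
"""

DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def refang(indicator: str) -> str:
    """Turn a published, defanged hostname back into a comparable one."""
    return indicator.replace("[.]", ".")


def parse_version(version: str) -> tuple:
    """'12.5.0.2421' -> (12, 5, 0, 2421); raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in version.split("."))


def version_affected(version: str) -> bool:
    """True when the version falls inside the inclusive affected range."""
    try:
        parsed = parse_version(version)
    except ValueError:
        return False  # unparseable version strings are reported elsewhere, not flagged here
    return AFFECTED_MIN <= parsed <= AFFECTED_MAX


def affected_hosts(inventory) -> list:
    """Hosts whose inventory shows a DAEMON Tools product in the affected range."""
    return sorted(
        host for host, product, version in inventory
        if product.lower().startswith("daemon tools") and version_affected(version)
    )


def c2_lookups(dns_log: str) -> list:
    """(timestamp, client) pairs for every query of the beacon host or a subdomain of it."""
    c2 = refang(C2_HOST_DEFANGED).lower()
    hits = []
    for raw in dns_log.splitlines():
        match = DNS_LINE.match(raw.strip())
        if not match:
            continue  # tolerate malformed lines rather than abort the hunt
        qname = match["qname"].rstrip(".").lower()  # normalise trailing dot and case
        if qname == c2 or qname.endswith("." + c2):
            hits.append((match["ts"], match["client"]))
    return hits


def triage(inventory, dns_log: str) -> dict:
    """Join the two indicator sets; 'both' is the list to page on first."""
    by_version = affected_hosts(inventory)
    by_dns = sorted({client for _, client in c2_lookups(dns_log)})
    return {
        "affected_version": by_version,
        "c2_contact": by_dns,
        "both": sorted(set(by_version) & set(by_dns)),
    }


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY, SAMPLE_DNS_LOG).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

A host that appears only under `c2_contact` (ws-107 in the constructed data) is not cleared by the inventory result: the install may simply be missing from the export, so it still warrants a look. Signature validity is deliberately not an input here, because the affected builds carried valid vendor signatures.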
This is an AI-generated summary. Read the original at The Hacker News for the full story.