According to Kaspersky, a newly identified supply chain attack has compromised DAEMON Tools installers with a malicious payload. The trojanised installers were distributed from the official DAEMON Tools website and signed with digital certificates belonging to the DAEMON Tools developers, so neither the download source nor a signature check would have flagged them. The installers have been trojanised since 8 April 2026, the affected versions range from 12.5.0.2421 to 12.5.0.2434, and the attack remained active at the time of writing; the vendor, AVB Disc Soft, has been notified of the breach.
Three components were tampered with: DTHelper[.]exe, DiscSoftBusServiceLite[.]exe and DTShellHlp[.]exe. Each carries an implant that runs at system startup and sends an HTTP GET request to env-check.daemontools[.]cc to fetch a shell command. That command downloads and runs further payloads, such as envchk[.]exe and cdg[.]exe/cdg[.]tmp, among them a backdoor that contacts a remote server to download files and execute commands; QUIC RAT was identified as one of the delivered payloads.
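A simple hunt over the indicators above, as an added example that is not part of Kaspersky's report or the DAEMON Tools code base. The C2 domain, the file names and the affected version range are those named in the report; the proxy-log and process-creation log formats, the sample log lines and all function names are constructed for this example and are not a real product's schema:

```python
"""Hunt for the DAEMON Tools supply-chain indicators reported by Kaspersky.

Only the domain, the file names and the version range come from the report; the
log formats and the sample log lines below are constructed for this example.
"""
import re

# Indicators from the report, kept defanged in source and refanged when matched.
C2_DOMAIN_DEFANGED = "env-check.daemontools[.]cc"
TROJANISED_BINARIES = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
STAGE2_PAYLOADS = {"envchk.exe", "cdg.exe", "cdg.tmp"}
AFFECTED_MIN = (12, 5, 0, 2421)   # first trojanised build
AFFECTED_MAX = (12, 5, 0, 2434)   # last trojanised build at time of writing


def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.5.0.2421' into (12, 5, 0, 2421); reject anything else."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected a four-part version, got {text!r}")
    return parts


def version_is_affected(text: str) -> bool:
    """True when an installed DAEMON Tools version falls in the trojanised range."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]


# Hypothetical proxy log: "<ts> <src_ip> <method> <host[:port]> <path> <status>"
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def proxy_hits(lines):
    """Return (ts, src, method, path) for every request to the implant's C2 host."""
    c2 = refang(C2_DOMAIN_DEFANGED)
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the hunt
        host = m["host"].split(":", 1)[0].lower()  # drop port, compare case-insensitively
        if host == c2:
            hits.append((m["ts"], m["src"], m["method"], m["path"]))
    return hits


# Hypothetical process-creation log: '<ts> <host> parent="<image>" child="<image>"'
PROC_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) parent="(?P<parent>[^"]+)" child="(?P<child>[^"]+)"$')


def process_hits(lines):
    """Return (ts, host, parent, child) for every launch of a named stage-2 payload."""
    hits = []
    for line in lines:
        m = PROC_RE.match(line)
        if not m:
            continue
        parent, child = basename(m["parent"]), basename(m["child"])
        if child.lower() in STAGE2_PAYLOADS:
            hits.append((m["ts"], m["host"], parent, child))
    return hits


# Constructed sample logs: two hosts, one benign request, one unparsable line.
SAMPLE_PROXY_LOG = """\
2026-04-10T08:01:12Z 10.0.0.15 GET env-check.daemontools.cc / 200
2026-04-10T08:01:13Z 10.0.0.15 GET update.example.com /check 200
2026-04-10T08:02:40Z 10.0.0.22 GET ENV-CHECK.daemontools.cc:443 /?id=1 200
2026-04-10T08:03:00Z 10.0.0.30 POST env-check.daemontools.cc /upload 200
garbage line that does not parse
""".splitlines()

SAMPLE_PROC_LOG = r'''
2026-04-10T08:01:15Z WS-15 parent="C:\Program Files\DAEMON Tools Lite\DTHelper.exe" child="C:\Users\Public\envchk.exe"
2026-04-10T08:01:16Z WS-15 parent="C:\Program Files\DAEMON Tools Lite\DTHelper.exe" child="C:\Windows\System32\cmd.exe"
2026-04-10T08:05:00Z WS-22 parent="C:\Windows\explorer.exe" child="C:\Program Files\DAEMON Tools Lite\DTShellHlp.exe"
2026-04-10T08:05:30Z WS-22 parent="C:\Windows\System32\cmd.exe" child="C:\Users\Public\cdg.tmp"
'''.strip().splitlines()

if __name__ == "__main__":
    for hit in proxy_hits(SAMPLE_PROXY_LOG):
        print("C2 contact:", hit)
    for hit in process_hits(SAMPLE_PROC_LOG):
        print("payload launch:", hit)
    for v in ("12.5.0.2420", "12.5.0.2421", "12.5.0.2434", "12.5.0.2435"):
        print(v, "affected" if version_is_affected(v) else "outside affected range")
```

The version check is the only signal that distinguishes a trojanised DTHelper.exe or DTShellHlp.exe from the legitimate binary of the same name, so a host whose DAEMON Tools build is in range should be treated as compromised even if no C2 contact or payload launch appears in the logs; the reverse is not true, since the report notes the next-stage backdoor reached only a small subset of infected hosts.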
The attack has produced several thousand infection attempts across more than 100 countries, affecting users including those in Russia, Belarus, and Thailand, while the next-stage backdoor was delivered to only a dozen hosts, suggesting a targeted approach. The activity has not been attributed to a specific threat actor, though evidence points to a Chinese-speaking adversary based on observed artifacts.