
Widely used Daemon Tools disk app backdoored in monthlong supply-chain attack

Incident status: open. May 5, 2026 — May 5, 2026
Popular DAEMON Tools software compromised

According to Kaspersky, the widely used Daemon Tools disk imaging utility was backdoored in a month-long supply-chain compromise that began on 8 April 2026 and remained active at the time of reporting (Kaspersky official blog). Attackers tampered with official installers signed by the developer's certificate, distributing malicious builds from the legitimate Daemon Tools website.

The trojanised installers affect versions 12.5.0.2421 through 12.5.0.2434 of the Windows software (Ars Technica). Three components, DTHelper.exe, DiscSoftBusServiceLite.exe and DTShellHlp.exe, were altered to execute at startup and contact env-check.daemontools.cc via an HTTP GET request to receive further commands.

Once contacted, the server sends instructions that download and run secondary payloads such as envchk.exe and cdg.exe, which collect MAC addresses, hostnames, DNS domain names, running processes, installed software and system locales before exfiltrating the data (The Hacker News). About a dozen follow-on payloads were observed on infected machines spanning government, scientific, manufacturing and retail organisations.

The attack used a valid code-signing certificate, allowing the malicious files to bypass Windows SmartScreen and other trust mechanisms; no CVE has been assigned and the threat actors behind the campaign have not been identified (Kaspersky). The compromise persisted for over a week after discovery, highlighting the risk of supply-chain abuse even for long-standing utilities.

Defenders should immediately verify the cryptographic hash of any Daemon Tools installer against clean builds released prior to 8 April 2026 and remove any instances of the affected version range from endpoints (Kaspersky). Blocking outbound HTTP traffic to env-check.daemontools.cc at the firewall or proxy will prevent the malware from retrieving additional commands.
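The version-range and hash checks above, as an added triage helper that is not part of the Kaspersky report or the vendor's tooling. The affected range 12.5.0.2421 to 12.5.0.2434 and the 8 April 2026 cut-off come from the report; the known-good hash table is a labelled placeholder, because no clean-build digests are published here and they must be taken from installers you archived yourself.

```python
"""Triage helper for the Daemon Tools supply-chain compromise.

Two checks: (1) does a build's version string fall inside the trojanised
range 12.5.0.2421 - 12.5.0.2434 (inclusive), and (2) does an installer's
SHA-256 match a known-good digest from a clean build released before
8 April 2026. Added example; not code from the report or the vendor.
"""
import hashlib

# Affected version range as stated in the report (inclusive bounds).
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)

# PLACEHOLDER: SHA-256 hex digests of clean installers archived before
# 8 April 2026, keyed by version string. The report publishes no hashes,
# so the value below is a dummy and must be replaced with your own.
KNOWN_GOOD_SHA256 = {
    "12.5.0.2420": "0" * 64,  # placeholder digest, not a real value
}


def parse_version(text: str) -> tuple:
    """Turn '12.5.0.2421' into (12, 5, 0, 2421); reject anything else."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return parts


def is_affected_version(text: str) -> bool:
    """True when the version lies inside the trojanised range."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory blob (used for small test inputs)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size: int = 1 << 20) -> str:
    """Stream the file in 1 MiB chunks so large installers need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_installer(version: str, digest: str, known_good=None) -> str:
    """Classify one installer as one of:
    'affected-version', 'hash-verified', 'hash-mismatch', 'unknown-version'.

    The version check runs first: any build in the affected range is treated
    as compromised regardless of its hash or signature, because the attackers
    shipped builds signed with the vendor's own certificate.
    """
    table = KNOWN_GOOD_SHA256 if known_good is None else known_good
    if is_affected_version(version):
        return "affected-version"
    expected = table.get(version)
    if expected is None:
        return "unknown-version"
    return "hash-verified" if digest.lower() == expected.lower() else "hash-mismatch"


if __name__ == "__main__":
    import sys
    # Usage: python triage.py <version> <installer path>
    ver, path = sys.argv[1], sys.argv[2]
    print(classify_installer(ver, sha256_file(path)))
```

An installer that comes back as `unknown-version` is not cleared: it simply has no archived clean digest to compare against, and should be held until one is obtained.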

Additionally, enable process-creation logging for DTHelper.exe, DiscSoftBusServiceLite.exe and DTShellHlp.exe and alert on any execution of envchk.exe or cdg.exe; applying application-control policies to allow only known good binaries signed by the Daemon Tools vendor will reduce the chance of re-infection (Ars Technica). Staying vigilant for anomalous network connections from these utilities remains essential until a clean update is officially released.
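The detection guidance in the two paragraphs above, as an added example that is not part of the Kaspersky or Ars Technica reporting: three rules run over constructed Sysmon-style JSON-lines telemetry (process creation, network connection and DNS query events). The component names, payload names and the env-check.daemontools.cc host come from the report; the event layout, the sample events and the known-good component hash allowlist are assumptions labelled in the code, and the allowlist is a placeholder standing in for the application-control policy.

```python
"""Detection rules for the Daemon Tools backdoor indicators.

  R1  process creation of a second-stage payload (envchk.exe, cdg.exe)
  R2  network connection or DNS query for env-check.daemontools.cc
      (critical when the source is one of the altered components)
  R3  an altered component whose SHA-256 is not on the known-good allowlist
      (approximates 'allow only known-good vendor binaries')

Added example, not the report's or vendor's code. Event fields follow the
Sysmon naming convention (EventID 1/3/22, Image, Hashes, ...) as an assumption.
"""
import json

ALTERED_COMPONENTS = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
SECOND_STAGE = {"envchk.exe", "cdg.exe"}
C2_HOST = "env-check.daemontools.cc"

# PLACEHOLDER allowlist: SHA-256 digests of the vendor's clean component
# binaries. The report gives none, so this constructed value must be replaced.
KNOWN_GOOD_COMPONENT_SHA256 = {"a" * 64}

# Constructed sample telemetry for the example (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2026-04-20 08:00:01", "Image": r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe", "Hashes": "SHA256=" + "a" * 64},
    {"EventID": 3, "UtcTime": "2026-04-20 08:00:03", "Image": r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe", "DestinationHostname": C2_HOST, "DestinationPort": 80},
    {"EventID": 1, "UtcTime": "2026-04-20 08:00:09", "Image": r"C:\Users\Public\envchk.exe", "Hashes": "SHA256=" + "c" * 64},
    {"EventID": 1, "UtcTime": "2026-04-20 08:01:00", "Image": r"C:\Windows\explorer.exe", "Hashes": "SHA256=" + "d" * 64},
    {"EventID": 22, "UtcTime": "2026-04-20 08:02:00", "Image": r"C:\Program Files\DAEMON Tools Lite\DTShellHlp.exe", "QueryName": C2_HOST},
    {"EventID": 1, "UtcTime": "2026-04-20 08:03:00", "Image": r"C:\Temp\DiscSoftBusServiceLite.exe", "Hashes": "SHA256=" + "b" * 64},
    {"EventID": 3, "UtcTime": "2026-04-20 08:04:00", "Image": r"C:\Program Files\Browser\browser.exe", "DestinationHostname": C2_HOST, "DestinationPort": 80},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def basename_lower(image: str) -> str:
    """Sysmon records full Windows paths; match on the lower-cased file name only."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def sha256_from_hashes(field: str) -> str:
    """Sysmon's Hashes field looks like 'SHA256=...,MD5=...'; extract the SHA-256."""
    for part in field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def parse_events(log_text: str):
    """Yield one dict per non-empty JSON line."""
    for line in log_text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def evaluate(event: dict) -> list:
    """Apply R1-R3 to a single event and return the alerts it raises."""
    hits = []
    name = basename_lower(event.get("Image", ""))
    eid = event.get("EventID")
    if eid == 1 and name in SECOND_STAGE:
        hits.append(("R1-second-stage-payload", "critical"))
    if eid in (3, 22):
        dest = (event.get("DestinationHostname") or event.get("QueryName") or "").lower()
        if dest == C2_HOST:
            hits.append(("R2-c2-contact", "critical" if name in ALTERED_COMPONENTS else "high"))
    if eid == 1 and name in ALTERED_COMPONENTS:
        if sha256_from_hashes(event.get("Hashes", "")) not in KNOWN_GOOD_COMPONENT_SHA256:
            hits.append(("R3-component-not-allowlisted", "high"))
    return [{"rule": r, "severity": s, "image": name, "time": event.get("UtcTime")} for r, s in hits]


def scan(log_text: str) -> list:
    """Run every rule over every event and return the flattened alert list."""
    return [alert for ev in parse_events(log_text) for alert in evaluate(ev)]


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a['time']}  {a['severity']:8}  {a['rule']:30}  {a['image']}")
```

R2 fires on the host name alone, so any process reaching the command server is surfaced; the severity only rises to critical when the source is one of the three altered components, which is the pattern the report describes.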

Root source: securelist.com