DAEMON Tools Supply Chain Attack Delivers Targeted Malware via Signed Official Installers

By xploitzone
May 6, 2026 2:30 AM

A DAEMON Tools supply chain attack, active since April 8, 2026, compromised officially signed installers to silently deliver targeted malware, including QUIC RAT, to organizations across 100+ countries. In this article we cover the whole story.

Imagine for a second that you visit the official website of a popular piece of software and download the installer, and it even has a valid digital signature. You click Next, Next, Finish and think everything is fine. But at that moment a silent door to remote control has opened on your system. This is what happened in April 2026, when the official installers of DAEMON Tools, a software product trusted by millions of people around the world, were secretly compromised, and nobody knew for a whole month.

This is not a small matter. A software supply chain attack is one of the most dangerous and hardest-to-defend attack vectors of today's digital age. You can scan the file on VirusTotal, the certificate can be valid and the source can be official, and you can still get infected. The DAEMON Tools case has proven this to be true once again.

DAEMON Tools Supply Chain Attack

A silent but highly calculated operation began on 8 April 2026. Kaspersky senior researchers Igor Kuznetsov, Georgy Kucherin, Leonid Bezvershenko and Anton Kargin noticed something unusual in their threat intelligence telemetry. Malicious code had been planted in the installers of versions 12.5.0.2421 to 12.5.0.2434, distributed from the official DAEMON Tools servers. And these installers were signed with the valid digital certificates of the DAEMON Tools developers.

In simple terms: the software itself was the original, the certificate was real and the website was genuine; only the content inside had been tampered with. Specifically, three critical components were altered.

DTHelper.exe, DiscSoftBusServiceLite.exe and DTShellHlp.exe are three files that run automatically at system startup. Whenever the system boots, a hidden implant is activated and sends HTTP GET requests to an external server, env-check.daemontools[.]cc. This domain was registered on 27 March 2026, meaning the attack was planned well in advance.

From that server the implant received shell commands, which it executed via cmd.exe, and then initiated next-stage payload delivery. The chain included three key malicious executables.

The first was envchk.exe, a .NET-based tool that collected detailed information about the infected system. Operating system version, hardware specifications, network configuration, installed programs and so on were all passed to the attacker.

The second was cdg.exe, a shellcode loader that decrypted an encrypted secondary file, cdg.tmp, and launched it in memory. This was a minimalist but powerful backdoor that silently connected to a remote server, downloaded files, executed shell commands and ran in-memory shellcode without leaving a trace on disk.

Third, QUIC RAT was deployed on selected targets. It is a Remote Access Trojan written in C++ that supports a wide range of protocols, including HTTP, UDP, TCP, WSS, QUIC, DNS and HTTP/3. Its most notable feature was that it injected its malicious payloads into notepad.exe and conhost.exe, completely legitimate Windows processes, thereby evading traditional endpoint detection solutions.

Kaspersky's telemetry showed some thousand infection attempts globally, in more than 100 countries, including Russia, Brazil, Turkey, Spain, Germany, France, Italy and China. But here is an important point: the next-stage backdoor reached only 12 hosts.

This was not random spreading; it was a deliberate and targeted selection. The organizations specifically targeted were in the retail, scientific research, government and manufacturing sectors in Russia, Belarus and Thailand. QUIC RAT was distributed to only one educational institution, in Russia. This pattern reveals a sophisticated "select and strike", not "spray and pray", approach. The attacker established footholds throughout the world but activated only the targets it really wanted.

The Attack That Will Change Everything

The biggest and most troubling aspect of this attack is not the malware itself but the exploitation of trust. In today's security landscape we treat digital signatures as a guarantee. Antivirus software places greater trust in signed files. IT teams whitelist signed installers. This is the gap the attacker expertly exploited.

Georgy Kucherin, senior researcher at Kaspersky GReAT, made an important point: this attack remained undetected for a month, and that alone proves its sophistication. It is hard to imagine how many systems could be infected, how much data could be exfiltrated and how many organizations could be compromised in a month.

Now let's look at it in a wider context. This attack is not an isolated one. In the first half of 2026 alone we have seen: January 2026, eScan antivirus update servers compromised; February 2026, the Notepad++ update mechanism hijacked; April 2026, CPUID software distributing STX RAT; and now May 2026, DAEMON Tools. This pattern clearly indicates that the software supply chain has become a preferred attack surface for advanced threat actors.

There is no confirmed threat group name yet, but Kaspersky researchers have analyzed the artifacts and strongly indicate that this is the work of a Chinese-speaking adversary. The TTPs, payload design and target selection all point towards a nation-state level operation, whether its goal is cyberespionage or big game hunting, i.e. ransomware or data theft against high-value targets.

AVB Disc Soft, the developer of DAEMON Tools, has been notified by Kaspersky. However, until patches and clean installers are officially released, the compromise remains active. If you are an IT administrator or security analyst, or have DAEMON Tools installed on your network, Kaspersky's recommendation is clear: find and isolate infected machines.

Any system running versions 12.5.0.2421 to 12.5.0.2434 should be considered compromised. Hunt for env-check.daemontools[.]cc in network traffic. Perform memory forensics, looking especially for unusual injections into notepad.exe and conhost.exe. And tune your EDR/XDR tools for in-memory shellcode execution.
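The two hunting steps above that are easy to automate, the version check and the network-traffic sweep, as a small added triage script. This is example code written for this article, not Kaspersky's tooling or anything from AVB Disc Soft; the affected version range and the C2 hostname are taken from the text, while the proxy-log format and the sample log lines are constructed for the example.

```python
"""Triage helpers for the DAEMON Tools compromise described above.

Added example, not from the article or from Kaspersky / AVB Disc Soft.
  1. is_affected_version(): is an installed DAEMON Tools build inside the
     compromised range 12.5.0.2421 .. 12.5.0.2434 named in the article?
  2. find_c2_contacts(): which hosts in a proxy log reached the C2 host
     env-check.daemontools[.]cc named in the article?
The log format and SAMPLE_LOG below are constructed for this example.
"""
import re
from typing import List, Tuple

AFFECTED_LOW = (12, 5, 0, 2421)
AFFECTED_HIGH = (12, 5, 0, 2434)

# IoC from the article, kept defanged in source; refang it for matching.
C2_HOST_DEFANGED = "env-check.daemontools[.]cc"
C2_HOST = C2_HOST_DEFANGED.replace("[.]", ".")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '12.5.0.2421' into (12, 5, 0, 2421), padding to four parts."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected_version(text: str) -> bool:
    """True if the version lies inside the compromised range (inclusive)."""
    # Tuples compare component-wise, so the build number is compared as an
    # integer; a plain string comparison would mis-order 2434 and 10000.
    return AFFECTED_LOW <= parse_version(text) <= AFFECTED_HIGH


# Constructed log format: "<timestamp> <src_ip> <method> <host> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def find_c2_contacts(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, source_ip) for every request to the C2 host."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, src, _method, host, _path, _status = m.groups()
        # Normalise case and drop an explicit ":port" before comparing,
        # so "ENV-CHECK.DAEMONTOOLS.CC:443" still matches.
        if host.lower().split(":")[0] == C2_HOST:
            hits.append((ts, src))
    return hits


SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2026-04-09T08:12:01Z 10.1.4.22 GET env-check.daemontools.cc / 200",
    "2026-04-09T08:12:05Z 10.1.4.22 GET www.daemon-tools.cc /downloads 200",
    "2026-04-09T09:00:10Z 10.1.7.9 GET ENV-CHECK.DAEMONTOOLS.CC:443 /c 200",
    "malformed line",
]

if __name__ == "__main__":
    for v in ("12.5.0.2420", "12.5.0.2421", "12.5.0.2434", "12.5.0.2435"):
        print(v, "AFFECTED" if is_affected_version(v) else "ok")
    for ts, src in find_c2_contacts(SAMPLE_LOG):
        print(f"{ts} {src} contacted {C2_HOST_DEFANGED}")
```

Point `find_c2_contacts` at your own proxy or DNS export after adapting `LOG_RE` to its layout; a hit only tells you that a host beaconed, so the machine still needs to be isolated and checked in memory for the injection into notepad.exe and conhost.exe described above.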

This incident proves once again that downloading from an official source is no longer enough. Supply chain security, software composition analysis (SCA), behavior-based detection and a zero-trust architecture are no longer luxuries but necessities.

The most dangerous thing in cybersecurity isn't what you don't know; it is what you think you understand. Trusting DAEMON Tools was perfectly logical. The certificate was real. The website was genuine. But everything inside had been changed. This is the real pain of supply chain attacks. Until we replace implicit trust with "verify everything" in our security models, these attacks will continue to happen, and we will be shocked again a month later.

xploitzone

Exploring the world of cybersecurity through in-depth analysis of vulnerabilities, data breaches and emerging threats. Delivering real insights, technical breakdowns and bug bounty discoveries for security enthusiasts and researchers.