
Introduction
A major supply chain security incident has emerged involving the widely used disk image mounting software DAEMON Tools. Security researchers have confirmed that official installers distributed from the vendor’s website were compromised and used to deliver multi-stage malware. The attack, first observed in April 2026, demonstrates how trusted software can be silently turned into a powerful infection vector. By leveraging legitimate digital signatures and stealthy payload execution, attackers managed to target thousands of systems across more than 100 countries, with a smaller subset of victims receiving highly specialized espionage tools.
Summary of the Original Incident
In early May 2026, researchers at Kaspersky discovered that multiple DAEMON Tools installer versions, specifically from 12.5.0.2421 to 12.5.0.2434, had been altered with malicious components. These installers were distributed through the official website beginning April 8, 2026, making the attack particularly dangerous due to its legitimacy.
The malicious installers were signed using valid digital certificates issued by AVB Disc Soft, the legitimate developer of DAEMON Tools. This allowed the infected software to bypass many security checks and appear trustworthy to both users and endpoint protection systems.
Security analysis revealed that three core executables inside the installation directory were modified: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These components were injected with backdoor functionality that activates during system startup.
Once executed, the malware initiates communication with a command-and-control domain, env-check.daemontools[.]cc, which closely mimics the legitimate DAEMON Tools domain but was registered shortly before the attack began. The infrastructure was designed to blend into normal traffic patterns while enabling remote control of infected systems.
Further investigation by Securelist uncovered the use of PowerShell commands to download and execute additional payloads. The attack followed a structured three-stage infection chain.
The first stage involved an information-gathering tool named envchk.exe, which collected system data such as MAC addresses, hostnames, DNS configuration, running processes, and installed applications. This data was then sent to a remote server controlled by attackers.
The second stage introduced a lightweight backdoor known as cdg.exe. This component allowed remote command execution, file downloading, and in-memory payload deployment. It also maintained persistent communication with attacker infrastructure through periodic heartbeat signals.
The third and most advanced stage included a QUIC-based remote access trojan (RAT) written in C++. This implant was heavily obfuscated and capable of using multiple communication protocols, including HTTP, TCP, UDP, DNS, and QUIC. It was also able to inject malicious code into legitimate Windows processes such as notepad.exe and conhost.exe.
The majority of infections were detected across countries including Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. While most victims were individual users, targeted attacks focused on organizations in Russia, Belarus, and Thailand, indicating a strategic espionage campaign rather than random distribution.
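The indicators in the summary above (the affected version range, the command-and-control host, and the fixed-interval heartbeat of the stage-2 backdoor) can be turned directly into triage checks. The script below is an added example written for this page; it is not code from the article, from Kaspersky, or from AVB Disc Soft. It uses only indicators the article states, and the DNS log lines and timestamps it runs on are constructed for the demonstration. Treating every host under the registered domain daemontools.cc as suspicious is an assumption that follows from the article's statement that the domain was registered shortly before the campaign.

```python
"""Triage helpers for the DAEMON Tools installer compromise.

Added example, not code from the article, Kaspersky or AVB Disc Soft.
Indicators used: affected installer versions 12.5.0.2421-12.5.0.2434,
C2 host env-check.daemontools[.]cc, and the stage-2 backdoor's
periodic heartbeat. Sample log data below is constructed.
"""
import re
import statistics
from datetime import datetime

# Affected installer versions, inclusive (from the article).
AFFECTED_MIN = (12, 5, 0, 2421)
AFFECTED_MAX = (12, 5, 0, 2434)

# C2 host from the article (written there defanged as env-check.daemontools[.]cc).
C2_HOST = "env-check.daemontools.cc"
# Assumption: the article says the domain was newly registered for the campaign,
# so any host under the same registered domain is treated as suspicious.
C2_DOMAIN = "daemontools.cc"


def parse_version(text: str) -> tuple:
    """Turn '12.5.0.2421' into (12, 5, 0, 2421); reject anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text):
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected_version(text: str) -> bool:
    """True when an installed DAEMON Tools version lies in the compromised range."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def refang(host: str) -> str:
    """Undo the '[.]' defanging used in reports so hostnames compare correctly."""
    return host.replace("[.]", ".").lower().rstrip(".")


def is_c2_host(host: str) -> bool:
    """Exact C2 host, the registered domain itself, or any subdomain of it."""
    h = refang(host)
    return h == C2_HOST or h == C2_DOMAIN or h.endswith("." + C2_DOMAIN)


# Constructed DNS-log format: "<ISO timestamp> <client IP> <queried name>".
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def find_c2_queries(lines):
    """Return (timestamp, client, host) for each line that resolves C2 infrastructure."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the triage run
        ts, client, name = m.groups()
        if is_c2_host(name):
            hits.append((ts, client, refang(name)))
    return hits


def beacon_score(timestamps):
    """Coefficient of variation of the gaps between contacts.

    A value near 0 means the contacts are evenly spaced, as a fixed-interval
    heartbeat would be. Returns None when there are too few contacts to judge.
    """
    times = sorted(datetime.fromisoformat(t) for t in timestamps)
    if len(times) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return None  # all contacts share one timestamp; no interval to measure
    return statistics.pstdev(gaps) / mean


def triage(lines):
    """Per client: number of C2 contacts and how regular they are."""
    per_client = {}
    for ts, client, _host in find_c2_queries(lines):
        per_client.setdefault(client, []).append(ts)
    return {
        client: {"contacts": len(stamps), "beacon_score": beacon_score(stamps)}
        for client, stamps in per_client.items()
    }


# Constructed sample: one host beaconing every ~5 minutes, two benign lookups, one bad line.
SAMPLE_DNS_LOG = [
    "2026-04-09T10:00:00 10.0.0.5 update.example.org",
    "2026-04-09T10:00:00 10.0.0.7 env-check.daemontools.cc",
    "2026-04-09T10:05:00 10.0.0.7 env-check.daemontools.cc",
    "2026-04-09T10:10:01 10.0.0.7 env-check.daemontools.cc",
    "2026-04-09T10:15:00 10.0.0.7 env-check.daemontools.cc",
    "garbage line",
    "2026-04-09T10:20:00 10.0.0.9 www.example.com",
]

if __name__ == "__main__":
    for v in ("12.5.0.2420", "12.5.0.2421", "12.5.0.2434", "12.5.0.2435"):
        print(v, "affected" if is_affected_version(v) else "clean")
    for client, info in triage(SAMPLE_DNS_LOG).items():
        print(client, info)
```

Because the article reports that the installers carried valid AVB Disc Soft signatures, an Authenticode check alone will not separate a trojanized installer from a clean one; the version range and the network indicators are the checks that actually discriminate here. The article gives no file hashes for the three modified executables, so none are included.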
What Undercode Says:
This incident highlights one of the most dangerous realities in modern cybersecurity: trust in software supply chains can be weaponized. DAEMON Tools is not a niche application; it is widely used for mounting disk images, meaning its installer has a broad and global user base. That makes it an ideal target for attackers seeking mass infiltration with minimal resistance.
The most alarming aspect of this campaign is the use of legitimate digital certificates. Signed malware significantly reduces detection rates because many security systems prioritize certificate validation as a trust indicator. In this case, attackers effectively turned authenticity into a disguise.
The attack structure also shows a high level of operational maturity. Instead of deploying a single payload, the attackers used a three-layer system. The first stage focuses on reconnaissance, the second establishes control, and the third provides advanced persistence and stealth. This modular approach allows selective targeting, which explains why only a small number of systems received the full QUIC RAT deployment.
The presence of Chinese-language strings inside envchk.exe suggests a possible attribution, but this alone is not definitive. Threat actors often include misleading artifacts to complicate analysis. Taken together with the infrastructure patterns and targeting behavior, however, the evidence points to a coordinated and likely state-aligned or state-tolerated operation.
Another important observation is the geographic distribution of victims. While infections are global, the high-value payloads were selectively deployed to systems in specific countries and sectors. This strongly suggests intelligence gathering objectives rather than financial cybercrime.
The use of PowerShell for payload delivery reinforces a growing trend: attackers are increasingly relying on native system tools to avoid detection. This “living off the land” technique makes traditional antivirus signatures less effective.
The QUIC RAT capability is particularly concerning. Support for modern protocols like HTTP/3 and QUIC indicates that attackers are preparing for environments where legacy detection systems are already becoming obsolete. Combined with process injection techniques, this allows deep system compromise with minimal visibility.
Overall, this attack reflects a shift toward hybrid espionage operations that blend supply chain compromise, legitimate tooling abuse, and multi-stage payload delivery. It demonstrates how even widely trusted software ecosystems can become vectors for global-scale infiltration.
Fact Checker Results
✔ DAEMON Tools installers were confirmed compromised in versions 12.5.0.2421 through 12.5.0.2434
✔ Attackers used valid digital certificates to sign malicious binaries
✔ Multiple-stage malware deployment and targeted espionage activity were verified by researchers
Prediction
Future supply chain attacks are likely to become more selective and stealth-focused, targeting trusted software with global distribution channels.
✔ Increased use of signed malware to bypass detection systems
✔ More modular multi-stage payload frameworks for adaptive espionage
✔ Expansion of stealth communication protocols like QUIC and HTTP/3 for persistence
References:
Reported By: cyberpress.org