Key Takeaways
- Compromised installer versions range from 12.5.0.2421 to 12.5.0.2434 and were distributed from April 8.
- Infection attempts were observed in more than 100 countries.
- Telemetry shows several thousand infection attempts in total.
- The second-stage malware was delivered to only a small, selected set of targets.
The DAEMON Tools Supply Chain Attack led to compromised installers being distributed through the vendor's official website. The trojanized installers were digitally signed with legitimate certificates, so they passed signature checks and appeared trusted at install time. Only the Windows version of the software is affected; the Mac version is unaffected.
Compromised Components And Malware Execution
The DAEMON Tools Supply Chain Attack involved tampering with three core components of the software: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These binaries normally run at system startup, so the implant they carry is activated on every boot without any further user action.
The implant first contacts an external server over HTTP. The domain it connects to was registered on March 27, 2026, roughly two weeks before the compromised builds began shipping. The server returns commands, which the implant passes to the system command shell for execution, giving the attackers control over what happens next on the compromised machine.
In the next stage of the DAEMON Tools Supply Chain Attack, additional payloads are delivered. One of them, envchk.exe, collects detailed system information. Two others, cdg.exe and cdg.tmp, work together: one decrypts and launches a backdoor carried in the other. This backdoor provides remote access, including file download, command execution, and in-memory payload deployment.
The malware also injects malicious code into legitimate system processes such as notepad.exe and conhost.exe. This behavior helps the threat remain hidden while maintaining control over the system. The attack uses multiple communication protocols, including HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3, to maintain connectivity with remote servers.
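One practical check for the injection behaviour described above is to look for notepad.exe or conhost.exe instances that own network sockets, since neither process has any legitimate reason to talk to the network. The script below is an added example written for this article, not code from the original report or from Kaspersky; the process names come from the report, and the assumption that a socket owned by one of them is worth triaging is mine. It uses only built-in Windows PowerShell cmdlets (NetTCPIP and CIM) and should be run elevated so that sockets of other users' processes are visible.

```powershell
# Added example, not code from the original report or from Kaspersky: live hunt
# for notepad.exe or conhost.exe instances that own network sockets. Neither
# normally needs network access, so a socket owned by one is an injection
# indicator. Works on Windows PowerShell 5.1 / PowerShell 7 with the NetTCPIP
# module; run elevated so sockets of other users' processes are visible.

$suspectNames = 'notepad', 'conhost'   # host processes named in the report

$procs = @(Get-Process -Name $suspectNames -ErrorAction SilentlyContinue)
$byPid = @{}
foreach ($p in $procs) { $byPid[$p.Id] = $p }

$findings = New-Object System.Collections.Generic.List[object]

# TCP covers HTTP, WSS and raw TCP channels; skip listening sockets.
foreach ($c in @(Get-NetTCPConnection -ErrorAction SilentlyContinue)) {
    if ($byPid.ContainsKey($c.OwningProcess) -and $c.State -ne 'Listen') {
        $findings.Add([pscustomobject]@{
            Process  = $byPid[$c.OwningProcess].ProcessName
            PID      = $c.OwningProcess
            Protocol = 'TCP'
            Endpoint = "$($c.RemoteAddress):$($c.RemotePort)"
            State    = $c.State
        })
    }
}

# UDP covers QUIC / HTTP/3 and DNS-based channels; a bound UDP port is enough.
foreach ($e in @(Get-NetUDPEndpoint -ErrorAction SilentlyContinue)) {
    if ($byPid.ContainsKey($e.OwningProcess)) {
        $findings.Add([pscustomobject]@{
            Process  = $byPid[$e.OwningProcess].ProcessName
            PID      = $e.OwningProcess
            Protocol = 'UDP'
            Endpoint = "local $($e.LocalAddress):$($e.LocalPort)"
            State    = 'Bound'
        })
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No sockets owned by notepad.exe or conhost.exe ($($procs.Count) instances checked)."
} else {
    Write-Warning 'Network activity from processes that should have none:'
    $findings | Format-Table -AutoSize
    # Parent and command line help triage: an injected host process often has
    # an unexpected parent and no document argument.
    foreach ($id in ($findings.PID | Sort-Object -Unique)) {
        Get-CimInstance Win32_Process -Filter "ProcessId = $id" |
            Select-Object ProcessId, ParentProcessId, CommandLine, CreationDate
    }
}
```

Because conhost.exe is spawned for every console window, its mere presence means nothing; the signal is the socket, not the process. A hit is a reason to capture the process memory and parent chain before killing it, since the injected code lives only in memory and the on-disk artefacts may already have been cleaned up.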
Global Impact And Targeted Deployment
Data from Kaspersky indicates that the DAEMON Tools Supply Chain Attack triggered several thousand infection attempts across more than 100 countries. Affected regions include Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. Despite the wide distribution, the second-stage malware has been deployed to only a small number of systems.
The targeted systems belong to sectors such as retail, scientific research, government, and manufacturing. These systems are located in regions including Russia, Belarus, and Thailand. The selective deployment suggests that the attackers filtered infected systems before delivering advanced payloads.
One of the identified payloads is QUIC RAT, a remote access tool designed to provide deeper system control. This payload was observed in a single case involving an educational institution. The limited use of this tool indicates a focused approach rather than broad deployment.
The attack remains unattributed, with no known threat group linked to the activity. However, the use of signed installers and delayed detection indicates a high level of technical capability. The compromise went undetected for nearly one month, allowing the attackers to operate within trusted environments.
This DAEMON Tools Supply Chain Attack adds to a series of supply chain attacks reported in 2026, involving software such as eScan, Notepad++, and CPUID. These attacks demonstrate how trusted software distribution channels can be exploited to bypass traditional security controls.
The findings highlight the importance of monitoring trusted applications and verifying software integrity even when it is obtained from official platforms. Organizations with DAEMON Tools installed are advised to check whether the installed build falls in the affected range, isolate any machine that does, and conduct detailed security checks on it to limit further exposure.
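For the review the article recommends, the following PowerShell script is an added example written for this article, not code from the original report or from the DAEMON Tools vendor. It takes the affected version range and the three tampered file names from the report; the lookup through the Uninstall registry keys, the assumption that the binaries live in the recorded InstallLocation, and the persistence search in services and Run keys are mine. Run it elevated on a host suspected of carrying an affected build.

```powershell
# Added example, not code from the original report or from the DAEMON Tools
# vendor: audit a host for the affected build range and collect signature and
# persistence evidence for the three tampered binaries. The version bounds and
# file names come from the report; the Uninstall-key lookup and the assumption
# that the binaries sit in InstallLocation are mine. Run elevated.

$affectedMin   = [version]'12.5.0.2421'
$affectedMax   = [version]'12.5.0.2434'
$tamperedNames = 'DTHelper.exe', 'DiscSoftBusServiceLite.exe', 'DTShellHlp.exe'

# 1. Installed version, from the Uninstall registry keys (64- and 32-bit views).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installs = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'DAEMON Tools*' })

if ($installs.Count -eq 0) { Write-Output 'No DAEMON Tools entry in Uninstall keys.' }

foreach ($app in $installs) {
    $ver = $null
    $inRange = [version]::TryParse([string]$app.DisplayVersion, [ref]$ver) -and
               $ver -ge $affectedMin -and $ver -le $affectedMax
    [pscustomobject]@{
        Name            = $app.DisplayName
        Version         = $app.DisplayVersion
        InstallDate     = $app.InstallDate
        InAffectedRange = $inRange
        InstallLocation = $app.InstallLocation
    } | Format-List

    # 2. Signature and hash evidence. A 'Valid' status does not clear a file
    #    here: the trojanized builds were signed with legitimate certificates.
    #    Record signer, thumbprint and SHA-256 to compare against a clean
    #    release and to hand to incident response.
    if ($app.InstallLocation -and (Test-Path -LiteralPath $app.InstallLocation)) {
        foreach ($name in $tamperedNames) {
            $path = Join-Path $app.InstallLocation $name
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $sig = Get-AuthenticodeSignature -FilePath $path
            [pscustomobject]@{
                File       = $name
                SHA256     = (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash
                Modified   = (Get-Item -LiteralPath $path).LastWriteTimeUtc
                SigStatus  = $sig.Status
                Signer     = $sig.SignerCertificate.Subject
                Thumbprint = $sig.SignerCertificate.Thumbprint
                CertExpiry = $sig.SignerCertificate.NotAfter
            } | Format-List
        }
    }
}

# 3. Startup persistence that references the tampered names: services and
#    per-machine / per-user Run keys. The report says these binaries run at boot.
$pattern = ($tamperedNames | ForEach-Object { [regex]::Escape($_) }) -join '|'

Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -match $pattern } |
    Select-Object Name, State, StartMode, StartName, PathName

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($entry in $props.PSObject.Properties) {
        if ($entry.Name -like 'PS*') { continue }   # skip PSPath and friends
        if ([string]$entry.Value -match $pattern) {
            [pscustomobject]@{ Key = $key; Entry = $entry.Name; Command = $entry.Value }
        }
    }
}
```

The point of recording the signer and thumbprint rather than just the status is the one the article makes: on an affected build the signature will verify cleanly, so the evidence that distinguishes a tampered binary from a clean one is its hash and modification time compared against a known-good release, not its Authenticode status.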