
DAEMON Tools Installer Backdoored in Active Supply Chain Attack

Published on May 6, 2026

Thousands of Windows systems have been compromised after attackers embedded malicious code into official installers for DAEMON Tools, a widely used virtual drive utility. The DAEMON Tools supply chain attack has been running since April 8, 2026, remained undetected for close to a month, and is still active at the time of publication. Installations downloaded directly from the legitimate vendor website delivered a backdoor alongside the expected software.

How the DAEMON Tools Supply Chain Attack Worked

The attackers compromised three core binaries inside the software package: DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. These files are installed in the default DAEMON Tools directory and are executed at every system startup.

Critically, all three tampered files carry valid digital signatures from AVB Disc Soft, the software's developer. That means standard security checks based on certificate verification would not flag the installers as suspicious. The compromised versions span from build 12.5.0.2421 through 12.5.0.2434. Only the Windows version was affected.

Once a compromised binary launches, a backdoor embedded in the C Runtime initialization code activates in a dedicated thread. It sends HTTP GET requests to a command-and-control server designed to closely mimic the legitimate daemon-tools[.]cc domain. That server was registered approximately one week before the campaign began.

A Tiered Attack With Targeted Ambitions

The infection chain operates in stages, with each subsequent stage deployed to a smaller, more deliberately chosen set of victims.

The first stage is an information-gathering payload. It collects the hostname, MAC address, DNS domain name, running processes, installed software, and system locale, then transmits that data back to the attackers. The malware is written in .NET and contains strings in Chinese, an early indicator pointing toward the origin of the operators.

Based on the profiling data received, attackers selectively push a second-stage implant: a lightweight backdoor capable of executing shell commands, downloading additional files, and running code directly in memory. This payload reached only around a dozen machines. Victims at this stage were organizations in the retail, scientific, government, and manufacturing sectors, located in Russia, Belarus, and Thailand.

In at least one documented case, attackers deployed a third and more advanced implant dubbed QUIC RAT against a Russian educational institution. This backdoor is written in C++, obfuscated using control flow flattening, and statically linked with the WolfSSL library. It supports a broad range of command-and-control communication protocols including HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3. QUIC RAT also injects payloads directly into legitimate system processes, specifically notepad.exe and conhost.exe, to blend into normal process activity.

Researchers noted typos and inconsistencies in commands executed at the second and third stages, including strings like "chiper" and "rypto.dll." These errors suggest the later phases involved hands-on, manual intervention by the operators, rather than automated execution.

Scale and Attribution

Since April 8, thousands of payload deployment attempts have been recorded across more than 100 countries. Geographically, the widest spread of infections hit home users in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China.

Roughly 10% of affected systems belong to organizations. The contrast between the broad first-stage infection footprint and the narrow selection of machines receiving follow-on payloads is telling. The attackers cast a wide net to gather profiling data, then applied highly selective criteria to decide who was worth pursuing further.

The campaign has not been attributed to a known threat actor. Analysts have identified Chinese-language artifacts within the implants, which points toward a Chinese-speaking adversary, but no firm attribution has been established.

Part of a Broader 2026 Surge

This DAEMON Tools supply chain attack is the fourth of its kind that security researchers have investigated in 2026 alone. Similar compromises targeted eScan in January, Notepad++ in February, and CPU-Z in April.

The pattern is consistent. Attackers focus on widely used, trusted utilities. They compromise the official distribution channel, sign the malicious installers with legitimate certificates, and rely on users' implicit trust in software they have downloaded from the vendor's own website. Perimeter defenses are largely ineffective against this approach because the payload is indistinguishable from an expected software update until the backdoor activates.

The timeline here also mirrors the 3CX supply chain compromise of 2023, which similarly went undetected for approximately one month before the security community identified it.

What Organizations Should Do Now

AVB Disc Soft has been notified of the breach. Any organization or individual who installed DAEMON Tools after April 8 should treat the affected system as potentially compromised.

Security teams are advised to identify and isolate any endpoints where versions 12.5.0.2421 through 12.5.0.2434 were installed. Monitoring for unusual outbound HTTP connections, unexpected PowerShell execution, or anomalous activity in notepad.exe or conhost.exe processes is a practical starting point for threat hunting. The typosquatted domain env-check.daemontools[.]cc and the IP address 38.180.107[.]76 should be blocked at the network perimeter.

Individual users should uninstall the affected version and run a full system scan. The attack may have established persistence through startup entries that survive a simple software removal.
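The triage helper below is an added example, not code from the article, the vendor, or the researchers. It checks inventory entries for the three tampered binaries in the affected build range and scans log lines for the published C2 domain and IP, keeping the indicators defanged as the article prints them; the log format, the install path, and the sample versions are constructed.

```python
import re
from pathlib import PureWindowsPath

AFFECTED_FIRST = (12, 5, 0, 2421)  # affected build range named in the article
AFFECTED_LAST = (12, 5, 0, 2434)
TAMPERED_FILES = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
# Indicators as published (defanged); refang() restores them for matching.
C2_DOMAIN = "env-check.daemontools[.]cc"
C2_IP = "38.180.107[.]76"

def refang(ioc):
    return ioc.replace("[.]", ".")

def is_affected_version(text):
    # Compare as numeric tuples: as strings, "12.5.0.243" would sort inside the range.
    return AFFECTED_FIRST <= tuple(int(p) for p in text.strip().split(".")) <= AFFECTED_LAST

def flag_inventory(entries):
    # entries: (path, file_version) pairs, e.g. from an endpoint inventory export;
    # returns paths of the tampered binaries whose version is in the affected range.
    return [p for p, v in entries
            if PureWindowsPath(p).name.lower() in TAMPERED_FILES and is_affected_version(v)]

def scan_log_lines(lines):
    # Returns (line_no, indicator) for lines naming the C2 domain (or a subdomain of it)
    # or the C2 IP. Token boundaries keep the vendor's own daemon-tools.cc domain and
    # look-alike addresses such as 138.180.107.76 from being flagged.
    domain_re = re.compile(r"(?<![\w-])" + re.escape(refang(C2_DOMAIN)) + r"(?![\w-])", re.I)
    ip_re = re.compile(r"(?<![\d.])" + re.escape(refang(C2_IP)) + r"(?!\d)")
    hits = []
    for n, line in enumerate(lines, 1):
        if domain_re.search(line):
            hits.append((n, C2_DOMAIN))
        elif ip_re.search(line):
            hits.append((n, C2_IP))
    return hits

# Constructed sample telemetry and inventory (not real data); the install path is assumed.
SAMPLE_LOG = [
    "2026-04-09T03:12:55Z proxy host=daemon-tools.cc method=GET path=/update status=200",
    "2026-04-09T03:13:01Z proxy host=env-check.daemontools.cc method=GET path=/ status=200",
    "2026-04-09T03:13:04Z fw dst=38.180.107.76 dport=80 proto=tcp action=allow",
    "2026-04-09T03:13:05Z fw dst=138.180.107.76 dport=443 proto=tcp action=allow",
]
SAMPLE_INVENTORY = [
    (r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe", "12.5.0.2430"),   # affected
    (r"C:\Program Files\DAEMON Tools Lite\DTShellHlp.exe", "12.5.0.2419"),  # below range
    (r"C:\Windows\System32\notepad.exe", "12.5.0.2430"),  # right range, not a tampered file
]
```

Feed `flag_inventory` the (path, version) pairs your inventory tool exports and `scan_log_lines` your proxy, DNS or firewall lines; a hit on the domain is a stronger signal than a hit on the IP, since the host name is the one the implant was built to contact.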

The broader takeaway extends well beyond this incident. Supply chain attacks succeed because organizations extend unconditional trust to signed software from known vendors. Validating that trust, through behavioral monitoring, network telemetry, and endpoint visibility, is no longer optional. It is a core part of any functional security posture.
