Kaspersky Exposes DAEMON Tools Supply Chain Attack Infecting Over 100,000 Users

In May 2026, Kaspersky revealed that the official Windows installer for DAEMON Tools Lite versions 12.5.0.2421 to 12.5.0.2434 had been compromised for nearly a month. The attackers injected signed backdoor binaries, established C2 communication and delivered staged payloads, including a QUIC RAT, to thousands of victims across more than a hundred countries, with high-value targets primarily in Russia, Belarus and Thailand, before a patched version, 12.6.0.2445, was released.


1. Incident Overview

DAEMON Tools, a disk‑image mounting utility developed by AVB Disc Soft, had its Windows installer for versions 12.5.0.2421 to 12.5.0.2434 compromised. The supply‑chain attack persisted from 8 April 2026 until early May, affecting millions of users in over a hundred countries.

2. Technical Analysis: How the Attack Penetrated the Supply Chain

2.1 First Stage – Supply Chain Poisoning

The attackers breached the build and release pipeline and inserted a trojan into three core components: DTHelper.exe, DiscSoftBusServiceLite.exe and DTShellHlp.exe. All three binaries retained valid digital signatures from AVB Disc Soft, so Windows driver-signature enforcement and most security products trusted them implicitly. The modified files reside in the DAEMON Tools installation directory and execute automatically at system startup.

2.2 Second Stage – Remote Control Activation

Upon execution, the malicious files contact the command-and-control server env-check.daemontools[.]cc via an HTTP GET request. The domain had been registered by the attackers in advance, on 27 March 2026. The C2 server can return arbitrary shell commands, which are run by cmd.exe on the compromised host.

2.3 Third Stage – Payload Delivery Chain

Kaspersky’s analysis shows a tiered payload strategy. First, envchk.exe, a .NET executable, gathers extensive system information (MAC address, hostname, DNS domain, process list, installed software, language settings) and sends it to the C2 server to assess target value. If the target is deemed valuable, the attackers drop cdg.exe and cdg.tmp. The latter is a shellcode loader that decrypts its payload and launches a minimalist backdoor capable of downloading files, executing shell commands, and running in‑memory shellcode. High‑value victims receive a QUIC RAT that supports multiple protocols (HTTP, UDP, TCP, WSS, QUIC, DNS, HTTP/3) and can inject malicious payloads into legitimate processes such as notepad.exe and conhost.exe.
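The chain in sections 2.2 and 2.3 leaves two observable traces a defender can hunt for: an HTTP request to the C2 domain, and a trojanised DAEMON Tools component spawning cmd.exe or one of the staged payloads. The following is an added example (not Kaspersky's or AVB Disc Soft's code) that runs that logic over constructed sample data; the proxy-log and process-event formats are hypothetical simplifications, the indicators (C2 domain, the three signed binaries, envchk.exe, cdg.exe, cdg.tmp) are the ones named in the write-up.

```python
"""Detection logic for the DAEMON Tools compromise described above.

Added example, not code from the report or the vendor. Runs over two
constructed feeds in a hypothetical simplified format: web-proxy log lines
("<ts> <src_ip> <method> <url> <status>") and process-creation events.
"""
import re
from dataclasses import dataclass

# Defanged domain as written in the report, normalised for matching.
C2_DOMAIN = "env-check.daemontools[.]cc".replace("[.]", ".")

# Signed components the attackers trojanised (section 2.1).
TROJANISED_BINARIES = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}

# Staged payloads dropped after the initial beacon (section 2.3).
STAGED_PAYLOADS = {"envchk.exe", "cdg.exe", "cdg.tmp"}

# Constructed sample proxy log lines (RFC 1918 sources, made up for the example).
PROXY_LINES = [
    "2026-04-09T08:01:12Z 10.0.5.23 GET http://env-check.daemontools.cc/ 200",
    "2026-04-09T08:01:15Z 10.0.5.23 GET http://update.example.test/check 200",
    "2026-04-10T11:42:03Z 10.0.7.8 GET http://ENV-CHECK.daemontools.cc/?id=1 200",
]

# Constructed sample process-creation events: (host, parent_image, child_image, cmdline).
PROCESS_EVENTS = [
    ("ws-023", r"C:\Program Files\DAEMON Tools Lite\DTHelper.exe",
     r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ("ws-023", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ("ws-078", r"C:\Program Files\DAEMON Tools Lite\DiscSoftBusServiceLite.exe",
     r"C:\Users\Public\envchk.exe", "envchk.exe"),
    ("ws-078", r"C:\Program Files\DAEMON Tools Lite\DTShellHlp.exe",
     r"C:\Program Files\DAEMON Tools Lite\DTShellHlp.exe", "DTShellHlp.exe"),
]


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    detail: str


_PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def _hostname(url: str) -> str:
    """Extract the host part of a URL, lower-cased; empty string if unparseable."""
    m = re.match(r"^[a-z]+://([^/:?]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def scan_proxy_log(lines):
    """Flag every HTTP request whose host is the known C2 domain (case-insensitive)."""
    alerts = []
    for line in lines:
        m = _PROXY_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the scan
        ts, src, method, url, _status = m.groups()
        if _hostname(url) == C2_DOMAIN:
            alerts.append(Alert(src, "c2_beacon", f"{method} {url} at {ts}"))
    return alerts


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan_process_events(events):
    """Flag cmd.exe or staged-payload launches whose parent is a trojanised DAEMON Tools binary."""
    alerts = []
    for host, parent, child, cmdline in events:
        if _basename(parent) not in TROJANISED_BINARIES:
            continue
        child_name = _basename(child)
        if child_name == "cmd.exe":
            alerts.append(Alert(host, "dt_spawns_cmd", cmdline))
        elif child_name in STAGED_PAYLOADS:
            alerts.append(Alert(host, "dt_drops_stage", child))
    return alerts


def run():
    """Run both detections over the constructed samples and return all alerts."""
    return scan_proxy_log(PROXY_LINES) + scan_process_events(PROCESS_EVENTS)


if __name__ == "__main__":
    for a in run():
        print(f"{a.host}\t{a.rule}\t{a.detail}")
```

The parent-child rule is the more durable of the two: the C2 domain can be rotated, but a disk-image helper process that launches cmd.exe is anomalous regardless of where the command came from. Note that the last sample event (DTShellHlp.exe re-launching itself) is deliberately not flagged, to show the rule keys on the child, not merely on the parent.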

3. Impact Scope

Kaspersky telemetry recorded thousands of payload delivery attempts during the active period. Infections spanned roughly a hundred countries, with the highest numbers in Russia, Brazil, Turkey, Spain, Germany, France, Italy and China. Most compromised hosts only received the information‑gathering component, but the full backdoor was delivered to a dozen systems concentrated in Russia, Belarus and Thailand across retail, research, government and manufacturing sectors, indicating a targeted espionage operation rather than a financially motivated attack.

4. Mitigation and Recommendations

AVB Disc Soft issued a remedial build, DAEMON Tools Lite 12.6.0.2445, which removes the malicious components. Recommended actions are:

- Uninstall the current DAEMON Tools Lite version.
- Run a full-disk scan with trusted antivirus software.
- Download and install the latest version (12.6.0.2445) from the official website.
- For enterprise environments, isolate all hosts that have DAEMON Tools installed and conduct a thorough network security investigation to prevent lateral movement.
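The first step in an enterprise is deciding which hosts the four actions above apply to. The following is an added example (not the vendor's or Kaspersky's code) that triages a software inventory against the version facts stated in this write-up: 12.5.0.2421 through 12.5.0.2434 are the compromised builds and 12.6.0.2445 is the remedial one. The inventory is a constructed sample in a hypothetical "host,version" CSV layout; versions that fall between the end of the listed range and the fix are reported separately as unverified, because the write-up says nothing about them.

```python
"""Version-range triage for the DAEMON Tools Lite advisory above.

Added example, not the project's code. The version constants are from the
write-up; the inventory is a constructed sample in a hypothetical CSV format.
"""
import csv
import io

AFFECTED_MIN = (12, 5, 0, 2421)   # first compromised build named in the report
AFFECTED_MAX = (12, 5, 0, 2434)   # last compromised build named in the report
FIXED = (12, 6, 0, 2445)          # remedial build issued by AVB Disc Soft

# Constructed sample inventory export (hypothetical format).
INVENTORY_CSV = """host,version
ws-001,12.5.0.2421
ws-002,12.5.0.2430
ws-003,12.6.0.2445
ws-004,12.4.0.2401
ws-005,12.5.0.2440
ws-006,n/a
"""


def parse_version(text):
    """Turn '12.5.0.2421' into a comparable 4-tuple; raise ValueError if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version_text):
    """Classify one installed version relative to the advisory.

    'affected'   -> inside the compromised range: isolate, scan, rebuild
    'fixed'      -> remedial build or later
    'older'      -> predates the compromised range
    'unverified' -> after the range but before the fix; the report does not cover it
    'unknown'    -> version string could not be parsed
    """
    try:
        v = parse_version(version_text)
    except ValueError:
        return "unknown"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED:
        return "fixed"
    if v < AFFECTED_MIN:
        return "older"
    return "unverified"


def triage(inventory_csv):
    """Group host names by status; the 'affected' group is the isolation list."""
    groups = {"affected": [], "fixed": [], "older": [], "unverified": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        groups[classify(row["version"])].append(row["host"])
    return groups


if __name__ == "__main__":
    for status, hosts in triage(INVENTORY_CSV).items():
        print(f"{status:11s} {', '.join(hosts) or '-'}")
```

Tuple comparison is used deliberately instead of string comparison: "12.5.0.2430" sorts before "12.5.0.2421" lexically only by accident, and a build number with a different digit count would break a string-based check.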

5. Conclusion

The incident reinforces the principle that the software supply chain is the most efficient attack vector. When attackers control the build and distribution stages, signed installers bypass typical security checks, making detection extremely difficult. Defenders should enforce software‑source whitelisting, perform integrity verification of third‑party binaries, and continuously monitor for anomalous network communications.
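The conclusion's recommendation to verify the integrity of third-party binaries matters precisely because, as section 2.1 notes, the trojanised components carried valid AVB Disc Soft signatures and a signature check alone would have passed them. The following is an added example (not the project's code) of a baseline that pins SHA-256 digests of an installation directory taken from a known-good state and reports files that were modified, went missing, or appeared unexpectedly. The three component names are from the write-up; the file contents, the baseline digests and the simulated tampering in demo() are all constructed inside a temporary directory.

```python
"""Integrity verification of third-party binaries, independent of code signing.

Added example, not the vendor's code. Pins SHA-256 digests of every file in a
directory to a baseline and reports drift. All file contents are constructed.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(directory):
    """Map relative file name -> SHA-256 for every regular file under directory."""
    out = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, directory).replace(os.sep, "/")
            out[rel] = sha256_file(full)
    return out


def verify(directory, baseline):
    """Compare the directory against a pinned baseline {relative_name: sha256}.

    Returns three sorted lists: files whose digest changed, pinned files that
    are gone, and files present now that the baseline never recorded.
    """
    current = snapshot(directory)
    return {
        "modified": sorted(n for n in baseline if n in current and current[n] != baseline[n]),
        "missing": sorted(n for n in baseline if n not in current),
        "unexpected": sorted(n for n in current if n not in baseline),
    }


def demo():
    """Build a constructed install directory, baseline it, then simulate drift."""
    with tempfile.TemporaryDirectory() as d:
        def write(name, data):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)

        # Known-good state: the three components named in the report (contents constructed).
        write("DTHelper.exe", b"MZ-good-helper")
        write("DiscSoftBusServiceLite.exe", b"MZ-good-service")
        write("DTShellHlp.exe", b"MZ-good-shellhlp")
        baseline = snapshot(d)
        assert verify(d, baseline) == {"modified": [], "missing": [], "unexpected": []}

        # Simulated drift: one pinned component changed, one new file appeared beside it.
        write("DTHelper.exe", b"MZ-changed-helper")
        write("envchk.exe", b"MZ-new-file")
        return verify(d, baseline)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind:10s} {', '.join(names) or '-'}")
```

The baseline must be captured from media whose provenance is trusted (for example a build obtained out of band and hashed before deployment) and stored somewhere the monitored host cannot write to; a baseline taken from an already-compromised install would simply pin the trojanised files.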

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

Black & White Path