# DAEMON Tools Hit by Supply Chain Attack, Delivering Backdoor to Targeted Victims
**DAEMON Tools**, popular disc-imaging software, has been compromised in a supply chain attack in which malicious installers distribute a backdoor. The attack, discovered by **Kaspersky**, has been active since April 8, 2026, impacting users across multiple countries and targeting specific organizations.

### Compromised Installers and Malicious Payload
According to **Kaspersky** researchers Igor Kuznetsov, Georgy Kucherin, Leonid Bezvershenko, and Anton Kargin, the trojanized installers were distributed from the legitimate **DAEMON Tools** website and signed with digital certificates belonging to the software developers. Versions 12.5.0.2421 to 12.5.0.2434 have been identified as compromised.
**AVB Disc Soft**, the developer of **DAEMON Tools**, has been notified of the breach.
### Tampered Components
Three components of **DAEMON Tools** were tampered with:
* DTHelper.exe
* DiscSoftBusServiceLite.exe
* DTShellHlp.exe
When these binaries are launched, an implant is activated, sending an HTTP GET request to an external server (`env-check.daemontools[.]cc`) to receive a shell command. This domain was registered on March 27, 2026.
### Multi-Stage Payload Delivery
The shell command downloads and executes a series of payloads, including:
* envchk.exe: A .NET executable for collecting system information.
* cdg.exe and cdg.tmp: A shellcode loader decrypting and launching a minimalist backdoor.
This backdoor contacts a remote server to download files, run shell commands, and execute shellcode payloads in memory.
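The indicators above (the compromised build range, the tampered component names, the first-stage GET beacon to `env-check.daemontools[.]cc`, and the dropped payload names) are enough to write a first-pass triage over a host inventory and a proxy log. The script below is an added example, not code from Kaspersky or AVB Disc Soft; the proxy log format, host names, timestamps and file paths in it are constructed for illustration, and the function names are my own.

```python
"""Triage helper for the DAEMON Tools compromise described above.

Added example, not code from Kaspersky or AVB Disc Soft. It turns the
report's indicators (version range 12.5.0.2421-12.5.0.2434, the GET beacon
to env-check.daemontools[.]cc, the tampered component and dropped payload
names) into checks over a host inventory and a proxy log. Log format, host
names and paths below are constructed for the example.
"""
import re
from pathlib import PureWindowsPath

# Indicators taken from the report
COMPROMISED_MIN = (12, 5, 0, 2421)
COMPROMISED_MAX = (12, 5, 0, 2434)
BEACON_DOMAIN = "env-check.daemontools.cc"  # written defanged ([.]) in the article
TAMPERED_COMPONENTS = {"dthelper.exe", "discsoftbusservicelite.exe", "dtshellhlp.exe"}
DROPPED_PAYLOADS = {"envchk.exe", "cdg.exe", "cdg.tmp"}


def parse_version(text):
    """'12.5.0.2430' -> (12, 5, 0, 2430); tuples compare element-wise."""
    return tuple(int(part) for part in text.strip().split("."))


def version_is_compromised(text):
    """True when the installed build lies in the trojanized range (inclusive)."""
    return COMPROMISED_MIN <= parse_version(text) <= COMPROMISED_MAX


# Constructed proxy log format: "<timestamp> <client-host> <method> <url> <status>"
PROXY_LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def url_hostname(url):
    """Strip scheme, port and path so the domain can be compared exactly."""
    return re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()


def beacon_hosts(proxy_lines):
    """Clients that issued the implant's first-stage GET to the beacon domain."""
    hits = set()
    for line in proxy_lines:
        m = PROXY_LINE.match(line)
        if m and m.group("method") == "GET" and url_hostname(m.group("url")) == BEACON_DOMAIN:
            hits.add(m.group("host"))
    return hits


def payload_artifacts(paths):
    """Paths whose file name matches one of the dropped next-stage payloads."""
    return sorted(p for p in paths if PureWindowsPath(p).name.lower() in DROPPED_PAYLOADS)


def components_to_verify(paths):
    """Paths of the three tampered components. These names exist on every
    DAEMON Tools install, so their presence alone proves nothing; they are
    returned so their signatures/hashes can be checked against a clean build."""
    return sorted(p for p in paths if PureWindowsPath(p).name.lower() in TAMPERED_COMPONENTS)


def triage(inventory, proxy_lines):
    """Map each host to the reasons it should be isolated; empty list = no finding."""
    beaconing = beacon_hosts(proxy_lines)
    findings = {}
    for host, version in inventory.items():
        reasons = []
        if version_is_compromised(version):
            reasons.append(f"DAEMON Tools {version} is in the compromised range")
        if host in beaconing:
            reasons.append(f"GET to {BEACON_DOMAIN} seen in proxy log")
        findings[host] = reasons
    # A host that beacons but is missing from the inventory still needs attention
    for host in beaconing - set(inventory):
        findings[host] = [f"GET to {BEACON_DOMAIN} seen in proxy log (host not in inventory)"]
    return findings


def hosts_to_isolate(inventory, proxy_lines):
    """Sorted hosts with at least one finding, i.e. the isolation list."""
    return sorted(h for h, reasons in triage(inventory, proxy_lines).items() if reasons)


# Constructed sample data
SAMPLE_INVENTORY = {
    "ws-01": "12.5.0.2430",  # inside the range
    "ws-02": "12.5.0.2410",  # older build, before the range
    "ws-03": "12.5.0.2434",  # last compromised build
    "ws-04": "12.5.0.2400",  # old build, but it beacons anyway
}
SAMPLE_PROXY = [
    "2026-04-09T08:01:02Z ws-01 GET http://env-check.daemontools.cc/ 200",
    "2026-04-09T08:02:10Z ws-02 GET http://updates.example.invalid/feed 200",
    "2026-04-09T08:03:44Z ws-03 GET https://env-check.daemontools.cc:443/check 200",
    "2026-04-09T08:04:00Z ws-04 GET http://env-check.daemontools.cc/ 200",
    "not a well-formed line",
]
SAMPLE_FILES = [
    r"C:\constructed\Temp\cdg.exe",
    r"C:\constructed\Temp\cdg.tmp",
    r"C:\constructed\App\DTHelper.exe",
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_INVENTORY, SAMPLE_PROXY).items():
        print(host, reasons or "no findings")
    print("isolate:", hosts_to_isolate(SAMPLE_INVENTORY, SAMPLE_PROXY))
    print("payload artifacts:", payload_artifacts(SAMPLE_FILES))
    print("components to hash-check:", components_to_verify(SAMPLE_FILES))
```

The version check and the beacon are the discriminating indicators: the beacon alone is enough to isolate a host (ws-04 in the sample), because the report says the compromised range was observed but does not rule out other trojanized builds. The three component names are only a list of what to hash-check against a clean installer, never a finding on their own.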
### Targeted Infections
**Kaspersky** observed thousands of infection attempts across more than 100 countries, including Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. However, the next-stage backdoor was delivered only to a dozen hosts, indicating a targeted approach.
The compromised systems belong to retail, scientific, government, and manufacturing organizations in Russia, Belarus, and Thailand. One of the payloads delivered is a remote access trojan (RAT) called **QUIC RAT**. A C++ implant was also observed targeting an educational institution in Russia.
### Advanced Capabilities and Attribution
The malware supports various command-and-control (C2) protocols, including HTTP, UDP, TCP, WSS, QUIC, DNS, and HTTP/3. It can inject payloads into legitimate processes like `notepad.exe` and `conhost.exe`.
While the activity has not been attributed to a known threat actor, evidence suggests a Chinese-speaking adversary.
### Growing Trend of Supply Chain Attacks
The **DAEMON Tools** compromise is the latest in a series of software supply chain incidents in 2026, following breaches involving **eScan**, **Notepad++**, and **CPUID**.
"A compromise of this nature bypasses traditional perimeter defenses because users implicitly trust digitally signed software downloaded directly from an official vendor," said Kucherin, senior security researcher at **Kaspersky** GReAT.
He added, "Given the high complexity of the compromise, it is thus of paramount importance for organizations to isolate machines having Daemon Tools software installed, as well as to conduct security sweeps to prevent further spreading of malicious activities inside corporate networks."