Kaspersky Exposes DAEMON Tools Supply Chain Attack Targeting Manufacturing and Government Sectors


Key Takeaways

  • A supply‑chain compromise of the official DAEMON Tools website distributed trojanized installers from April 8 2026, affecting thousands of systems worldwide.
  • The malicious binaries were digitally signed with legitimate AVB Disc Soft certificates, allowing them to bypass trust checks.
  • Most victims received only an information‑collector payload; a sophisticated backdoor was delivered to roughly a dozen high‑value machines in Russia, Belarus, and Thailand.
  • Attackers used a typosquatted C2 domain (env‑check.daemontools[.]cc) registered a week before the campaign began.
  • Kaspersky disclosed the incident in early May 2026, prompting the vendor to release a clean version (12.6.0.2445) and to add detection rules across its product suite.
  • The attack highlights the growing trend of supply‑chain abuse of trusted software and reinforces the need for zero‑trust principles, rigorous software‑supply‑chain vetting, and continuous monitoring for anomalous activity.

Overview of the Supply Chain Attack
Researchers at Securelist by Kaspersky identified that the official DAEMON Tools website began serving trojanized installers on April 8 2026. The compromised files were versions 12.5.0.2421 through 12.5.0.2434 of the popular disk‑image mounting utility. Because the installers retained the valid digital signature of AVB Disc Soft, the legitimate developer, they appeared trustworthy to users and security tools, enabling the malicious payloads to execute without raising immediate alarms. The attack persisted until the vendor issued a clean build on May 6 2026, after public disclosure forced a rapid remediation.


Timeline and Scope of Compromise
From April 8 to early May 2026, Kaspersky telemetry recorded thousands of attempted payload deployments via the trojanized binaries. The affected installations spanned more than 100 countries and territories, with notable concentrations in Russia, Brazil, Turkey, Spain, Germany, France, Italy, and China. Approximately 10 % of the compromised systems belonged to businesses or organizations, while the remainder were individual users. The broad reach indicates that the attackers initially pursued a wide‑net infection strategy before narrowing their focus to select high‑value targets.


Geographic Distribution and Victim Profile
The majority of infections were observed in Russia, followed by Brazil, Turkey, Spain, Germany, France, Italy, and China. However, the advanced backdoor payload was detected only on a dozen machines located in Russia, Belarus, and Thailand. These systems belonged to entities in the retail, scientific, government, and manufacturing sectors, suggesting a deliberate selection process after the initial mass infection. The disparity between the widespread information‑collector deployment and the scarce backdoor implants underscores a two‑stage approach: broad reconnaissance followed by precise targeting.


Technical Details of the Trojanized Installers
The malicious components were embedded within the DAEMON Tools installation directory and were signed with the same code‑signing certificate used by AVB Disc Soft for legitimate releases. When the affected binaries executed—typically during system startup—the malware hooked into the C Runtime (CRT) initialization code, launching a dedicated thread that persisted in memory. This technique allowed the payload to survive reboots and evade casual inspection, as the malicious code appeared to be part of the normal application start‑up routine.


Malware Behavior and Payload Delivery
Upon execution, the malware first attempted to deploy an information‑collector module on the infected host. This collector harvested basic system data, including the full computer name, and transmitted it via HTTP GET requests to a command‑and‑control (C2) server. The C2 domain, env‑check.daemontools[.]cc, is a typosquatted variation of the legitimate daemon-tools[.]cc site and was registered on March 27 2026, roughly one week before the first trojanized installer appeared. The collector’s primary role appears to be profiling victims to determine whether they merit further, more invasive payloads.
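The beaconing described above, a plain HTTP GET to a domain that differs from daemon-tools[.]cc by a single character, is something a defender can hunt for in proxy or DNS logs. The following is an added example, not code from the report or from Kaspersky: it parses constructed proxy log lines, flags the exact C2 host named in the article, and generalises the idea by flagging any destination whose registrable domain sits within a small edit distance of the legitimate vendor domain (so other typosquats of daemon-tools.cc would be caught too). The log format and the sample hostnames are assumptions made for the example.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Indicator from the report, written here without the [.] defanging.
C2_DOMAIN = "env-check.daemontools.cc"
# The legitimate vendor domain that the C2 domain imitates.
LEGIT_DOMAIN = "daemon-tools.cc"

# Constructed sample proxy log: timestamp, source host, method, URL.
SAMPLE_LOG = """\
2026-04-09T07:12:41Z ws-0142 GET http://env-check.daemontools.cc/?n=WS-0142
2026-04-09T07:13:02Z ws-0142 GET https://www.daemon-tools.cc/downloads
2026-04-09T07:15:55Z ws-0177 GET https://update.microsoft.com/
2026-04-09T07:16:10Z ws-0188 GET http://daemon-tool.cc/check
2026-04-09T07:17:30Z ws-0190 GET https://cdn.daemon-tools.cc/files/x.exe
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (assumption: no multi-label public
    suffixes such as co.uk occur in these logs)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Standard dynamic-programming edit distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> Optional[str]:
    """Return a finding label for a destination host, or None if unremarkable."""
    host = host.lower()
    if host == C2_DOMAIN:
        return "known-c2"
    reg = registrable_domain(host)
    if reg == LEGIT_DOMAIN:
        return None  # the genuine vendor domain and its subdomains
    if levenshtein(reg, LEGIT_DOMAIN) <= 2:
        return "lookalike-domain"
    return None


def scan_proxy_log(text: str) -> list:
    """Parse log lines and return one finding per suspicious destination."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        host = urlsplit(m["url"]).hostname or ""
        label = classify_host(host)
        if label:
            findings.append({"ts": m["ts"], "src": m["src"], "host": host, "finding": label})
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f)
```

Run against the constructed log, the scan reports the exact C2 hit from ws-0142 and the look-alike `daemon-tool.cc` from ws-0188, while traffic to `www.daemon-tools.cc` and `cdn.daemon-tools.cc` is left alone. Pairing the look-alike rule with domain registration age, as the article notes the C2 domain was only a week old, would tighten it further, but that lookup needs an external source and is not shown here.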


Targeted Backdoor Deployment
On a small subset of machines—approximately a dozen—the attackers delivered a second-stage backdoor. This payload is more complex, capable of receiving commands, exfiltrating files, and maintaining persistent access. Its deployment was limited to systems belonging to government, scientific, manufacturing, and retail organizations in Russia, Belarus, and Thailand, indicating that the threat actors used the collected profiling data to identify high‑value targets. The selective nature of this stage suggests motivations such as cyber‑espionage or “big game hunting,” although definitive attribution remains pending.


Attribution Indicators
Artifacts within the malicious implants point to a Chinese‑speaking threat actor. These include language‑specific strings, resource naming conventions, and certain code patterns observed in prior campaigns linked to Chinese‑origin groups. While the evidence is not conclusive enough to name a specific group, the linguistic clues, combined with the geographic concentration of the backdoor victims, allow analysts to infer a likely origin. The timing of the C2 domain registration and the use of a trusted software supply chain also resemble tactics seen in other recent, highly targeted operations.


Response, Mitigation, and Vendor Action
Following internal analysis, Kaspersky contacted AVB Disc Soft to coordinate remediation. On May 6 2026, after public disclosure, the vendor released DAEMON Tools version 12.6.0.2445, which removes the malicious behavior. Kaspersky simultaneously added detection signatures for the campaign in its Network Detection and Response (NDR) module via KATA, updated KEDR Expert rules, and confirmed coverage through its Managed Detection and Response (MDR) service. Users are advised to upgrade to the clean version, audit any systems that installed the compromised builds between April 8 and May 6 2026, and monitor for unusual outbound connections to env‑check.daemontools[.]cc.


Implications and Recommendations for Organizations
The DAEMON Tools incident underscores that even widely trusted applications can serve as effective vectors for supply‑chain compromise when attackers subvert legitimate code‑signing mechanisms. Organizations should adopt a zero‑trust stance toward software distribution: verify integrity through independent hashes, maintain an approved‑software whitelist, and employ application‑control solutions that block unsigned or unexpectedly signed binaries. Continuous monitoring for anomalous network traffic—especially connections to newly registered or typosquatted domains—is essential. Finally, regular red‑team exercises that simulate supply‑chain attacks can help validate defenses and improve incident‑response readiness before a breach occurs.
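The audit advice in the response section (check every system that installed a build between April 8 and May 6 2026) and the integrity advice just above (verify installers against independently obtained hashes) can be turned into a small triage routine. The following is an added example, not code from the report or from the vendor: it compares installed version strings numerically against the compromised range 12.5.0.2421 to 12.5.0.2434 and the clean build 12.6.0.2445, flags other versions installed inside the compromise window for hash verification, and checks installer bytes against a hash allowlist. The inventory records, the allowlist entry and the placeholder installer bytes are constructed for the example; a real allowlist would carry the vendor's published hashes.

```python
import hashlib
from datetime import date
from typing import Optional, Tuple

# Version range, clean build and dates as stated in the report.
FIRST_BAD = (12, 5, 0, 2421)
LAST_BAD = (12, 5, 0, 2434)
CLEAN_BUILD = (12, 6, 0, 2445)
WINDOW_START = date(2026, 4, 8)
WINDOW_END = date(2026, 5, 6)

# Constructed allowlist: SHA-256 of placeholder bytes standing in for the
# clean installer, so the example runs offline.
KNOWN_GOOD_INSTALLER = b"placeholder bytes standing in for the 12.6.0.2445 installer"
ALLOWLIST = {hashlib.sha256(KNOWN_GOOD_INSTALLER).hexdigest(): "12.6.0.2445"}


def parse_version(text: str) -> Tuple[int, ...]:
    """'12.5.0.2421' -> (12, 5, 0, 2421); tuples compare numerically, so
    12.10 sorts after 12.9, which a plain string comparison gets wrong."""
    return tuple(int(p) for p in text.strip().split("."))


def installer_matches_allowlist(data: bytes) -> Optional[str]:
    """Return the allowlisted version label for these installer bytes, else None."""
    return ALLOWLIST.get(hashlib.sha256(data).hexdigest())


def verdict(version: str, installed: date, installer_sha256: Optional[str] = None) -> str:
    """Classify one installation record."""
    v = parse_version(version)
    if FIRST_BAD <= v <= LAST_BAD:
        return "compromised-build"
    if v >= CLEAN_BUILD:
        return "clean-build"
    if WINDOW_START <= installed <= WINDOW_END:
        # A version outside the known-bad range, but fetched while the site
        # was serving trojanized files: accept only if the hash is allowlisted.
        if installer_sha256 and installer_sha256 in ALLOWLIST:
            return "verified-by-hash"
        return "installed-in-window-verify-hash"
    return "outside-window"


# Constructed inventory: (hostname, installed version, install date, installer sha256 or None).
INVENTORY = [
    ("ws-0142", "12.5.0.2430", date(2026, 4, 9), None),
    ("ws-0177", "12.6.0.2445", date(2026, 5, 7), None),
    ("ws-0188", "12.5.0.2410", date(2026, 3, 20), None),
    ("ws-0190", "12.5.0.2419", date(2026, 4, 20), None),
]


def triage(records) -> dict:
    """Map each host to its verdict."""
    return {host: verdict(ver, when, sha) for host, ver, when, sha in records}


if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(host, result)
```

In the constructed inventory ws-0142 lands in the compromised range, ws-0177 runs the clean build, ws-0188 predates the window, and ws-0190 is a version the report does not list but was installed while the site was serving bad files, so it is queued for hash verification rather than assumed safe.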
