An innocent routine software update mechanism has been weaponized by attackers in order to distribute malware through official distribution channels, enabling a stealthy global supply-chain compromise.
AVB Disc Soft authenticated digital certificates were used to sign trojanized builds as part of the operation that remained undetected for nearly a month.
By bypassing conventional trust and endpoint security mechanisms, these malicious packages were able to avoid triggering immediate suspicion. Kaspersky discovered that the campaign began on April 8, 2026, and resulted in thousands of infections in over 100 countries before the breach was detected on May 1, 2026.
Almost all infections were characterized by reconnaissance malware intended to gather system intelligence and establish persistence. However, a comparatively small number of carefully selected victims received advanced second-stage backdoors, suggesting a targeted attack on Russian, Belarusian, and Thai organizations involved in government, science, retail, and manufacturing.
Multiple core components of DAEMON Tools were modified, including DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe, and malicious functionality was embedded in versions 12.5.0.2421 through 12.5.0.2434, ensuring that execution occurs at startup while maintaining the appearance of legitimate software functionality.
According to the forensic analysis, the attackers had embedded their malicious framework within several trusted DAEMON Tools binaries, including the DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe that can be found within the installation directory of the application. Because the compromised binaries were signed by authentic AVB Disc Soft signing certificates, operating systems and endpoint security products perceived the compromised binaries as trustworthy, reducing the probability of immediate detection.
It has been determined that every time the affected binaries are executed during system startup, the CRT initialization routine initiates hidden backdoor functionality, initiating a dedicated background thread aimed at quietly establishing outbound communication with attacker-controlled infrastructure during system startup.
Throughout the attack, the malware repeatedly sent HTTP GET requests to a typosquatted domain that closely mimicked the legitimate DAEMON Tools download portal, as a method of mixing malicious traffic with expected software communications. According to WHOIS records, the fraudulent domain was registered on March 27, approximately one week before the supply chain intrusion occurred, indicating deliberate preparation of infrastructure prior to the attack by the campaign's operators.
Based on an analysis of the command-and-control infrastructure, it appeared that compromised systems were able to receive remotely issued shell commands via cmd.exe and PowerShell, which would allow attackers to download and execute additional payloads dynamically.
PowerShell's WebClient functionality was utilized to retrieve executable files from an Internet server located at 38.180.107[.]76 before silently executing them from temporary system directories and deleting all traces afterwards. In the course of the investigation, envchk.exe, a .NET-based information collector that researchers determined was intended to perform extensive reconnaissance on infected machines, was identified as one of the primary secondary payloads.
In the malware's source code, embedded Chinese-language strings suggest that the malware's operators are probably Chinese-speaking, but no official affiliation has yet been established for the threat group. This reconnaissance utility collected a broad range of information regarding the host, including MAC addresses, hostnames, DNS domains, installed software inventories, running process lists, system locale configurations, and other host information.
Following data collection, the collected data is transmitted back to attacker-controlled infrastructure via structured HTTP POST requests, providing the operators with a detailed profile of the compromised environment before deciding whether to escalate the intrusion.
Unsuspecting users were infected when they downloaded and installed trojanized yet legitimately signed installers for DAEMON Tools, which executed malicious code contained within trusted application components without the user knowing it.
After activation, the implanted payload established persistence mechanisms intended to survive reboots, as well as enabled the installation of a covert backdoor capable of communicating with remote attackers when the system is started.
The command infrastructure was also capable of dynamically delivering additional malware stages based on the victim’s profile and operational significance. It is generally considered to have functioned as a reconnaissance-oriented information stealer tasked with gathering system identifiers, including hostnames, MAC addresses, running processes, installed applications, and locale configurations, before transmitting the harvested telemetry to the operators for the purpose of assessing the environment and prioritizing victims.
The first-stage profiling phase of the investigation resulted in an evaluation of selected systems for further compromise. Using a lightweight backdoor that is capable of executing arbitrary commands, downloading files, and running malicious code directly in memory, selected systems were escalated to a second-stage compromise.
The attack on a Russian educational institution was escalated by the attackers by using QUIC RAT, a remote access malware strain capable of supporting a variety of communication protocols, as well as injecting malicious code into legitimate processes so that they could operate stealthily after the compromise.
Despite utilizing software distributed through official channels, the DAEMON Tools breach remained undetected for nearly a month as a highly coordinated and technically mature supply-chain intrusion. An investigation into DAEMON Tools installations conducted on or after April 8 was advised to conduct extensive threat-hunting operations to monitor for abnormal system behavior and unauthorized network activity related to the compromise period.
Researchers have avoided formally identifying the threat actor behind the campaign, but linguistic artifacts embedded within its first stage strongly suggest that Chinese-speaking operators were responsible.
Following earlier compromises involving eScan, Notepad++, and CPU-Z, the incident also illustrates the rising trend of software supply-chain attacks throughout 2026. In parallel with these campaigns, the increasing importance of trusted software ecosystems becoming high-value attack surfaces for sophisticated threat groups continues to be demonstrated, including Trivy, Checkmarx, and Glassworm, which target software repositories, development packages, and browser extensions.
The DAEMON Tools compromise proves that modern supply-chain attacks are not limited to niche targets or underground software ecosystems, but are increasingly exploiting widely used consumer and enterprise applications.
The attackers developed their attack strategy by leveraging trusted software certificates and official distribution channels in order to disguise malicious activity as legitimate software behavior while quietly gaining access to potentially high-value environments across multiple countries.
Security researchers have concluded that organizations must evolve beyond traditional trust-based security models and embrace continuous monitoring, behavioral detection, and software integrity validation practices that will enable them to identify malicious activity, even within applications that appear legitimate and have been signed.
A contemporary supply-chain intrusion illustrates how a single compromised software update can quickly escalate into a global cyber risk with far-reaching operational and national security consequences.
.jpg "Trojanized DAEMON Tools Used to Deploy Persistent Backdoor Malware")
.jpg)
